Fake ransomware decryptor double-encrypts desperate victims' files

A fake decryptor for the STOP Djvu Ransomware is being distributed that lures already desperate people with the promise of free decryption. Instead of getting their files back for free, they are infected with another ransomware that makes their situation even worse.

While ransomware operations such as Maze, REvil, Netwalker, and DoppelPaymer get wide media attention due to their high worth victims, another ransomware called STOP Djvu is infecting more people then all of them combined on a daily basis.

With over 600 submissions a day to the ID-Ransomware ransomware identification service, STOP ransomware is the most actively distributed ransomware over the past year.

STOP Djvu ransomware submissions to ID-Ransomware

Emsisoft and Michael Gillespie had previously released a decryptor for older STOP Djvu variants, but newer variants cannot be decrypted for free.

If the ransomware is so common, you may be wondering why it doesn't get much attention?

The lack of attention is simply because the ransomware mostly affects home users infected through adware bundles pretending to be software cracks.

While downloading and installing cracks is not excusable, many of those who are infected simply cannot afford to pay a $500 ransom for a decryptor.

Double-encrypting someone's data with a second ransomware is just kicking someone while they are already down.

Zorab double-encrypts a victim's data

Unfortunately, this is what a new ransomware called Zorab discovered by Michael Gillespie is doing.

The creators of the Zorab ransomware have released a fake STOP Djvu decryptor that does not recover any files for free but instead encrypts all of the victim's already encrypted data with another ransomware.

Fake STOP Djvu decryptor

When a desperate user enters their information in the phony decryptor and clicks on 'Start Scan,' the program will extract another executable called crab.exe and saves it to the %Temp% folder.