Fake ransomware decryptor double-encrypts desperate victims' files



A fake decryptor for the STOP Djvu Ransomware is being distributed that lures already desperate people with the promise of free decryption. Instead of getting their files back for free, they are infected with another ransomware that makes their situation even worse.


While ransomware operations such as Maze, REvil, Netwalker, and DoppelPaymer get wide media attention due to their high worth victims, another ransomware called STOP Djvu is infecting more people then all of them combined on a daily basis.


With over 600 submissions a day to the ID-Ransomware ransomware identification service, STOP ransomware is the most actively distributed ransomware over the past year.


STOP Djvu ransomware submissions to ID-Ransomware


Emsisoft and Michael Gillespie had previously released a decryptor for older STOP Djvu variants, but newer variants cannot be decrypted for free.


If the ransomware is so common, you may be wondering why it doesn't get much attention?

The lack of attention is simply because the ransomware mostly affects home users infected through adware bundles pretending to be software cracks.


While downloading and installing cracks is not excusable, many of those who are infected simply cannot afford to pay a $500 ransom for a decryptor.


Double-encrypting someone's data with a second ransomware is just kicking someone while they are already down.


Zorab double-encrypts a victim's data

Unfortunately, this is what a new ransomware called Zorab discovered by Michael Gillespie is doing.

The creators of the Zorab ransomware have released a fake STOP Djvu decryptor that does not recover any files for free but instead encrypts all of the victim's already encrypted data with another ransomware.

Fake STOP Djvu decryptor


When a desperate user enters their information in the phony decryptor and clicks on 'Start Scan,' the program will extract another executable called crab.exe and saves it to the %Temp% folder.


Extracting and executing the crab.exe program


Crab.exe is another ransomware called Zorab, which will begin to encrypt the data on the computer. When encrypting files, the ransomware will append the .ZRB extension to the file's name.


Zorab encrypted files


The ransomware will also create ransom notes named '--DECRYPT--ZORAB.txt.ZRB' in each folder that a file is encrypted. This note contains instructions on how to contact the ransomware operators for payment instructions. 


Zorab ransom note


This ransomware is currently being analyzed, and users should not pay the ransom until it is confirmed no weakness can be used to recover Zorab encrypted files for free.



IOCs

Hashes:

Fake decryptor: 1abf41be04801cfc3478502127abc47c2d84253ab659d576e5c02cc0b716c782


Associated files:

Decryptor Djvu mlagham.exe
%Temp%crab.exe
--DECRYPT--ZORAB.txt.ZRB


Ransom note text:

+-= ZORAB =-+—

Attention! Attention! Attention!

Your documents, photos, databases and other important files are encrypted and have the extension: .ZRB

Don't worry, you can return all your files!

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

if you want to decrypt your files

The only method of recovering files is to purchase decrypt tool

This tool will decrypt all your encrypted files.

To get this software you need write on our e-mail: zorab28@protonmail.com

What guarantees do we give to you?

Its just a business. We absolutely do not care about you and your deals, except getting benefits.

You can send 2 your encrypted file from your PC and we decrypt it for free.

+--Warning--+
 
DONT try to change files by yourself, DONT use any third party software for restoring your data 

Your personal id: xxx


Associated emails:

zorab28@protonmail.com

Source: Paper.li