Zorab ransomware disguised as a fake STOP Djvu decryptor double-encrypts victims’ files
Earlier we found that Djvu ransomware was hitting a large number of users who used cracked software, warez, adware bundles, and shady sites. Now a fake STOP Djvu decryptor is being distributed to those victims. The fake decryptor promises free decryption of Djvu-infected files. Instead of getting their files decrypted for free, the victims are infected with another ransomware that makes their situation even worse.
This fake decryptor targets consumers through cracked software, adware bundles, and shady sites. A relatively common ransomware strain, Djvu ransomware was involved in various digital attacks over the past year or so. Back in January 2019, STOP used adware installers disguised as cracks as a new method of distributing itself to unsuspecting users.
According to a report, STOP ransomware, with over 600 submissions a day to the ID-Ransomware identification service, is the most actively distributed ransomware over the past year.
As the researchers reported, the attack hit victims when they entered their information into a fake STOP Djvu decryptor and clicked a “Start Scan” button. In the process, the program extracted another program called “crab.exe” and saved it to the %Temp% folder.
Crab.exe is another ransomware called Zorab, which will begin to encrypt the data on the computer. When encrypting files, the ransomware appends the .ZRB extension to the file’s name. The ransomware also creates ransom notes named ‘–DECRYPT–ZORAB.txt.ZRB’ in each folder where a file is encrypted.
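For responders, the indicators described above (crab.exe in the temp folder, the .ZRB extension, and the per-folder ransom note) can be checked with a short triage script. This is an added example, not code from the researchers' report; the function names, the report layout and the tolerance for different dash characters in the note name are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article text.
DROPPED_EXE = "crab.exe"
ENCRYPTED_EXT = ".zrb"
# Assumption: the dashes in the note name may be ASCII hyphens or typographic
# dashes depending on how the name was rendered, so accept either form.
NOTE_RE = re.compile(r"^[-\u2013\u2014]+DECRYPT[-\u2013\u2014]+ZORAB\.txt\.ZRB$", re.I)


def triage(root, temp_dir):
    """Return the Zorab indicators found under root and in temp_dir."""
    report = {"dropper": None, "notes": [], "encrypted": {}}

    # 1. Dropped payload in the temp folder (case-insensitive name match).
    temp_dir = Path(temp_dir)
    if temp_dir.is_dir():
        for entry in temp_dir.iterdir():
            if entry.is_file() and entry.name.lower() == DROPPED_EXE:
                report["dropper"] = str(entry)

    # 2. Ransom notes and encrypted files, counted per folder. The note is
    #    tested first because its own name also ends in .ZRB.
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                report["notes"].append(os.path.join(folder, name))
            elif name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"][folder] = report["encrypted"].get(folder, 0) + 1

    # Folders holding .ZRB files but no note may indicate an interrupted run
    # or partial cleanup; list them separately for the responder.
    note_dirs = {os.path.dirname(p) for p in report["notes"]}
    report["encrypted_without_note"] = sorted(set(report["encrypted"]) - note_dirs)
    return report


if __name__ == "__main__":
    # Constructed sample tree of empty files, so the script runs offline.
    with tempfile.TemporaryDirectory() as base:
        docs, tmp = os.path.join(base, "Docs"), os.path.join(base, "Temp")
        os.makedirs(docs)
        os.makedirs(tmp)
        for p in (os.path.join(tmp, "crab.exe"), os.path.join(docs, "a.docx.ZRB"),
                  os.path.join(docs, "--DECRYPT--ZORAB.txt.ZRB")):
            open(p, "w").close()
        print(triage(base, tmp))
```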
Researchers and security experts are working on a way to break the Djvu ransomware. In the meantime, we advise you that no free decryptor can remove the malware inserted by ransomware.