Researchers have identified a fake ransomware decryptor circulating online that only serves to add to victims’ problems.
The phoney decryptor preys on users infected with the pervasive STOP Djvu ransomware which, unlike the most famous ransomware variants, primarily targets individuals as opposed to businesses.
The second ransomware, called Zorab, infects the user’s device and doubly encrypts their files, rubbing salt into the existing wound.
Fake ransomware decryptor
STOP Djvu is among the most prolific ransomware strains in circulation, infecting a greater number of victims than the infamous Maze, Sodinokibi, Netwalker and DoppelPaymer ransomware combined.
Concealed within rigged software cracks, it infects over 600 users per day, making it the most widely distributed ransomware over the last 12 months.
Decryptors for older iterations of STOP Djvu have previously been made available online for free, which could have led victims to place greater trust in the fraudulent decryptor than they otherwise might.
Once installed and activated, the sham decryptor extracts a second executable, crab.exe, which installs the Zorab ransomware, further encrypts data and deposits a ransom note in each folder containing an encrypted file.
The ransom note demands the victim purchases a decryption tool from the ransomware operator and warns them against using third party software to address the infection.
Zorab is currently undergoing analysis and users are advised to refrain from paying the ransom fee until the malware has been scoured for weaknesses.