Cyber criminals can be really annoying. This time round, attackers have built malware disguised as a decryption tool that supposedly helps ransomware victims recover their files. The fake decryptor instead encrypts the already-encrypted files a second time, so the victim jumps from the frying pan straight into the fire.
According to a recent report by the information security news site BleepingComputer, a fake decryptor for STOP Djvu ransomware double-encrypts victims' files, leaving them in a far worse position than before. The report says it lures already desperate victims with the promise of a free decryption tool and infects them with a second ransomware instead.
The malware, dubbed "Zorab", was uncovered by Michael Gillespie, the creator of ID Ransomware. Legitimate free decryptors for some STOP Djvu variants do exist, and the fake tool poses as one of them. It promises to decrypt files at no cost but encrypts them a second time instead.
Hmm, someone released a decryptor for #STOP #Djvu?
Oh wait… it's more fucking #ransomware. Don't trust anything you find online saying it can decrypt Djvu unless it is from ME. This is just one example of the shady shit victims are falling for when they don't believe me. pic.twitter.com/eWjtB8UpJe
— Michael Gillespie (@demonslay335) June 5, 2020
Ransomware operations such as REvil, Netwalker, DoppelPaymer and Maze get the headlines because of their high-profile victims and huge ransom demands. STOP Djvu, by contrast, is far less well known, yet according to the report it infects more victims every day than all of those operations combined.
How the fake decryption tool works
When a victim downloads the fake decryptor and clicks its 'Start Scan' button, the tool extracts an executable named crab.exe, which is the Zorab ransomware itself. Once it runs, Zorab encrypts the files on the system, including those already encrypted by STOP Djvu, and appends a .ZRB extension to each of them.
Zorab also drops a ransom note named '--DECRYPT--ZORAB.txt.ZRB' in every folder it encrypts, with instructions for contacting the attackers and paying the ransom. Disguising the malware as a decryptor is an effective way to spread it quickly, because the pool of potential victims is large: BleepingComputer's report describes STOP Djvu as "the most actively distributed ransomware over the past year."
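As an added example that is not part of the original report or of any ID Ransomware tool, the following Python script triages a directory tree for the artifacts described above: files carrying the .ZRB extension, the '--DECRYPT--ZORAB.txt.ZRB' ransom note, and files that already carried a ransomware extension before Zorab appended its own, which tells the responder that two different decryptors will be needed. The sample tree it builds is constructed for the demonstration. The three-extension heuristic is an assumption: it relies on the earlier ransomware having appended its own extension (the `.djvu` extension in the sample is the one early STOP Djvu variants used; later variants append different ones), so tune it to the variant you are dealing with.

```python
"""Triage a directory tree for Zorab double-encryption artifacts.

Added example, not code from the BleepingComputer report or from ID Ransomware.
Looks for the .ZRB extension Zorab appends and the ransom note it drops, and
flags files that carried an earlier ransomware extension before .ZRB, so a
responder knows the original STOP Djvu layer still has to be decrypted after
the Zorab layer is removed.
"""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ZORAB_EXT = ".ZRB"                       # extension Zorab appends to files it encrypts
ZORAB_NOTE = "--DECRYPT--ZORAB.txt.ZRB"  # ransom note dropped in every encrypted folder


@dataclass
class ScanResult:
    zrb_files: list = field(default_factory=list)         # every Zorab-encrypted file
    double_encrypted: list = field(default_factory=list)  # subset encrypted before Zorab too
    ransom_notes: list = field(default_factory=list)
    folders_with_notes: set = field(default_factory=set)


def scan_tree(root):
    """Walk root and classify files by the Zorab artifacts they carry."""
    root = Path(root)
    result = ScanResult()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == ZORAB_NOTE:
            result.ransom_notes.append(rel)
            result.folders_with_notes.add(path.parent.relative_to(root).as_posix())
            continue
        if path.suffix.upper() != ZORAB_EXT:
            continue
        result.zrb_files.append(rel)
        # Heuristic (assumption): ransomware appends its own extension, so a file
        # that was already encrypted before Zorab ran carries at least three
        # suffixes: original extension, first ransomware's extension, then .ZRB.
        if len(path.suffixes) >= 3:
            result.double_encrypted.append(rel)
    return result


def build_sample_tree():
    """Create a constructed sample tree (not real victim data) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="zorab-triage-"))
    files = {
        # .djvu: extension appended by early STOP Djvu variants; hit twice
        "docs/report.docx.djvu.ZRB": b"<djvu ciphertext, then zorab ciphertext>",
        "docs/notes.txt": b"plain text, untouched",
        "docs/" + ZORAB_NOTE: b"constructed ransom note text",
        "pics/holiday.jpg.ZRB": b"<zorab ciphertext only>",  # hit once, by Zorab alone
        "pics/" + ZORAB_NOTE: b"constructed ransom note text",
        "README.md": b"untouched",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def summarize(result):
    """Counts a responder would put in the first triage note."""
    return {
        "zorab_encrypted": len(result.zrb_files),
        "needs_two_decryptors": len(result.double_encrypted),
        "ransom_notes": len(result.ransom_notes),
        "folders_hit": len(result.folders_with_notes),
    }


if __name__ == "__main__":
    sample_root = build_sample_tree()
    res = scan_tree(sample_root)
    for key, value in summarize(res).items():
        print(f"{key}: {value}")
    for rel in sorted(res.double_encrypted):
        print("double-encrypted:", rel)
```

Point `scan_tree` at the root of an affected share or user profile instead of the sample tree; the `double_encrypted` list is the set of files for which a working Zorab decryptor alone would not be enough, and the `folders_with_notes` set gives a quick picture of how far the second encryption spread.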