According to a report published by Bleeping Computer on June 5, the creators of the Zorab ransomware have built and released a fake STOP Djvu decryptor. Instead of recovering a victim's data, the tool attacks the files a second time: it runs another ransomware that encrypts them all over again.
Zorab compounds existing problems
For years, encrypting ransomware has been a nightmare scenario for unwitting computer users. They click the wrong link or open the wrong email attachment and suddenly find that all of their files (their most precious photos, the novel they have been working on, their music projects, their work) are encrypted; the ransomware claims that the only way to get them back is to pay a large fee.
Of course, security vendors have developed free tools that decrypt files without paying exorbitant sums, and that is exactly what this new malware imitates. It claims to help ransomware victims decrypt their files for free and then encrypts them a second time.
When a victim runs the fake decryptor, it extracts an executable named crab.exe, which is the Zorab ransomware itself. Once crab.exe runs, it encrypts the files it finds and appends a .ZRB extension to each of them, so the victim ends up with data that has been encrypted twice.
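As a practical follow-on to the two indicators named above (the .ZRB extension on encrypted files and the dropped crab.exe), the script below is an added example; it is not code from the article or from any vendor. It walks a directory tree read-only, counts .ZRB files per folder, records any crab.exe it finds, and also shows the check that would have stopped the fake tool in the first place: verifying a downloaded decryptor's SHA-256 against the hash the vendor publishes before executing it. The sample directory layout, the file names and the placeholder crab.exe are constructed test data, and the case-insensitive name matching is an assumption.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".zrb"        # extension appended to encrypted files (from the article)
DROPPED_PAYLOAD = "crab.exe"  # executable the fake decryptor drops (from the article)


def scan_tree(root):
    """Read-only walk of `root`; counts .zrb files per directory and records
    every crab.exe found. Name matching is case-insensitive (an assumption)."""
    encrypted_by_dir = Counter()
    payloads = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted_by_dir[dirpath] += 1
            if lower == DROPPED_PAYLOAD:
                payloads.append(os.path.join(dirpath, name))
    return {
        "encrypted_by_dir": dict(encrypted_by_dir),
        "encrypted_total": sum(encrypted_by_dir.values()),
        "payloads": payloads,
    }


def sha256_of(path):
    """Streaming SHA-256 so a large download is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256):
    """True only if the file's SHA-256 equals the hash the vendor published.
    The expected value must come from the vendor's own site, never from the
    same place the file itself was downloaded from."""
    return sha256_of(path).lower() == expected_sha256.strip().lower()


def build_sample_tree(root):
    """Constructed sample data: three 'encrypted' documents, one untouched
    file and a placeholder crab.exe. Nothing written here is real malware."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for i in range(3):
        (docs / f"report{i}.docx.zrb").write_bytes(os.urandom(32))
    (docs / "notes.txt").write_text("untouched")
    temp = Path(root) / "Temp"
    temp.mkdir(exist_ok=True)
    payload = temp / "crab.exe"
    payload.write_bytes(b"MZ" + b"\x00" * 62)  # placeholder bytes only
    return str(payload)


def demo():
    """Build the sample tree in a temp dir, scan it, and exercise the hash check."""
    with tempfile.TemporaryDirectory() as root:
        payload = build_sample_tree(root)
        report = scan_tree(root)
        good = verify_download(payload, sha256_of(payload))  # matching digest
        bad = verify_download(payload, "0" * 64)             # wrong digest
    return report, good, bad


if __name__ == "__main__":
    report, good, bad = demo()
    print(f"{report['encrypted_total']} encrypted files, payloads: {report['payloads']}")
    print("hash check with correct digest:", good, "| with wrong digest:", bad)
```

Run it directly to see the report on the constructed tree; to triage a real machine, point scan_tree at the affected drive or share and treat any crab.exe hit as a sample to preserve, not to run. For the hash check, take the expected digest from the decryptor vendor's own page, since a site that serves a trojanised decryptor will happily serve a matching hash next to it.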
In a way, the creators of Zorab were quite clever: STOP Djvu is thought to be one of the most prolific ransomware families in circulation, if not the most prolific. A fake decryption tool for STOP therefore has a large, desperate audience, which makes it a quick and easy way to spread another piece of ransomware.
Brett Callow, threat analyst at the anti-malware company Emsisoft, pointed out that STOP is the most prevalent ransomware in use worldwide.
Bleeping Computer described STOP as “the most actively distributed ransomware over the past year.”
The publication also said that Zorab is still being analyzed, and that victims should not pay the ransom demanded of them until analysts have confirmed whether its encryption contains a weakness that would allow files to be recovered for free.
Callow was referring to one of several free tools that Emsisoft has released recently; each allows victims to decrypt files affected by a specific ransomware family.
An Update on new free ransomware Decryptor tools
On June 3, the Spain-based telecommunications conglomerate Telefónica released a free tool to recover data encrypted by the VCryptor ransomware.
On June 4, Emsisoft also released a free decryptor that enables victims of the Tycoon ransomware to recover their files without paying the ransom.
The CoinVault decryptor decrypts files affected by CoinVault and Bitcryptor. It was created in cooperation with the National High Tech Crime Unit (NHTCU) of the Netherlands' police and the Netherlands' National Prosecutors.
Now tell us, have you ever experienced a ransomware attack?
Did you pay the ransom?
What ransomware Decryptor tools are you using?
Zorab ransomware: Zorab is a ransomware-type infection, built specifically to encrypt all major file types on the machines it infects.
Decryptor: a tool that converts encrypted data back into its original form. Decryption is the reverse of encryption; because it requires the secret key or password, only a party holding that key can recover the data, which is why legitimate decryptors are only possible when the key has been recovered or the ransomware's encryption is flawed.