Using a fake decryption tool to inject second ransomware is rather uncommon, but security researcher Michael Gillespie recently discovered a wave of fake STOP (Djvu) decryptors that double-encrypt a victim’s data.
A new ransomware strain has been taking advantage of the most actively distributed ransomware STOP Djvu to lure its victims.
- The strain called “Zorab” pretends to be a decryption tool to recover ransomware-encrypted data, but instead of recovering any files for free, it encrypts victims’ existing encrypted data with another ransomware.
- Zorab is disguised as a decryptor for the STOP (Djvu) ransomware family and double-encrypts the files by luring victims to second ransomware.
- When encrypting files, the ransomware will add the .ZRB extension to the file's name and will also create ransom notes named '--DECRYPT--ZORAB.txt.ZRB' in each encrypted folder.
STOP Djvu Ransomware
The newer variants cannot be decrypted for free but for the earlier variants, Emsisoft released the decryptor. It mainly targeted victims through cracked software, adware bundles (pretending to be software cracks), and shady sites.
- In October 2019, STOP developers teamed up with shady sites and adware bundles to promote fake software cracks or free programs affecting home users.
- According to Bleeping Computer’s ID-Ransomware ransomware identification service report released in September 2019, it is the most actively distributed ransomware in the wild (almost 60-70 % of ransomware submissions a day).
- The first STOP Djvu variant was identified In January 2019, spreading the new .TRO variant through crack downloads and adware bundles.
In the first place, organizations and users should focus on preventing a ransomware infection. Do not open dubious and irrelevant emails received from unknown or suspect senders. Users should only use official and verified download channels. Stop using illegal activation tools ("cracks") and third-party updaters.