The creators of Zorab ransomware have launched a fake decryptor that encrypts, for a second time, files already encrypted by a STOP Djvu attack.
On June 5, Bleeping Computer reported that the creators of Zorab had released a fake STOP Djvu decryptor. Instead of recovering a victim's data, the software encrypts their files again with a second ransomware.
When a victim runs the fake tool, it extracts an executable called crab.exe, which is the Zorab ransomware itself. Once executed, Zorab encrypts the files it finds and appends a .ZRB extension to them, so a victim who hoped to recover from STOP is left with files that have been encrypted twice.
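A quick triage script for the situation described above, added here as an example (it is not code from the article, from Emsisoft or from Bleeping Computer). It walks a directory tree, collects files carrying Zorab's .ZRB extension, and uses the extension stacked directly beneath .ZRB to separate files that were encrypted twice (original extension, then the first ransomware's marker, then .ZRB) from files Zorab hit on its own. The demo tree is constructed inside the script, and the inner extension `.hypothetical` is an assumed stand-in for whatever extension the first ransomware appended, not a real STOP Djvu marker.

```python
"""Triage files after a suspected double-encryption incident.

Added example, not from the article. Builds a constructed sample tree,
finds every file ending in .ZRB, and infers which files were already
encrypted before Zorab ran by looking at the extension stacked beneath .ZRB.
"""
import tempfile
from collections import Counter
from pathlib import Path

ZORAB_EXT = ".zrb"  # Zorab appends .ZRB (per the report); matched case-insensitively


def build_sample_tree():
    """Constructed demo tree (not real victim data).

    '.hypothetical' plays the role of the first ransomware's extension and is an
    assumption for the demo; a real STOP Djvu extension would differ.
    """
    root = Path(tempfile.mkdtemp(prefix="zrb-triage-"))
    layout = [
        "docs/report.docx.hypothetical.ZRB",  # encrypted by first ransomware, then Zorab
        "docs/budget.xlsx.hypothetical.ZRB",
        "pics/holiday.jpg.hypothetical.ZRB",
        "notes.txt.ZRB",                       # hit by Zorab only
        "archive.tar.gz.ZRB",                  # dotted name, Zorab only (must not be flagged)
        "README.txt",                          # untouched
    ]
    for rel in layout:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00constructed sample bytes\x00")
    return root


def find_zrb_files(root):
    """All regular files under root whose final extension is .ZRB (any case)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() == ZORAB_EXT)


def stacked_suffixes(path):
    """Extensions sitting beneath .ZRB, lower-cased.

    report.docx.hypothetical.ZRB -> ['.docx', '.hypothetical']
    notes.txt.ZRB                -> ['.txt']
    """
    return [s.lower() for s in path.suffixes[:-1]]


def triage(root):
    """Summarise .ZRB files and flag those that were encrypted twice.

    Heuristic: a double-encrypted file carries at least two extensions beneath
    .ZRB, and the one directly beneath .ZRB is the first ransomware's marker.
    The marker that dominates across many different original extensions is
    taken as the first-stage extension; dotted names such as archive.tar.gz.ZRB
    appear once each and do not win the count.
    """
    root = Path(root)
    files = find_zrb_files(root)
    candidates = Counter(stacked_suffixes(p)[-1] for p in files
                         if len(stacked_suffixes(p)) >= 2)
    first_stage = candidates.most_common(1)[0][0] if candidates else None
    double = [str(p.relative_to(root)) for p in files
              if first_stage is not None
              and len(stacked_suffixes(p)) >= 2
              and stacked_suffixes(p)[-1] == first_stage]
    return {
        "zrb_total": len(files),
        "inner_ext_counts": dict(candidates),
        "first_stage_ext": first_stage,
        "double_encrypted": double,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

The output tells a responder two things the file listing alone does not: how many files Zorab touched, and which extension the earlier ransomware used, which is the extension to look up when choosing a legitimate decryptor. The heuristic is deliberately conservative: a file with only one extension beneath .ZRB is treated as encrypted once, and a rare inner extension (the `.gz` of a tarball) is never promoted to first-stage marker.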
Brett Callow, a threat analyst at the security firm Emsisoft, said that STOP is by far the most prevalent ransomware, accounting for approximately half of all incidents.
“Unfortunately, criminals often create fake versions of popular software in order to spread malware, and they have now created a fake version of our decryptor to do just that. Running the fake tool will not recover data that was encrypted by STOP, it will actually encrypt it for a second time.”
The decryptor Callow refers to is one of several free tools Emsisoft has released recently, each of which lets victims decrypt files encrypted by a specific ransomware variant.
Zorab ransomware creators are spreading a malicious tool that double-encrypts files affected by a STOP attack https://t.co/eyVLZ2SiJ7 — Cointelegraph (@Cointelegraph) June 7, 2020
According to the report, Callow issued the following warning to the public:
“This illustrates why people should exercise caution when downloading software and apps and ensure it has come from a reputable and trustworthy source. Similarly, cracks, activators, and keygens should be avoided as these are also frequently used to spread ransomware and other malware.”
Separately, on June 4, Emsisoft released a free decryptor that enables victims of Tycoon ransomware to recover their files without paying the ransom.