
Fake ransomware decryptor installs additional ransomware

(Image credit: Christiaan Colen / Flickr)

What’s worse than suffering a ransomware attack? Having your already encrypted files encrypted again, by a completely different ransomware. This is exactly what happens to victims of a fake STOP Djvu ransomware decryptor currently circulating online.

As discovered by ransomware hunter Michael Gillespie, the fake decryptor is being advertised as a solution to a STOP Djvu infection, but instead subjects victims to a further ransomware attack.

According to Bleeping Computer, STOP Djvu ransomware is extremely pervasive, infecting more people every day than the biggest players (Maze, REvil, Netwalker and DoppelPaymer) combined. The reason it hasn’t received proportional media coverage is that it targets individuals rather than enterprises.

The secondary infection is brought about by STOP Djvu victims searching the web for a free decryptor, likely motivated by the fact that free decryptors were published for earlier iterations.

After downloading and running the fake decryptor and clicking on the "Start Scan" button, the program runs another executable (crab.exe), which infects the machine with Zorab ransomware.
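The behaviour described above (a supposed decryptor that writes and launches a second executable) is the kind of parent/child process relationship an endpoint team can look for in process-creation telemetry. The following is an added illustration, not code from the article or from the researchers it cites. It assumes Sysmon Event ID 1 style fields (process id, parent image path, image path); the sample events are constructed, and the only identifier taken from the article is the dropped file name crab.exe.

```python
import ntpath
from dataclasses import dataclass

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Paths and pids are invented for this example; "crab.exe" is the file name
# the article reports the fake decryptor launching.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\STOPDjvuDecryptor.exe"},
    {"pid": 4188, "parent_image": r"C:\Users\alice\Downloads\STOPDjvuDecryptor.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\crab.exe"},
    {"pid": 4201, "parent_image": r"C:\Users\alice\Downloads\STOPDjvuDecryptor.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\helper.exe"},
    {"pid": 4300, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 4350, "parent_image": r"C:\Users\alice\Tools\decrypt_stop.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

# Rule 1 input: file names known from reporting (here only the article's crab.exe).
KNOWN_DROPPED_NAMES = {"crab.exe"}
# Rule 2 input: directories a "decryptor" has no business launching binaries from.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    image: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def is_temp_path(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def looks_like_decryptor(path: str) -> bool:
    """Heuristic: the parent's file name advertises itself as a decryptor."""
    return "decrypt" in basename(path)


def evaluate(event: dict) -> list[Finding]:
    """Apply both rules to one process-creation event."""
    findings = []
    child = basename(event["image"])
    # Rule 1: exact match on a dropped-executable name from reporting.
    if child in KNOWN_DROPPED_NAMES:
        findings.append(Finding(event["pid"], "known_dropped_name",
                                event["image"], event["parent_image"]))
    # Rule 2: generic behaviour, independent of any particular file name:
    # a self-described decryptor spawning a binary out of a temp directory.
    if looks_like_decryptor(event["parent_image"]) and is_temp_path(event["image"]):
        findings.append(Finding(event["pid"], "decryptor_spawns_from_temp",
                                event["image"], event["parent_image"]))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid={finding.pid} rule={finding.rule} "
              f"{finding.parent_image} -> {finding.image}")
```

The second rule is the more useful one to keep: a renamed dropper defeats the name match, but a tool that claims to decrypt files and then executes something it just wrote to a temp directory still trips the behavioural check. Both rules should be tuned against the local baseline before alerting, since legitimate installers also write to temp paths.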

At the moment, there is no free decryptor for Zorab, and victims are advised to wait until the malware has undergone analysis.