The creators of the Zorab ransomware have released a fake decryptor to deceive the public.
While researchers work on solutions for the many ransomware strains being released, ransomware creators are working just as hard to undermine those efforts by introducing fake decryptors.
On June 5, Bleeping Computer reported that the creators of the Zorab ransomware had released a fake decryptor, which they called a STOP Djvu decryptor. Victims complained that when they launched the program to recover their encrypted files, the files were encrypted a second time.
The fake decryptor presents a file named crab.exe. Unknown to victims, crab.exe is the Zorab ransomware. Running it encrypts the files again and gives them a .zrb extension.
Ransomware encrypting twice
Brett Callow of Emsisoft believes that STOP is one of the most common ransomware threats. Callow says 50% of all attacks are caused by the STOP ransomware:
“Unfortunately, criminals often create fake versions of popular software in order to spread malware, and they have now created a fake version of our decryptor to do just that. Running the fake tool will not recover data that was encrypted by STOP, it will actually encrypt it for a second time.”
Callow encourages people to try the free tool released by Emsisoft. That tool, like other genuine decryptors, is built to tackle particular types of ransomware.
Addressing the public, Callow said:
“This illustrates why people should exercise caution when downloading software and apps and ensure it has come from a reputable and trustworthy source. Similarly, cracks, activators, and keygens should be avoided as these are also frequently used to spread ransomware and other malware.”
Recent no-fee ransomware decryptor tools in use
Free decryptor tools already exist for specific ransomware, thanks to the work of some selfless tech companies.
Telefonica, a Spanish telecommunications company, launched a decryptor tool on June 3 for the VCryptor ransomware.
The following day (June 4), Emsisoft released its own, this time for the Tycoon ransomware.