A fake decryptor is being distributed online to lure desperate victims of ransomware attacks into a trap. Using the bait of a free decryption solution for those with affected files, the malicious decryptor instead launches an attack of its own, double-encrypting the data and demanding payment for its release.

Low-profile but prevalent ransomware attacks

The fraudulent decryptor is presented as a free antidote for STOP Djvu ransomware. While not as well-known as major ransomware collectives such as Maze, Netwalker, DoppelPaymer and REvil, which regularly make headlines with their attacks on large organisations, STOP Djvu is now infecting the systems of more individuals than all of these groups combined.

Over the last year, STOP Djvu has been associated with more than 600 daily submissions to the ransomware identification service ID-Ransomware, making it currently the most actively released ransomware.

Brett Callow, threat analyst at Emsisoft’s malware lab, confirmed that STOP Djvu accounts for around half of all ransomware incidents reported:

“Unfortunately, criminals often create fake versions of popular software in order to spread malware, and they have now created a fake version of our decryptor to do just that. Running the fake tool will not recover data that was encrypted by STOP; it will actually encrypt it for a second time.”

Despite being so common, STOP Djvu ransomware gets little press, as it mainly affects home users who are infected via adware bundles that impersonate software cracks. While downloading and installing cracks is never excusable, most of the individuals with infected files cannot afford the ransom demanded for a decryptor. Callow commented:

“This illustrates why people should exercise caution when downloading software and apps and ensure they have come from a reputable and trustworthy source. Similarly, cracks, activators, and keygens should be avoided as these are also frequently used to spread ransomware and other malware.”

As an antidote to this prolific ransomware, Emsisoft, together with malware hunter Michael Gillespie, previously released a decryptor capable of unlocking older versions of STOP Djvu; however, the newer variants cannot be decrypted without cost.

Double-encryption disguised as salvation

The new ransomware that double-encrypts victims’ files is named Zorab and was identified by Gillespie.

Zorab’s creators have now released a bogus STOP Djvu decryptor resembling the tool developed by Gillespie and Emsisoft. However, instead of recovering data for free, it encrypts the already-encrypted files a second time with yet more ransomware. After the frantic user enters their data into the decryptor and selects “Start Scan”, the Zorab ransomware encrypts their files and drops ransom notes stating the amount demanded and the payment instructions, including how to contact those behind the attack.

Emsisoft has released multiple free decryption tools, including one released on June 4 for recovering data encrypted by Tycoon ransomware.

The Zorab ransomware is now being analysed, and users hit by the double-encryption have been advised not to pay any ransom until researchers have determined whether a weakness exists that would allow free recovery of the encrypted files.