{"id":16888,"date":"2020-06-08T16:18:43","date_gmt":"2020-06-08T20:18:43","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/fake-djvu-ransomware-decryptor\/16888\/"},"modified":"2020-09-02T21:30:55","modified_gmt":"2020-09-02T17:30:55","slug":"fake-djvu-ransomware-decryptor","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/fake-djvu-ransomware-decryptor\/16888\/","title":{"rendered":"Encrypting the encrypted: Zorab Trojan in STOP decryptor"},"content":{"rendered":"<p>What do people do if they discover that ransomware has encrypted their files? First panic, probably, then worry, then look for ways to recover data without paying any ransom to the attackers (<a href=\"https:\/\/www.kaspersky.com\/blog\/no-no-ransom\/13364\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">which would be pointless, anyway<\/a>). In other words, they go online to Google a solution or ask for advice on social networks. That is exactly what the creators of the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-ransomware-decryptor-double-encrypts-desperate-victims-files\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Zorab Trojan<\/a> want, having embedded the malware into a tool that purports to help STOP\/Djvu victims.<\/p>\n<h2>Fake STOP decryptor as bait<\/h2>\n<p>In fact, the cybercriminals have decided to exacerbate the problems already facing the victims of the STOP\/Djvu ransomware, which encrypts data and, depending on the version, assigns an extension \u2014 options include .djvu, .djvus, .djvuu, .tfunde, and .uudjvu \u2014 to the modified files. 
Zorab\u2019s creators released a utility that supposedly decrypts these files, but it actually encrypts them all over again.<\/p>\n<p>You can indeed decrypt files that earlier versions of STOP compromised \u2014 Emsisoft released a <a href=\"https:\/\/www.emsisoft.com\/ransomware-decryption-tools\/stop-djvu\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">tool<\/a> back in October 2019. But modern versions use a more reliable encryption algorithm that current technology cannot crack. So at least for now, no decryption utility exists for modern versions of STOP\/Djvu.<\/p>\n<p>We say \u201cfor now\u201d because decryption tools appear in one of two cases: either the cybercriminals make an error in the encryption algorithm (or simply use a weak cipher), or the police locate and seize their servers. Sure, the creators might voluntarily publish the keys, but that\u2019s a very long shot \u2014 and even if they do, infosec companies still have to create a handy utility that victims can use to restore their data. That happened with the keys for files hit by Shade ransomware, and we <a href=\"https:\/\/noransom.kaspersky.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">published a decryption program in April this year<\/a>.<\/p>\n<h2>How to know if a decryptor is fake<\/h2>\n<p>Anonymous well-wishers are extremely unlikely to create a decryption utility and place it on some unknown site, or supply a direct link on a forum or social network. You can find genuine utilities on infosec companies\u2019 websites or on specialized portals dedicated to combating ransomware, such as <a href=\"https:\/\/www.nomoreransom.org\/en\/index.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">nomoreransom.org<\/a>. Treat tools hosted elsewhere with suspicion.<\/p>\n<p>Cybercriminals rely on panic, knowing someone who has lost files to a cryptor will grasp at any straw. 
Even if you believe a tool is bona fide, though, it\u2019s important to remain calm and objective and verify the site properly. If you have any suspicions at all about its legitimacy, don\u2019t touch the tool.<\/p>\n<h2>How to guard against Zorab and other ransomware<\/h2>\n<ul>\n<li>Do not follow suspicious links or run executable files if you do not trust their source. If you are looking for a decryptor, the most reliable sources \u2014 the places you should start searching \u2014 will be <a href=\"http:\/\/noransom.kaspersky.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">noransom.kaspersky.com<\/a>, <a href=\"http:\/\/nomoreransom.org\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">nomoreransom.org<\/a> (a joint project run by several companies), and the sites of other security solution vendors. If you find a utility elsewhere, then we strongly advise checking the legitimacy of its authors and the site where it was published before you even think about using it.<\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-backup\/19589\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Make backup copies of important files<\/a>.<\/li>\n<li>Use a <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a> that detects known ransomware and, when encountering something unknown, identifies and blocks attempts to modify files.<\/li>\n<\/ul>\n<p>For companies that fear ransomware but rely on other protection, we offer the standalone <a href=\"https:\/\/me-en.kaspersky.com\/blog\/kaspersky-anti-ransomware-tool-for-business\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=me-en_KB_nv0092&amp;utm_content=link&amp;utm_term=me-en_kdaily_organic_1drobvqxak929hs\" target=\"_blank\" rel=\"noopener\">Kaspersky Anti-Ransomware Tool<\/a>. 
Compatible with most security solutions, it detects the threats that can break through their lines of defense.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kart\">\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are distributing ransomware disguised as a tool for decrypting files encrypted by the STOP Trojan.<\/p>\n","protected":false},"author":2581,"featured_media":16889,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1239,1214,1203,433],"class_list":{"0":"post-16888","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-decryptors","10":"tag-nomoreransom","11":"tag-noransom","12":"tag-ransomware"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fake-djvu-ransomware-decryptor\/16888\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/fake-djvu-ransomware-decryptor\/21423\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/fake-djvu-ransomware-decryptor\/8328\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/fake-djvu-ransomware-decryptor\/22519\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fake-djvu-ransomware-decryptor\/20664\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/fake-djvu-ransomware-decryptor\/19068\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/fake-djvu-ransomware-decryptor\/22906\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/fake-djvu-ransomware-decryptor\/21919\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fake-djvu-ransomware-decryptor\/28554\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/fake-djvu-ransomware-decryptor\/8431\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fake-djvu-ransomware-decryp
tor\/35824\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/fake-djvu-ransomware-decryptor\/15047\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/fake-djvu-ransomware-decryptor\/15582\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/fake-djvu-ransomware-decryptor\/13550\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/fake-djvu-ransomware-decryptor\/24238\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/fake-djvu-ransomware-decryptor\/11571\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/fake-djvu-ransomware-decryptor\/28621\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/fake-djvu-ransomware-decryptor\/25531\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/fake-djvu-ransomware-decryptor\/22450\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fake-djvu-ransomware-decryptor\/27706\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fake-djvu-ransomware-decryptor\/27548\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=16888"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16888\/revisions"}],"predecessor-version":[{"id":16890,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16888\/revisions\/16890"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com
\/blog\/wp-json\/wp\/v2\/media\/16889"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=16888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=16888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=16888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}