Ransomware strains STOP and Zorab are exploiting the desperation of victims with a fake decryptor that double encrypts victims’ files
We can pretty much all agree that these attackers are malicious. They compromised businesses while the economy was weakened by COVID-19, locked the devices of people just trying to keep themselves entertained as America struggled to return to normal after the lockdowns, and even targeted the computers our children were using as homeschooling expanded globally.
But adding insult to injury is a malware that has been developed to imitate the kind of decryption software that is supposed to help people who have already been victims of ransomware encryption attacks.
STOP Ransomware is the Most Prolific Strain of Ransomware Today
Although other ransomware strains have received more media attention because of their attacks on high-profile victims, STOP ransomware, also known as Djvu ransomware, has infected a larger number of systems, as confirmed by more than 600 submissions a day to the ID-Ransomware identification service. This makes STOP the most actively distributed ransomware from the summer of 2019 to the spring of 2020.
A phony decryptor for the STOP Ransomware lures already desperate people with the promise of free decryption of their infected files. Instead of getting access to their files back, they are infected with another layer of ransomware that makes their situation even worse.
Zorab Exploits Targets Infected with STOP Ransomware
Legitimate decryption tools exist that recover files from some ransomware strains without the victim paying an exorbitant ransom. Knowing this, the operators behind Zorab built a ransomware that poses as a free decryptor for STOP victims and then encrypts their already-encrypted files a second time.
When the victim downloads this fake decryption “tool” and clicks “Start Scan,” the software extracts an executable named crab.exe, which is the Zorab ransomware itself. Once executed, crab.exe encrypts all files on the system and appends a .ZRB extension to each one.
Zorab also drops a ransom note named ‘–DECRYPT–ZORAB.txt.ZRB’ in every folder it encrypts. The note tells the victim how to contact the attackers for payment instructions.
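The two on-disk indicators the article gives (the appended .ZRB extension and the per-folder ransom note) are enough for a responder to triage a suspected Zorab infection. The script below is an added example, not code from the article or from any vendor tool; it walks a directory tree built inline from constructed sample files, counts encrypted files, and flags folders that hold .ZRB files but no note. The note name is matched loosely because the article renders its leading dashes inconsistently.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the article: Zorab appends .ZRB to encrypted files and
# drops a note named (roughly) --DECRYPT--ZORAB.txt.ZRB in each folder.
ZORAB_EXT = ".ZRB"


def is_zorab_note(name):
    # Loose match: the exact dash characters vary between write-ups.
    return "DECRYPT" in name and name.endswith("ZORAB.txt.ZRB")


def triage_zorab(root):
    """Walk `root` and report Zorab indicators as a dict of sorted Paths."""
    encrypted, note_dirs, enc_dirs = [], set(), set()
    for dirpath, _dirs, files in os.walk(Path(root)):
        d = Path(dirpath)
        for name in files:
            if is_zorab_note(name):          # checked first: the note itself ends in .ZRB
                note_dirs.add(d)
            elif name.upper().endswith(ZORAB_EXT):
                encrypted.append(d / name)
                enc_dirs.add(d)
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        # The note is expected in every encrypted folder; its absence is odd.
        "encrypted_dirs_without_note": sorted(enc_dirs - note_dirs),
    }


def build_sample_tree():
    """Create a constructed sample tree (not real victim data); return its root."""
    root = Path(tempfile.mkdtemp(prefix="zorab_sample_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.ZRB").write_bytes(b"\x00encrypted")
    (root / "docs" / "--DECRYPT--ZORAB.txt.ZRB").write_text("We absolutely do not care ...")
    (root / "pics").mkdir()
    (root / "pics" / "holiday.jpg.ZRB").write_bytes(b"\x00encrypted")
    (root / "clean").mkdir()
    (root / "clean" / "notes.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    for key, paths in triage_zorab(build_sample_tree()).items():
        print(key, [str(p) for p in paths])
```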
“We absolutely do not care about you and your deals, except getting benefits,” the notes read.
The idea behind Zorab was maximum profitability. STOP ransomware is one of the most widely distributed pieces of ransomware in the world, so the creators of a fake decryption tool for STOP stand to extract payments from a large share of the already-infected community.