Warning! Fake Djvu decryptor spreads Zorab ransomware

STOP/Djvu ransomware victims – do not download a free decryptor unless it's official or you will get your files re-encrypted

Fake DJVU decryptor Criminals spread rogue STOP/Djvu ransomware decryptor, which disguises Zorab ransomware payload under the main installer

Free STOP/Djvu ransomware decryptor for the latest versions of this dangerous virus – sounds good to be true, isn't it? At the very beginning of June 2020, cybersecurity researchers spotted catchy offers to download a decryption software for the Djvu ransomware family members that have been launched after August 2019. These variants, including Zwer[1], Nlah, Zipe[2], Kkll, Pezi, and many others restrict people's access to personal files leaving only one option – to pay the ransom for criminals to unlock those files.

Unfortunately, the supposed Djvu decryptor is fake. According to the famous ransomware researchers Michale Gillespie[3], this software is yet another ransomware. If the Djvu victim downloads the supposed free decryption tool, the software manifests in a form request where an ID number and extension have to be submitted. However, instead of unlocking the files, the so-called “Decrypter DJVU” drops the crab.exe executable, which launches the ransomware payload and double-encrypts the data on the host machine.

Zorab ransomware instead free recovery software download

Researchers have downloaded the decryptor for testing as soon as it has been revealed. Initially, this tool resembles the decryptor. When the tool is launched, it generates a pop-up window asking for an ID number and extension name – just like the regular decryptor does.

However, DJVU decrypter simply camouflages the Zorab ransomware[4] virus, which launched by .crab.exe re-attacks personal files stored on the host machine and locks each of them using a different file extension .ZRB.

The encryption of encrypted files happens when the owner of the PC clicks on the Start Scan button. Thus, all the hope that the Djvu ransomware victim had to decrypt files shatter into pieces by finding a new .ZRB extension accompanied by a '–DECRYPT–ZORAB.txt.ZRB ransom note in different locations.

+ – = ZORAB = – + –
Attention! Attention! Attention!
Your documents, photos, databases and other important files are encrypted and have the extension: .ZRB
Don't worry, you can return all your files!
The only method of recovering files is to purchase decrypt tool and unique key for you.

According to the researchers, this ransomware is not built on the same scheme as Djvu. However, it has some similarities with Jigsaw ransomware, but the genealogy hasn't yet been confirmed. However, it seems that it has been developed by professional hackers who found an easy way to get into the machines – make people download the virus purposely believing it's a cure from another virus.

The new Zorab ransomware virus currently under investigation. Experts have the samples and are analyzing their structure and encryption model. It's advisable not to pay the ransom as long as there is no confirmation that the virus is flawless. Those who have been tricked into downloading this rogue DJVU decrypter should contact certified ransomware researchers from MalwareHunterTeam.

Only Emsisoft's STOP Decryptor can be trusted. Experts are working on the current Djvu variants

STOP or Djvu ransomware is one of the most active cyber threats since 2017. This ransomware has over 230 variants, approximately 120,000 confirmed victims, and an estimated total of 460,000 victims[5]. The beginning of summer 2020 manifested a significant increment in Djvu activity. Illustrating it in numbers, victims of this gang upload over 600 samples every day.

In 2019 Emsisoft, alongside the NoMoreRansom project, has released the official STOPdecryptor, which helped thousands of Djvu victims to unlock files encrypted by different variants of this ransomware. The only condition – the encryption by the virus is based on offline IDs (the virus has no contact with remote servers). All victims whose personal ID is 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0[6] can download the official decryptor and get the files back for no cost.

In general, the Djvu ransomware variants that have been launched after August 2019 will not be able to recover their files unless paying the redemption. The changed Djvu is using offline keys, meaning that there are thousands of IDs and decryption keys that are all unique and impossible to guess.

Typically, Djvu ransom is either $490 or $980 in Bitcoins. It depends on the time when the victim contacts the criminals, so those who are about to pay should do not wait for long. However, experts are actively working on this ransomware family, so it's only a matter of time when a decryptor emerges, so it's best to backup encrypted files and regularly contact researchers to find out about Djvu decryptor.

To finish this article we'd like to remind our visitors to be cautious. Do not blindly believe in any online offers, especially the ones that offer free data recovery. Otherwise, Zobar ransomware virus can attack PCs and cost you money, data, and nerves.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

Read in other languages