Fake decryption tools for ransomware encrypting user files again

Although researchers and ethical hackers have made massive efforts against cybercrime, threat actors always find a way to compromise unsuspecting users, say experts from a pentesting course. Free decryption tools are a good example of this, even though these tools have helped millions of ransomware victims.

These tools are developed by ethical hackers so that users hit by file-encrypting malware can regain access to their documents without having to negotiate with the attackers. However, some cybercriminal groups have begun to publish fake decryption tools that actually contain malware.

According to a report recently published by experts from a pentesting course, the developers of the Zorab ransomware created a fake STOP Djvu decryption tool. When victims download this tool and try to use it to decrypt their information, their files are actually encrypted a second time, because the purported security tool is itself a variant of ransomware.

When the victim opens the tool, the software extracts an executable called crab.exe that contains the Zorab ransomware. Once it runs, it encrypts all the files, adding the .ZRB extension.
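The double-encryption pattern described above can be triaged from a plain file listing. The following is an added example (not code from the article or from Emsisoft): it flags files carrying Zorab's .ZRB extension, recovers the extension that sat beneath it, treats any non-ordinary extension beneath .ZRB as a suspected earlier encryption layer, and notes whether the crab.exe dropper is present. The allow-list of ordinary extensions and the `.stopext` placeholder for STOP Djvu's own extension are constructed assumptions.

```python
"""Triage a file listing for signs of the Zorab ransomware described above."""
from collections import Counter
from pathlib import PurePosixPath
from typing import Optional

ZORAB_EXT = ".ZRB"           # extension appended by Zorab (from the article)
DROPPER_NAME = "crab.exe"    # executable the fake decryptor extracts (from the article)
# Constructed allow-list of ordinary document types; anything else found
# beneath .ZRB is treated as a suspected earlier encryption layer (e.g. STOP Djvu).
ORDINARY = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".zip"}


def classify(path: str) -> Optional[dict]:
    """Return details for a .ZRB file, or None if the file is not Zorab-renamed."""
    p = PurePosixPath(path)
    if p.suffix.upper() != ZORAB_EXT:
        return None
    inner = PurePosixPath(p.stem)          # name with the trailing .ZRB stripped
    beneath = inner.suffix.lower()         # extension that was there before Zorab
    return {
        "path": path,
        "beneath": beneath,
        # A non-ordinary extension beneath .ZRB suggests the file was already encrypted.
        "double_encrypted": beneath != "" and beneath not in ORDINARY,
    }


def triage_listing(paths) -> dict:
    """Summarise a listing: .ZRB hits, suspected double encryption, dropper presence."""
    hits = [c for c in map(classify, paths) if c]
    return {
        "zrb_count": len(hits),
        "double_encrypted": [h["path"] for h in hits if h["double_encrypted"]],
        "beneath_counts": Counter(h["beneath"] for h in hits),
        "dropper_seen": any(PurePosixPath(p).name.lower() == DROPPER_NAME for p in paths),
    }


# Constructed sample listing; ".stopext" is a placeholder for STOP Djvu's extension.
SAMPLE = [
    "/home/alice/Documents/report.docx.stopext.ZRB",
    "/home/alice/Pictures/holiday.jpg.stopext.ZRB",
    "/home/alice/Documents/notes.txt.ZRB",
    "/home/alice/Downloads/decrypt_STOPDjvu.exe",
    "/home/alice/Downloads/crab.exe",
    "/home/alice/Documents/readme.txt",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE))
```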

Specialists from a pentesting course company point out that STOP Djvu is the most common ransomware variant, as it is found in nearly 50% of reported attacks: “Cybercriminal groups have created multiple fake versions of the decryption tool for STOP in order to spread other malware variants, resulting in a second encryption,” says researcher Brett Callow, from Emsisoft.

This firm has published multiple free tools to remove encryption, a practice that has helped thousands of people, although experts note that the search for these tools has created new security problems: “Today more than ever users should be careful when downloading security software or applications, as many of these tools are not downloaded from trusted sources and recognized by the cybersecurity community; the use of cracks or keygens should also be avoided, as these tools are often used to spread new variants of malware,” concludes Callow.

Currently there are hundreds (or even thousands) of free decryption tools, so this will remain a widely exploited attack vector. To mitigate this risk, users can check whether there is a suitable tool for their case on the No More Ransom platform, which features information on thousands of ransomware variants and, in many cases, provides the decryption tools themselves.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.