Admin      12/06/2020 10:30      114

Encrypting the encrypted: Zorab Trojan in STOP decryptor

Cybercriminals are distributing ransomware disguised as a tool for decrypting files encrypted by the STOP Trojan.

What do people do if they discover that ransomware has encrypted their files? First panic, probably, then worry, then look for ways to recover data without paying any ransom to the attackers (which would be pointless, anyway). In other words, they go online to Google a solution or ask for advice on social networks. That is exactly what the creators of the Zorab Trojan want, having embedded the malware into a tool that purports to help STOP/Djvu victims.

Fake STOP decryptor as bait.

In fact, the cybercriminals have decided to exacerbate the problems already facing the victims of the STOP/Djvu ransomware, which encrypts data and, depending on the version, assigns an extension — options include .djvu, .djvus, .djvuu, .tfunde, and .uudjvu — to the modified files. Zorab’s creators released a utility that supposedly decrypts these files, but it actually encrypts them all over again. You can indeed decrypt files that earlier versions of STOP compromised — Emsisoft released a tool back in October 2019. But modern versions use a more reliable encryption algorithm that current technology cannot crack. So at least for now, no decryption utility exists for modern versions of STOP/Djvu.

We say “for now” because decryption tools appear in one of two cases: either the cybercriminals make an error in the encryption algorithm (or simply use a weak cipher), or the police locate and seize their servers. Sure, the creators might voluntarily publish the keys, but that’s a very long shot — and even if they do, infosec companies still have to create a handy utility that victims can use to restore their data.


How to know if a decryptor is fake.

Anonymous well-wishers are extremely unlikely to create a decryption utility and place it on some unknown site, or supply a direct link on a forum or social network. You can find genuine utilities on infosec companies’ websites or on specialized portals dedicated to combating ransomware, such as nomoreransom.org. Treat tools hosted elsewhere with suspicion. Cybercriminals rely on panic, knowing someone who has lost files to a cryptor will grasp at any straw. Even if you believe a tool is bona fide, though, it’s important to remain calm and objective and verify the site properly. If you have any suspicions at all about its legitimacy, don’t touch the tool.

Encrypting the encrypted: Zorab Trojan in STOP decryptor.


Cybercriminals are distributing ransomware disguised as a tool for decrypting files encrypted by the STOP Trojan.