Encrypting the encrypted: Zorab Trojan in STOP decryptor

Cybercriminals are distributing ransomware disguised as a tool for decrypting files encrypted by the STOP Trojan.

What do people do if they discover that ransomware has encrypted their files?  First panic, probably, then worry, then look for ways to recover data without paying any ransom to the attackers (which would be pointless, anyway). In other words, they go online to Google a solution or ask for advice on social networks. That is exactly what the creators of the Zorab Trojan want, having embedded the malware into a tool that purports to help STOP/Djvu victims.

Fake STOP decryptor as bait

In fact, the cybercriminals have decided to exacerbate the problems already facing the victims of the STOP/Djvu ransomware, which encrypts data and, depending on the version, assigns an extension — options include .djvu, .djvus, .djvuu, .tfunde, and .uudjvu — to the modified files. Zorab’s creators released a utility that supposedly decrypts these files, but it actually encrypts them all over again.

You can indeed decrypt files that earlier versions of STOP compromised — Emsisoft released a tool back in October 2019. But modern versions use a more reliable encryption algorithm that current technology cannot crack. So at least for now, no decryption utility exists for modern versions of STOP/Djvu.

We say “for now” because decryption tools appear in one of two cases: either the cybercriminals make an error in the encryption algorithm (or simply use a weak cipher), or the police locate and seize their servers. Sure, the creators might voluntarily publish the keys, but that’s a very long shot — and even if they do, infosec companies still have to create a handy utility that victims can use to restore their data. That happened with the keys for files hit by Shade ransomware, and we published a decryption program in April this year.

How to know if a decryptor is fake

Anonymous well-wishers are extremely unlikely to create a decryption utility and place it on some unknown site, or supply a direct link on a forum or social network. You can find genuine utilities on infosec companies’ websites or on specialized portals dedicated to combating ransomware, such as nomoreransom.org. Treat tools hosted elsewhere with suspicion.

Cybercriminals rely on panic, knowing someone who has lost files to a cryptor will grasp at any straw. Even if you believe a tool is bona fide, though, it’s important to remain calm and objective and verify the site properly. If you have any suspicions at all about its legitimacy, don’t touch the tool.

How to guard against Zorab and other ransomware

  • Do not follow suspicious links or run executable files if you do not trust their source. If you are looking for a decryptor, the most reliable sources — the places you should start searching — will be noransom.kaspersky.com, nomoreransom.org (a joint project run by several companies), and the sites of other security solution vendors. If you find a utility elsewhere, then we strongly advise checking the legitimacy of its authors and the site where it was published before you even think about using it.
  • Make backup copies of important files.
  • Use a reliable security solutions that detects known ransomware and, when encountering something unknown, identifies and blocks attempts to modify files.

For companies that fear ransomware but rely on other protection, we offer the standalone Kaspersky Anti-Ransomware Tool. Compatible with most security solutions, it detects the threats that can break through their lines of defense.