Watch out for fake ransomware decryption tools

As free ransomware decryption tools began to enter the market, a wave of counterfeit software claiming to decrypt files affected by such viruses began to spread.

According to a report released by Bleeping Computer on June 5, the creators behind the Zorab ransomware released a fake STOP Djvu decryptor. However, instead of recovering the victim’s data, it seems that this software encrypts its files additionally with a second ransomware.

When the victim runs one of these fake tools, the software extracts an executable file called crab.exe, which is the Zorab ransomware itself. Once executed, it encrypts all accessible files and appends the .ZRB extension to them.
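The practical consequence of the behaviour described above is that a victim who ran the fake decryptor ends up with files carrying two layers of encryption, and incident responders need to know which files are in that state before attempting any recovery. The following triage helper is an added example, not code from the article or from Emsisoft; it assumes only what the text states (Zorab appends the .ZRB extension to the files it encrypts). The sample directory tree and the ".stopx" placeholder extension are constructed for the demonstration and are not real STOP Djvu extensions from the page.

```python
"""Triage helper for files touched by the Zorab ransomware described above.

Added example, not code from the article or from Emsisoft. It assumes only
that Zorab appends the .ZRB extension to every file it encrypts. The sample
tree and the ".stopx" placeholder extension are constructed for demonstration.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ZORAB_EXT = ".ZRB"  # extension stated in the article


def inventory_zrb(root):
    """Walk `root` and return (zrb_files, inner_ext_counts).

    zrb_files: list of (encrypted_path, name_without_ZRB) for every file whose
    name ends in .ZRB.
    inner_ext_counts: Counter of the extension that sits directly under .ZRB.
    An extension from another ransomware family beneath .ZRB means the file was
    already encrypted before Zorab ran, i.e. it is double encrypted.
    """
    found = []
    inner = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ZORAB_EXT):
                continue
            stripped = name[: -len(ZORAB_EXT)]
            found.append((os.path.join(dirpath, name), stripped))
            inner[Path(stripped).suffix.lower() or "<none>"] += 1
    return found, inner


def double_encrypted(root, prior_exts):
    """Return the .ZRB files whose inner extension belongs to `prior_exts`.

    `prior_exts` is the set of extensions the first ransomware (STOP in the
    article's case) is known to have used on this victim; the responder
    supplies it from the original ransom note or file listing.
    """
    found, _ = inventory_zrb(root)
    return [p for p, stripped in found if Path(stripped).suffix.lower() in prior_exts]


def build_sample_tree():
    """Constructed sample: a victim tree with plain, STOP-style and double-encrypted files.

    ".stopx" is a placeholder standing in for whichever STOP Djvu extension the
    victim had; it is not a real extension taken from the article.
    """
    root = tempfile.mkdtemp(prefix="zorab_demo_")
    names = [
        "invoice.pdf",               # untouched
        "photo.jpg.stopx",           # encrypted by STOP only
        "thesis.docx.stopx.ZRB",     # STOP, then Zorab: double encrypted
        "notes.txt.ZRB",             # Zorab only
        "sub/report.xlsx.stopx.ZRB", # double encrypted, in a subdirectory
    ]
    for n in names:
        p = Path(root, n)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    files, counts = inventory_zrb(demo_root)
    print(f"{len(files)} file(s) carry the {ZORAB_EXT} extension under {demo_root}")
    print("extension beneath .ZRB:", dict(counts))
    for path in double_encrypted(demo_root, {".stopx"}):
        print("double encrypted:", path)
```

The inner-extension count is the useful signal: files whose name under .ZRB still ends in the first family's extension must have the Zorab layer removed first and the STOP layer second, so a responder should keep the two groups separate before running any decryptor.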

Double encrypted files

In an interview with Cointelegraph, Brett Callow, a threat analyst at the Emsisoft malware lab, said that STOP was the most common ransomware so far. He states that it accounts for approximately half of all incidents:

“Unfortunately, criminals often create fake versions of popular software to distribute malware, and now they have created a fake version of our decryptor to do just that. Launching the fake tool will not recover the data that was encrypted by STOP, it will actually encrypt it a second time.”

Callow refers to one of several free tools recently launched by Emsisoft. These tools allow people to decrypt files affected by specific ransomware.

The Emsisoft threat analyst issued the following warning to the public:

“This illustrates why people need to be extra careful when downloading software and applications and make sure it comes from a reputable and reliable source. Similarly, legs, activators and ‘keygens’ should be avoided, as they are also often used to distribute extraction software and other malware.”

The latest free decryption tools have been released

On June 3, the Spanish telecommunications conglomerate Telefónica launched a free tool to recover data encrypted by the sophisticated VCryptor ransomware.

Emsisoft also released a free decryption tool on June 4, which allows victims to recover files encrypted by the Tycoon ransomware without having to pay a ransom.