Threat Watch

Fake Ransomware Decryptor

New ransomware is being seen that advertises itself as a decrypter for the STOP Djvu ransomware, one of the most popular ransomware threats used against home users, but it actually adds a second level of encryption. This new ransomware, called Zorab, shows a phony site providing a program that prompts ransomware victims to enter their information and click “Start Scan.” The program extracts another executable file called crab.exe and saves it to the %Temp% folder on the infected computer. This new executable then encrypts the already encrypted files adding even more trouble for the victim and yet another ransom payment. Zorab also creates a note that gives the user instructions on how to pay the attackers to get their data back. Currently, Zorab is being analyzed for possible flaws that would allow victims to recover files without paying the attackers.

ANALYST NOTES

As with any ransomware, the victim is recommended to never pay the ransom. If infected, the victim should delete the encrypted files and restore them from a backup. Backups are the primary defense against any ransomware. It is recommended to use the 3-2-1 method, maintaining three copies of the data on two separate storage devices with one of them being offsite. The other primary defense is not being infected in the first place, or quickly detecting and responding to intrusions soon after they start. Endpoint Detection and Response (EDR) tools, if monitored, can be the best, last line of defense to stop ransomware operators and other attackers before they have a chance to steal or encrypt files. There are some legitimate programs from reputable security companies that can be used to recover files encrypted by ransomware, but it is important to carefully research the company providing the software before attempting to use it. Remote Desktop Protocol (RDP) exposed to the Internet and malware distributed through phishing are the primary methods of ransomware distribution. If the email looks odd then it is generally not a good idea to follow any links or open attached files.

To read more: https://www.bleepingcomputer.com/news/security/fake-ransomware-decryptor-double-encrypts-desperate-victims-files/