Cyber criminals ostensibly offer a decryption tool for files encrypted by ransomware. Anyone who uses the "STOP Djvu Ransomware Decryptor" tool ends up with the already encrypted files encrypted a second time.
If you are affected by ransomware and find encrypted files on your network drives or hard disks, you may be looking for a decryptor to recover the files. Cyber criminals take advantage of this. The most active ransomware is called STOP Djvu; Bleeping Computer published this article about it in November 2019.
Fake STOP Djvu ransomware decryptor
And for this ransomware, cyber criminals have put a new ransomware disguised as a decryptor on the net. Whoever uses this program jumps out of the frying pan into the fire. I came across the facts of the case via the following tweet from Michael Gillespie.
Hmm, someone released a decryptor for #STOP #Djvu?
Oh wait… it’s more fucking #ransomware. Don’t trust anything you find online saying it can decrypt Djvu unless it is from ME. This is just one example of the shady shit victims are falling for when they don’t believe me. pic.twitter.com/eWjtB8UpJe
— Michael Gillespie (@demonslay335) June 5, 2020
The STOP Djvu decryptor is ransomware that encrypts the already encrypted files once again. Then there is actually no chance of ever getting the original files back.
— BleepingComputer (@BleepinComputer) June 6, 2020
The colleagues from Bleeping Computer picked this up in the above tweet and have included some more details in this article. The conclusion from the whole affair: Don’t pay a ransom to the blackmailers. There is no guarantee that a working decryptor will be delivered, and no guarantee that confidential data will not be leaked later anyway. And a decryption program should only be obtained from trustworthy security researchers.
A legit decryptor from Emsisoft
Addendum: Emsisoft has informed me that STOP is by far the most prevalent ransomware and accounts for approximately half of all ransomware incidents. Emsisoft released a decryptor for STOP in October 2019, which has since been downloaded more than 900,000 times.
Because the decryptor is so frequently sought out, criminals created a fake STOP decryptor which, rather than decrypting files encrypted by STOP, actually encrypts them a second time. That ransomware is known as Zorab (details here). Emsisoft has now created a decryptor for Zorab, which is available here.
To get the encrypted data back, victims first need to run the Zorab decryptor and then run the STOP decryptor. To complicate matters further, the STOP decryptor only works for files encrypted by older variants, so in some cases people may still need to pay for a key to fully recover their data. Thanks to Emsisoft for that hint.