Fake Ransomware Decryptor encrypts files again

[German]Cyber criminals ostensibly offer a decryption tool for files encrypted by ransomware. If you use the STOP Divu Ransomware-Decryptor tool, the encrypted files are encrypted a second time.


If you are affected by ransomware and find encrypted files on your network drives or hard drives, you may be looking for decryptors to decrypt the files again. Cyber criminals take advantage of this. The most active ransomware is called STOP Divu – Bleeping Computer published this article in November 2019.

Fake STOP Divu ransomware decryptor

And for this ransomware cyber criminals have put a new ransomware disguised as a decryptor on the net. Whoever uses this program is practically out of the frying pan into the fire. I came across the facts of the case via the following tweet from Michael Gillespie.

The Decryptor STOP Divu is a ransomware that encrypts the already encrypted files once again. Then there is actually no chance to ever get back to the original files.


The colleagues from Bleeping Computer have taken it up in the above tweet and have included some more details in this article. Conclusion from the whole thing: Don’t pay a ransom to the blackmailers – it’s not sure if a working decryptor will come and if not confidential data will be leaked later. And a decryption program should only be obtained from trustworthy security researchers.

A legit decriptor from Emisoft

Addendum: Emisoft has informed me, that STOP is the most prevalent ransomware by far and accounts for approximately one half of all ransomware incidents. Emisoft released a decryptor for STOP in October 2019 which has since been downloaded more than 900,000 times.
Because the decryptor is so frequently sought out, criminals created a fake STOP decryptor which, rather than decrypting files encrypted by STOP, actually encrypts them for a second time. That ransomware is known as Zorab (Details here). So Emisoft now created a decryptor for Zorab which is available here.

To get the encrypted data back, victims will need to first run the Zorab decryptor and then run the STOP decryptor. To complicate matters further, the STOP decryptor only works for files encrypted by older variants so, in some cases, people may still need to pay for a key to fully recover their data. Thx to Emisoft for that hint.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *