{"id":14673,"date":"2020-06-08T01:47:22","date_gmt":"2020-06-07T23:47:22","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=14673"},"modified":"2020-06-09T09:46:27","modified_gmt":"2020-06-09T07:46:27","slug":"fake-ransomware-decryptor-verschlsselt-dateien-neu","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/06\/08\/fake-ransomware-decryptor-verschlsselt-dateien-neu\/","title":{"rendered":"Fake Ransomware Decryptor encrypts files again"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/06\/08\/fake-ransomware-decryptor-verschlsselt-dateien-neu\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] Cyber criminals are ostensibly offering a decryption tool for files encrypted by ransomware. Anyone who runs the STOP Djvu Ransomware-Decryptor tool ends up with their already encrypted files encrypted a second time.<\/p>\n<p>If you have been hit by ransomware and find encrypted files on your network drives or hard disks, you will probably be looking for a decryptor to recover them. Cyber criminals take advantage of exactly that. The most active ransomware family is called STOP Djvu; Bleeping Computer published <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/meet-stop-ransomware-the-most-active-ransomware-nobody-talks-about\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a> about it in November 2019.<\/p>\n<h2>Fake STOP Djvu ransomware decryptor<\/h2>\n<p>For this very ransomware, cyber criminals have now put a new piece of ransomware disguised as a decryptor on the net. 
Anyone who uses this program jumps from the frying pan into the fire. I came across the case via the following tweet from Michael Gillespie.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Hmm, someone released a decryptor for <a href=\"https:\/\/twitter.com\/hashtag\/STOP?src=hash&amp;ref_src=twsrc%5Etfw\">#STOP<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Djvu?src=hash&amp;ref_src=twsrc%5Etfw\">#Djvu<\/a>?<br \/>\nOh wait&#8230; it's more fucking <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\">#ransomware<\/a>. Don't trust anything you find online saying it can decrypt Djvu unless it is from ME. This is just one example of the shady shit victims are falling for when they don't believe me. <a href=\"https:\/\/t.co\/eWjtB8UpJe\">pic.twitter.com\/eWjtB8UpJe<\/a><\/p>\n<p>\u2014 Michael Gillespie (@demonslay335) <a href=\"https:\/\/twitter.com\/demonslay335\/status\/1268908281151586304?ref_src=twsrc%5Etfw\">June 5, 2020<\/a><\/p><\/blockquote>\n<p>The fake STOP Djvu decryptor is itself ransomware: it encrypts the already encrypted files a second time. 
After that there is practically no chance of ever getting the original files back.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Fake ransomware decryptor double-encrypts desperate victims' files &#8211; <a href=\"https:\/\/twitter.com\/LawrenceAbrams?ref_src=twsrc%5Etfw\">@LawrenceAbrams<\/a><a href=\"https:\/\/t.co\/Kz8Tyg8bIf\">https:\/\/t.co\/Kz8Tyg8bIf<\/a><\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1269359738397118465?ref_src=twsrc%5Etfw\">June 6, 2020<\/a><\/p><\/blockquote>\n<p>The colleagues at Bleeping Computer have picked this up in the tweet above and provide further details in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-ransomware-decryptor-double-encrypts-desperate-victims-files\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>. The conclusion from all this: do not pay the extortionists a ransom &#8211; there is no guarantee that a working decryptor will follow, nor that confidential data will not be leaked later. And a decryption program should only be obtained from trustworthy security researchers.<\/p>\n<h2>A legitimate decryptor from Emsisoft<\/h2>\n<p><strong>Addendum<\/strong>: Emsisoft has informed me that STOP is the most prevalent ransomware by far and accounts for approximately one half of all ransomware incidents. Emsisoft released a decryptor for STOP in October 2019 which has since been downloaded more than 900,000 times.<br \/>\nBecause the decryptor is so frequently sought out, criminals created a fake STOP decryptor which, rather than decrypting files encrypted by STOP, actually encrypts them for a second time. 
That ransomware is known as Zorab (<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-ransomware-decryptor-double-encrypts-desperate-victims-files\/\" target=\"_blank\" rel=\"noopener noreferrer\">details here<\/a>). Emsisoft has therefore created a decryptor for Zorab, which is <a href=\"https:\/\/www.emsisoft.com\/ransomware-decryption-tools\/zorab\" target=\"_blank\" rel=\"noopener noreferrer\">available here<\/a>.<\/p>\n<p>To get the encrypted data back, victims first need to run the Zorab decryptor and then the STOP decryptor. To complicate matters further, the STOP decryptor only works for files encrypted by older variants, so in some cases people may still need to pay for a key to fully recover their data. Thanks to Emsisoft for the hint.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Cyber criminals ostensibly offer a decryption tool for files encrypted by ransomware. If you use the STOP Djvu Ransomware-Decryptor tool, the encrypted files are encrypted a second 
time.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[243,69],"class_list":["post-14673","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-ransomware","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=14673"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14673\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=14673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=14673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=14673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}