Twice entangled: Fake ransomware decryptor encrypts victims’ files again; Honda victim of ransomware

News by Rene Millman

Bogus Stop Djvu decryptor lures people with the promise of getting their encrypted data back, then delivers another ransomware. Honda falls victim to ransomware; WORM tech approach suggested.

Security researchers have warned over a fake ransomware decryptor that instead of recovering files for ransomware victims, the malware further encrypts the locked-up data.

The ransomware, called Zorab, was discovered by MalwareHunterTeam. When a victim enters the details in the fake decryptor and clicks on “Start Scan”, the malware extracts an executable called crab.exe and saves it to the %Temp% folder. This then infects the system with the Zorab ransomware.

This malware then creates a ransom note called ‘--DECRYPT--ZORAB.txt.ZRB’ in each folder where a file is encrypted. According to a report by Bleeping Computer, the note details how to make contact with the ransomware operators for payment instructions.

At present, analysts are still examining the ransomware for any flaws that would allow decryption.

Paul Bischoff, Privacy Advocate at, told SC Media UK that most of the victims of the fake decryptor are individual users and not enterprises, so there's relatively little news about it despite it being so common.

“Unlike businesses, individual users are less likely to pay hundreds of dollars for a legitimate decryptor, so they attempt to pirate a cracked version. A "crack" is a copy of software that has been modified to remove copy protection that would otherwise ensure the user has paid for it. The cracked version lures ransomware victims in and contains the fake decryptor ransomware, which further encrypts files a second time. Victims are now left with the choice to lose their files, pay two ransoms to cybercriminals, or pay hundreds of dollars for legitimate decryptor software,” he said.

News of the Zorab ransomware comes as car company Honda earlier this week became the victim of the Ekans ransomware. Ekans has targeted industrial control systems and demanded payment. Honda said the matter was under investigation.

"This is currently under investigation, to understand the cause. At this point, there is no effect on either Japanese production or dealer activities, and no customer impact. In Europe, we are investigating to understand the nature of any impact. We can confirm some impact in Europe and are currently investigating the exact nature," said a Honda spokesman.

Neil Stobart, VP Engineering at Cloudian, told SC Media UK that conventional approaches to ransomware threats tend to be minimally effective.

“Employee training can never completely remove the potential for human error, while software designed to stop malware rapidly becomes obsolete as threats and their identifying signatures evolve. Organisations often encrypt data as a safeguard against ransomware. However, while encryption can be useful where cybercriminals just want to access and share the data itself, in the case of ransomware, they can simply re-encrypt the data to prevent access by its rightful owner,” he said.

Stobart suggested that using WORM (write once, read many) storage technology would allow organisations to make immutable “locked” copies of their data, providing a viable means of ransomware prevention.
