Watch out for the counterfeit Nypd file virus decryptor

Experts warn the online community about a novel Zorab ransomware that is promoted as a free STOP/Djvu ransomware decryption tool

Fake Djvu .nypd file virus decryptor. People should not fall for downloading a fake Decryptor DJVU, as it spreads Zorab ransomware.

STOP/Djvu has been one of the most prolific file-encrypting viruses of the past few years, and it seems that no one can stop it from expanding worldwide. Although Emsisoft[1], together with a group of other cybersecurity experts, developed a decryption tool back in 2019, it turned out to work only on variants released before August 2019.

Until now, Djvu victims were helpless to retrieve their files unless they had backup copies or paid the criminals the demanded ransom. But in early June 2020, unidentified parties started distributing a supposedly free Djvu decryption tool that claims to unlock the latest variants, which use unique online IDs.

Sadly, this Djvu decryption software is counterfeit. Criminals appear to be luring victims into downloading the tool to decrypt Nypd ransomware, the latest Djvu variant. Victims of the Zwer, Nlah, Zipe, Kkll, Pezi and other variants can also be tempted to download the so-called free “Decrypter DJVU.”[2]

The software is still under investigation, but it has already been established that running it drops a malicious executable, crab.exe, which launches the encryption engine of the newly released Zorab ransomware. Thus, the .nypd files are encrypted a second time instead of being unlocked.

Instead of recovering files, the free Nypd decryptor re-encrypts already encrypted files with a new extension

The rogue Djvu decryptor that is supposed to unlock the latest Nypd ransomware is being actively analyzed by cybersecurity experts. Once downloaded, the software looks like a legitimate decryption tool with a user-friendly interface and an easy-to-use environment. In fact, it shows up as a simple pop-up box that asks the victim to enter their personal ID and to indicate the extension appended to the locked files (e.g. .nypd, .zipe, or .kkll).

Unfortunately, if the victim submits the required details believing that the tool will help them avoid paying the ransom, the situation only gets worse: all Djvu-encrypted files are re-encrypted by a new ransomware strain dubbed Zorab. This new file-encrypting virus, started by the crab.exe file, runs an encryption routine capable of attacking the Djvu-encrypted files on the infected machine.

Consequently, instead of .nypd virus files or similar alterations, all personal documents, pictures, photos, etc. receive a new .ZRB file extension, together with a ransom note called '–DECRYPT–ZORAB.txt.ZRB', which says:

+ – = ZORAB = – + –
Attention! Attention! Attention!
Your documents, photos, databases and other important files are encrypted and have the extension: .ZRB
Don't worry, you can return all your files!
The only method of recovering files is to purchase decrypt tool and unique key for you.

Experts claim that the Zorab ransomware virus is related to the Jigsaw family of viruses, though proof has not yet been provided. What is certain is that it is not a new Djvu version.

Without any doubt, the Zorab ransomware is run by sophisticated attackers who are skilled in social engineering techniques. Counterfeiting a free Djvu decryptor is a trick that can be expected to mislead thousands of users. Ransomware victims tend to panic, forget other online risks, and do anything that promises to decrypt their .nypd files.

Those who have fallen victim to this rogue Zorab virus should not pay the ransom. According to experts, the virus may have flaws that would allow a free decryptor to be developed, although that is not very likely.

Rely on official STOP Djvu decryptors from trusted sources like Emsisoft

Djvu has been a headache for the online community since 2017. At the time of writing, the family contains 230 known versions, which have attacked over 120,000 home users[3]. However, this number covers only confirmed victims who uploaded samples to dedicated ransomware identification sites, so the real figure is expected to be at least three times higher than the official stats show.

STOPdecryptor is a tool released in 2019 by Emsisoft's team that was initially seen as the end of Djvu's prevalence. Nevertheless, in August of the same year, criminals launched an upgraded Djvu version, which turned out to be undecryptable by STOPdecryptor, as the latter can only crack versions based on offline IDs. Therefore, all new versions of this virus starting from September cannot be unlocked, as they use unique online IDs.

People who have been attacked by Djvu ransomware should check their IDs. Those who have the ID number 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0 can download Emsisoft's decryptor and successfully retrieve their data. Make sure to remove the virus first, though.
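As an added example (not from the article or from any vendor's tool), a small Python triage script that separates files touched only by Djvu from files re-encrypted by Zorab through the fake decryptor, spots the Zorab ransom note, and checks a personal ID against the offline ID quoted above. The extensions, note name and ID come from the article; the directory tree and file names are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
# Djvu extensions named in the article, plus Zorab's .ZRB; all matched case-insensitively
DJVU_EXTS = {".nypd", ".zwer", ".nlah", ".zipe", ".kkll", ".pezi"}
ZORAB_EXT = ".zrb"
# Ransom-note name from the article; the dash characters vary, so match loosely
ZORAB_NOTE = re.compile(r".*decrypt.*zorab\.txt\.zrb$")
# The one offline Djvu ID the article lists as recoverable with Emsisoft's decryptor
OFFLINE_ID = "6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0"

def classify(path) -> str:
    # Label one file by its extension chain, e.g. report.docx.nypd.ZRB
    path = Path(path)
    name = path.name.lower()
    if ZORAB_NOTE.match(name):
        return "zorab_note"
    sfx = [s.lower() for s in path.suffixes]
    if len(sfx) >= 2 and sfx[-1] == ZORAB_EXT and sfx[-2] in DJVU_EXTS:
        return "double_encrypted"  # Djvu file re-encrypted by the fake decryptor
    if sfx and sfx[-1] == ZORAB_EXT:
        return "zorab"
    if sfx and sfx[-1] in DJVU_EXTS:
        return "djvu"  # still a candidate for a genuine decryptor
    return "clean"

def triage(root) -> dict:
    # Count files per category below root
    counts = {"clean": 0, "djvu": 0, "zorab": 0, "double_encrypted": 0, "zorab_note": 0}
    for p in Path(root).rglob("*"):
        if p.is_file():
            counts[classify(p)] += 1
    return counts

def offline_id_decryptable(personal_id: str) -> bool:
    # True only for the offline ID the article quotes; online IDs are not decryptable
    return personal_id.strip() == OFFLINE_ID

def build_sample(root: Path) -> None:
    # Constructed sample tree with hypothetical file names, not real victim data
    for rel in ["Documents/report.docx.nypd",          # Djvu-encrypted only
                "Documents/budget.xlsx.nypd.ZRB",      # re-encrypted by Zorab
                "Pictures/holiday.jpg.zipe.ZRB",
                "Pictures/cat.png",                    # untouched
                "Pictures/--DECRYPT--ZORAB.txt.ZRB"]:  # Zorab ransom note
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("sample")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return triage(tmp)
```

Files counted as double_encrypted are the ones the fake tool ruined; only the plain djvu ones are worth keeping for a future genuine decryptor.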

The Djvu virus and its versions such as Nypd ransomware are known for demanding a fixed ransom, i.e. $490 or $980. The size of the ransom is time-based: the sooner the victim responds, the smaller the amount they are asked to pay. In any case, paying criminals is not advisable. Cybersecurity experts are working on a fully functional Djvu decryptor, so it is best to back up the locked files and let the experts know that you are awaiting a free data recovery utility.

About the author: Julie Splinters - Spyware and malware removal expert
