Imagine a situation where criminals steal access to your property. They offer you a seemingly valid solution in the way of a tool that will give you your access back. But you use that solution and yet you still do not have access? Welcome to the nightmarish world of STOP/DJVU — a ransomware that offers you a fake decrypting solution that is simply a furtherance of their cyberattack. 

This article will detail the Fake STOP/DJVU decryptor malware and will explore what it is, how it works and how it can be prevented from infecting your system.

What is STOP/DJVU?

STOP/DJVU, sometimes known as Zorab, is a malware that is generally ignored by the malware research community. This seems ludicrous at first, as STOP/DJVU impacts more users than the other top malwares combined and has been the most widely distributed ransomware over the last year. In fact, STOP/DJVU accounts for 60-70% of all ransomware submissions per day coming from “the wild”.

Operators of STOP/DJVU target desperate home users that cannot afford the $500+ ransom payment to decrypt their encrypted files. Therein lies the pleasure point for attackers and pain point for impacted users — the attackers know home users probably do not have enough disposable income to purchase a legitimate decryptor tool, and the user thinks they have found a good deal online. (Sadly, they have not.)

The idea behind the STOP/DJVU fake decryptor is for users to become infected by the ransomware and then seek a decryptor tool online. It should be noted that the STOP/DJVU fake decryptor is advertised as being able to decrypt STOP/DJVU for free. If the user is actually duped into downloading and installing the STOP/DJVU decryptor malware, their files will be “double encrypted” or encrypted a second time. Restoring those files will be nearly impossible at that point.

How does STOP/DJVU work?

The name of the game for STOP/DJVU is abusing the trust of a desperate user. Attackers know that many home users probably cannot afford to pay for decryption, so they prey upon their higher likelihood of attempting to decrypt the data with their seemingly helpful and free decryptor tool offered by the operators of STOP. 

STOP/DJVU first establishes a foothold onto a system through adware bundles posing as software cracks. It is never a good idea to download and install software cracks found on random websites, yet many do because they are convenient and free to download. After the initial ransomware has encrypted the user’s files, they will find that the decryptor tools, such as those by Emisoft, do not work with the later versions of STOP/DJVU. What is left is the free “decryptor” offered by STOP/DJVU operators, which will only make things worse.

Once the decryptor tool is downloaded, the user enters their information into the tool to use it and clicks “Start Scan.” This creates a file called crab.exe, which is saved to the system’s %Temp% folder. Crab.exe then begins to encrypt data on the compromised system and appends these files with a .ZRB extension. A ransom note is then added to every folder that contains an encrypted file.

How to prevent STOP/DJVU

STOP/DJVU is an example of a ransomware that affects those that have less than strong cybersecurity awareness. The infection begins when the user downloads a software-cracking adware bundle from the internet. This demonstrates weak cybersecurity practices because you have no idea what exactly you are downloading from shady websites, even if your antivirus solution scans the file.

The second ransomware infection comes when the user downloads the fake decryptor malware and “scans” their system with it. Avoiding downloading executables such as software crackers online would have prevented this infection and unfortunately may serve as an expensive learning experience. For those who are home users and are looking for tips to beef up their cybersecurity awareness, Infosec Resources has an article you may find valuable available here.

Lastly, it is not a good idea to cooperate with ransomware operators and accept a tool they offer for decryption. Nearly every ransomware out there offers some sort of remedial tool, such as a decryptor (generally for a fee). Those users have no guarantee that they will get access to their files back, and it should be no surprise that the “decryptor” offered is actually more ransomware.


STOP/DJVU is a ransomware that targets home users and is responsible for more ransomware infections than all of the other commonly seen ransomware combined. What sets it apart is that STOP/DJVU lures users into downloading a fake decryptor file that double-encrypts the user’s files instead of decrypting them. The good thing is that prevention of this ransomware comes down to a moderate amount of cybersecurity awareness.



Encrypting the encrypted: Zorab Trojan in STOP decryptor, Kaspersky Daily

Fake ransomware decryptor double-encrypts desperate victims’ files, Bleeping Computer

Zorab Ransomware Doubles the Pain of ‘STOP Djvu’ Ransomware Victims, Cyware Social