A fake decryptor tool has reportedly been duping ransomware victims and leading them into deeper trouble. Once the victims install the tool to decrypt their files, it encrypts them even further. The tool poses as a decryptor for STOP Djvu, one of the most prevalent ransomware in the world. Known as Zorab, it was discovered by cyber security expert Michael Gillespie. Once a user starts to scan their files hoping to decrypt them, Zorab extracts an executable file, crab.exe, and saves it. When it executes, the malware encrypts the user’s data, appending the .ZRB extension to the files’ names. Zorab also creates ransom notes with instruction on what to do to recover the files, Bleeping Computer reports. Part of the note states, “The only method of recovering files is to purchase a decrypt tool and a unique key. This tool will decrypt all your encrypted files.” It then warns the users against attempting to use any other decryption method. The users can send two files for free decryption as a show of good faith. It also provides the email to which they should write and ask for further direction. According to the report, STOP Djvu is by far the most popular ransomware in the world. It infects more computers than DoppelPaymer, Maze, Netwalker and most major ransomware operators combined. On ID Ransomware, a tool developed by Gillespie that identifies ransomware, it gets over 600 related submissions per day. STOP Djvu has, however, not received much attention. This is mainly because unlike its peers who target large corporations, it targets the common users. It also refrains from targeting American users, instead focusing on Europe and Asia. Its ransom demand averages $500. As CoinGeek reported, ransomware attacks have continued despite the pandemic. Last month, Nefilim ransomware attacked Australian shipping giant Toll Group, leading to the shutdown of some of its essential services. It also attacked MAS Holdings, a Sri Lankan company that manufactures lingerie for singer Beyoncé and Victoria’s Secret.