Double-crossing ransomware decryptor scrambles your files again!

The sample we looked at claims to be a decryptor for the DJVU ransomware, which gets its name from the.
Exe file is unreconstructed ransomware: it goes through your files looking for matches against a long list of file extensions to encrypt, and scrambles them with a randomly-chosen encryption key.
You'll end up in a double-whammy situation, with any files that DJVU didn't yet attack scrambled once, and with any already-encrypted files now scrambled twice.
Exe scrambler didn't seem very well programmed - in our tests it failed to scramble some files for reasons that could easily be avoided, and in some directories it managed to scramble its own -DECRYPT-ZORAB.txt ransom note shortly after creating it.
Both the fake decryptor and the ransomware it contains are blocked by Sophos products as Troj/Ransom-FYU. Other names you may hear for this threat include Zorab and Zorba, an anagram of that.