Free Anti-Ransomware Tool is Actually a Scam

John Lister's picture

A security company has warned that a free tool claiming to remove ransomware is in fact ransomware itself. Sophos has also reported that businesses that pay ransoms end up with double the financial costs of those who don't.

The company's Paul Ducklin examined a tool called "Decrypter DJVU". It's promoted as a way to undo the damage of a strain of ransomware that encrypts files, adds the extension ".djvu" to the name, and demands a payment to decrypt and restore access. (Source:

The tool asks users to type in a personal ID and a file extension, though it appears it doesn't take any notice of what they input. Instead it pretends to start a file scan but actually just downloads a piece of malware and encrypts file, adding a new file extension called .ZRB.

Double Encryption Disaster

The user then gets a message informing them that they need to buy a decryption tool, then asks for an email address in order to get the paid tool. There's even a cheeky offer to decrypt two files free of charge.

By this point the user is in a real bind as many of their files will have gone through two different encryption processes. That makes it extremely difficult to decrypt them, even using legitimate tools and techniques.

Meanwhile, Sophos has also released a report on ransomware across the world in which it surveyed 5,000 IT staff from businesses across 26 countries. It asked about their experiences with ransomware attacks and the resulting costs. (Source:

Paying Up Not Cost Effective

It found that on average, if a company chose to pay the ransom it would spend a total of $1.4 million, including the payment to the scammers and the staff time and costs in using the supplied decryption key (if the scammers kept their promise) to unlock and verify files.

However, those who refused to pay spent an average of $750,000 dealing with the problem. That average covers a range of responses including paying computer experts to decrypt (or attempt to decrypt) files, restoring backups, and simply taking the hit and rebuilding files and data manually.

With both household and business victims of malware then, it seems the real key is to avoid being infected in the first place, as well as keeping offline backups. If ransomware does strike, there's no guarantee that paying the ransom or finding an alternative method to decrypt the files won't make things worse.

What's Your Opinion?

What would you do if you were hit by ransomware? Would you have the backups to recover from an attack? Would you trust free tools that claimed to help?

Rate this article: 
Average: 5 (6 votes)


ronangel1's picture

I would not pay a penny! I use Acronis True Image which I have done for years. Backups to three offline drives kept in fire safe for all computers. The program protects files on computer as well preventing any change to them without as with mac authorising each file that would not normally change but is transparent in everyday use. Can also add authorisation to any file manually. You would notice something wrong straight away in an attack giving time to switch off or take action. There is one annoying but good thing about program you cannot delete backup image files outside of program or even when program on computer but not running. You have to connect external backup drive to computer without acronis on it to delete file. Or reboot computer in safe mode to delete file. If your computer tried to restart in safe mode time to seek expert advice after switching off! Could not affect external USB drives which have a bootable restore version placed on them if required so you can restore image file directly to computer overwriting everything with last good backup.
I have no connection with this company apart from satisfied user!