Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Zorro Ransomware

Researchers have discovered a new ransomware dubbed Zorro ransomware. The ransomware also goes by the name of Aurora and has been distributed since this past summer. At the time of writing this article, it is uncertain how the ransomware is distributed, however there is reason to believe that it might be installed by compromising machines running Remote Desktop Services that are exposed to the internet. The attackers use the same bitcoin address for all of their victims and they have made 2.7 bitcoin ($12,000 USD) since the end of September. Once installed, Zorro will connect to a C&C server in order to receive data and an encryption key to encrypt the victim’s files. Following this, Zorro will connect to “” to figure out what country the victim lives in, based on the IP address. Next, Zorro scans the machine for files with one of the following extensions 1CD, doc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, eml, vsd, vsdx, txt, csv, rtf, 123, wks, wk1, pdf, dwg, onetoc2, snt, jpeg, jpg, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, vdi, vmdk, vmx, gpg, aes, ARC, PAQ, bz2, tbk, bak, tar, tgz, rar, zip, backup, iso, vcd, bmp, png, gif, raw, cgm, tif, tiff, nef, psd, svg, djvu, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3, class, jar, java, asp, php, jsp, brd, sch, dch, dip, vbs, ps1, bat, cmd, asm, pas, cpp, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, mdb, accdb, sql, sqlitedb, sqlite3, asc, lay6, lay, mml, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, and der. If the ransomware finds a file with one of these extensions, it will be encrypted with the .aurora extension. It will also generate ransom notes in the folder that it traverses. According to researchers, “These ransom notes are named !-GET_MY_FILES-!.txt#RECOVERY-PC#.txt, and @[email protected] and will contain instructions on how to pay the ransom. It will also contain an email address, which is currently [email protected]that victim can use to contact the attacker after making payment.” Lastly, Zorro creates a file called “ %UserProfile%wall.i,” which is a jpg file that is set as a desktop wallpaper containing instructions on how to open the ransom notes.

Analyst Notes

Users are advised to always practice good security and computing habits. With Zorro potentially being installed via RDP services, users should ensure that RDP is properly locked down and not exposed to the internet. Users should also make sure to back up their files in a separate location so an infection can’t spread to mapped network drives and encrypting backups as well.