Researchers have discovered a new ransomware family dubbed Zorro. The ransomware also goes by the name Aurora and has been distributed since this past summer. At the time of writing, it is uncertain how the ransomware is distributed; however, there is reason to believe it is installed by compromising machines running Remote Desktop Services that are exposed to the internet. The attackers use the same bitcoin address for all of their victims and have collected 2.7 bitcoin ($12,000 USD) since the end of September.

Once installed, Zorro connects to a C&C server to receive data and the encryption key used to encrypt the victim’s files. It then connects to “http://www.geoplugin.net/php.gp” to determine, from the IP address, which country the victim is in. Next, Zorro scans the machine for files with one of the following extensions: 1CD, doc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, eml, vsd, vsdx, txt, csv, rtf, 123, wks, wk1, pdf, dwg, onetoc2, snt, jpeg, jpg, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, vdi, vmdk, vmx, gpg, aes, ARC, PAQ, bz2, tbk, bak, tar, tgz, rar, zip, backup, iso, vcd, bmp, png, gif, raw, cgm, tif, tiff, nef, psd, svg, djvu, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3, class, jar, java, asp, php, jsp, brd, sch, dch, dip, vbs, ps1, bat, cmd, asm, pas, cpp, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, mdb, accdb, sql, sqlitedb, sqlite3, asc, lay6, lay, mml, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, and der. If the ransomware finds a file with one of these extensions, the file is encrypted and given the .aurora extension. Zorro also drops ransom notes in each folder it traverses.
According to researchers, “These ransom notes are named !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt and will contain instructions on how to pay the ransom. It will also contain an email address, which is currently firstname.lastname@example.org, that victims can use to contact the attacker after making payment.” Lastly, Zorro creates a file called “%UserProfile%wall.i,” which is a jpg file that is set as the desktop wallpaper and contains instructions on how to open the ransom notes.
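The file-system traces described above (the three ransom note names, the .aurora extension appended to encrypted files, and the wall.i wallpaper file) are enough for a quick host triage. The script below is an added example, not code from the article or from any named vendor; it walks a directory tree, collects those indicators, and recovers the pre-encryption file name by stripping the appended extension. The sample tree it builds is constructed in a temporary directory and is not a real infection.

```python
import os
import tempfile
from pathlib import Path

# Indicators as reported in the article
RANSOM_NOTES = {"!-GET_MY_FILES-!.txt", "#RECOVERY-PC#.txt", "@_RESTORE-FILES_@.txt"}
ENCRYPTED_EXT = ".aurora"
WALLPAPER_NAME = "wall.i"  # dropped in %UserProfile%, i.e. at the root of a profile


def original_name(path):
    """Return the file name Zorro would have seen before it appended .aurora."""
    name = Path(path).name
    return name[: -len(ENCRYPTED_EXT)] if name.lower().endswith(ENCRYPTED_EXT) else name


def triage_tree(root):
    """Walk root and collect Zorro/Aurora indicators into one dict."""
    findings = {"ransom_notes": [], "encrypted_files": [], "wallpaper": [],
                "folders_with_notes": set()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name in RANSOM_NOTES:
                findings["ransom_notes"].append(p)
                findings["folders_with_notes"].add(Path(dirpath))
            elif name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(p)
            elif name == WALLPAPER_NAME:
                findings["wallpaper"].append(p)
    return findings


def summarize(findings):
    """Counts only, suitable for a ticket or a SIEM event."""
    return {key: len(value) for key, value in findings.items()}


def build_sample_tree():
    """Constructed profile: one encrypted folder with notes, one untouched folder."""
    base = Path(tempfile.mkdtemp(prefix="aurora_triage_"))
    docs = base / "Documents"
    docs.mkdir()
    (docs / "report.docx.aurora").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.aurora").write_bytes(b"\x00" * 16)
    for note in RANSOM_NOTES:
        (docs / note).write_text("constructed note text, not the real one")
    (base / WALLPAPER_NAME).write_bytes(b"\xff\xd8")   # stands in for the jpg wallpaper
    clean = base / "Pictures"
    clean.mkdir()
    (clean / "photo.jpg").write_bytes(b"\xff\xd8")     # untouched file, must not match
    return base


if __name__ == "__main__":
    hits = triage_tree(build_sample_tree())
    print(summarize(hits))
    print(sorted(original_name(p) for p in hits["encrypted_files"]))
```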
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in