Encryption

A ransomware that has been distributed since the summer of 2018 has started to pick up steam in the latest variant. This new variant is currently being called Zorro Ransomware, but has also been called Aurora Ransomware in the past.

It is not currently known how this ransomware is distributed, but there are indications it may be installed by hacking into computers running Remote Desktop Services and that are exposed to the Internet. The attackers will brute force the password for RDP accounts in order to gain access to the computer and install the ransomware.

The good news is that Michael Gillespie and Francesco Muroni have discovered a way to decrypt this ransomware for free. If you are infected with this ransomware, please post a comment in this article or in the Aurora Help & Support topic for help.

Over $12,000 in payments made

As this ransomware utilizes the same bitcoin address for all of its victims, it makes it easy to track how many payments have been made.

The current Zorro Ransomware variant is using the bitcoin address 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac, which currently has 105 transactions since the end of September.

Bitcoin transactions since September 2018
Bitcoin transactions since September 2018

In total, this address has received 2.7 bitcoins, which equals over $12,000 at current bitcoin prices.

How the Aurora / Zorro Ransomware encrypts a computer

When installed, the ransomware will connect to a Command and Control server to receive data and to receive an encryption key to be used to encrypt the victim's files.

It will then connect to http://www.geoplugin.net/php.gp to determine what country the victim is residing in based on their IP address. Based on the string "Russia" found in the executable, it may not encrypt victims who are located in that country.

The ransomware will now proceed to scan a computer for targeted file types, and if a matching file is detected, will encrypt it. The currently targeted file extensions are:

1CD, doc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, eml, vsd, vsdx, txt, csv, rtf, 123, wks, wk1, pdf, dwg, onetoc2, snt, jpeg, jpg, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, vdi, vmdk, vmx, gpg, aes, ARC, PAQ, bz2, tbk, bak, tar, tgz, rar, zip, backup, iso, vcd, bmp, png, gif, raw, cgm, tif, tiff, nef, psd, svg, djvu, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3, class, jar, java, asp, php, jsp, brd, sch, dch, dip, vbs, ps1, bat, cmd, asm, pas, cpp, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, mdb, accdb, sql, sqlitedb, sqlite3, asc, lay6, lay, mml, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, der, 

When encrypting a file it will currently append the .aurora extension to the encrypted file's name. For example, a file named test.jpg would be encrypted and renamed to test.jpg.aurora.  

Folder of encrypted .aurora files
Folder of encrypted .aurora files

Previous variants of this ransomware have also utilized the .animus, .Aurora, .desu, and .ONI file extensions for encrypted files.

While encrypting files, the ransomware will also create ransom notes in each folder that it traverses. These ransom notes are named !-GET_MY_FILES-!.txt#RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt and will contain instructions on how to pay the ransom. It will also contain an email address, which is currently oktropys@protonmail.com, that victim can use to contact the attacker after making payment.

Aurora / Zorro Ransomware Ransom Note
Aurora / Zorro Ransomware Ransom Note

Finally, the ransomware will create the %UserProfile%wall.i file, which is actually a jpg file, and set it as your desktop wallpaper. This image contains instructions on how to open the ransom notes.

Aurora / Zorro Ransomware wallpaper
Aurora / Zorro Ransomware wallpaper

As previously stated, this ransomware is decryptable. If you are infected, be sure to leave a comment here or in the Aurora Help & Support topic for help.

How to protect yourself from Aurora / Zorro Ransomware

In order to protect yourself from this ransomware, or from any variant, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As this ransomware may be installed via hacked Remote Desktop services, it is very important to make sure RDP is locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

For more detailed information, please see our guide on locking down Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed.
  • Use hard passwords and never reuse the same password at multiple sites.
  • If you are using Remote Desktop Services, do not connect it directly to the Internet. Instead make it accessibly only via a VPN.

For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.

Related Articles:

Attacks on Citrix NetScaler systems linked to ransomware actor

New Ymir ransomware partners with RustyStealer in attacks

Halliburton reports $35 million loss after ransomware attack

Critical Veeam RCE bug now used in Frag ransomware attacks

Meet Interlock — The new ransomware targeting FreeBSD servers

IOCs

Hash:

SHA256: e8e995787549117aacb30b3d4896c058a8bfc8d0aab312b726d34e6ab85d819d

Associated Files:

!-GET_MY_FILES-!.txt
#RECOVERY-PC#.txt
@_RESTORE-FILES_@.txt
%UserProfile%wall.i

Associated email addresses:

anastacialove21@mail.com
anonimus.mr@yahoo.com
big.fish@vfemail.net
enco@cock.email
enco@cock.email
hellstaff@india.com
j0ra@protonmail.com
ochennado@tutanota.com
oktropys@protonmail.com
UnlockAlexKingman@protonmail.com

Known encrypted file extensions:

.animus
.Aurora
.desu
.ONI
.aurora

Zorro / Aurora Ransom Note:

==========================# zorro ransomware #==========================
SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you need to get the RSA-key from us.
--
To obtain an RSA-key, follow these steps in order:
1. pay this sum 500$  to this BTC-purse: 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac
2. write on the e-mail ochennado@tutanota.com or anastacialove21@mail.com indicating in the letter this ID-[id] and BTC-purse, from which paid.
In the reply letter you will receive an RSA-key and instructions on what to do next.
We guarantee you the recovery of files, if you do it right.
==========================# zorro ransomware #==========================