Mark of Zorro: New ransomware variant picking up steam

A ransomware known as Aurora received some notice in the late summer of 2018. Since then it appears that the malware has been improved upon and is now making the rounds under the name Zorro ransomware. According to Bleeping Computer, Zorro ransomware is proving to be a relatively lucrative source of payments for cybercriminals. As of the writing of this article, Zorro ransomware has extorted roughly $12,000 in bitcoin, a total made up of a little over 100 ransom payments from infected users.

Zorro ransomware has no confirmed distribution method; however, there are published email addresses affiliated with the attacks, which leads one to suspect email as the main attack vector. As Lawrence Abrams noted in his Bleeping Computer article, Zorro ransomware is installed via “hacking into computers running Remote Desktop Services… that are exposed to the Internet…the attackers will brute force the password for RDP accounts in order to gain access to the computer and install the ransomware.”
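Because the reported entry point is password guessing against Internet-exposed RDP, the most useful thing a defender can do before the ransom note ever appears is to watch for it. The following is an added detection example, not code from the article or from Bleeping Computer; it assumes Windows Security log events have been exported as JSON lines carrying the Event ID 4625 fields `LogonType`, `IpAddress` and `TimeCreated`, and the sample records in it are constructed for illustration.

```python
"""Flag RDP password guessing in Windows Security log failures (added example,
not from the article). Assumes Security-log events were exported as JSON lines
carrying the Event ID 4625 fields LogonType, IpAddress and TimeCreated; the
sample records below are constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four failures from 203.0.113.7, three of them within
# two minutes over RDP (LogonType 10) and one over the network (LogonType 3),
# which must not count; a single RDP failure from 198.51.100.9 stays below threshold.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TimeCreated": "2018-11-20T03:00:01"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TimeCreated": "2018-11-20T03:00:45"},
    {"EventID": 4625, "LogonType": 3,  "IpAddress": "203.0.113.7", "TimeCreated": "2018-11-20T03:01:10"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TimeCreated": "2018-11-20T03:01:58"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.9", "TimeCreated": "2018-11-20T03:02:00"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TimeCreated": "2018-11-20T03:02:30"},
])


def rdp_bruteforce_sources(jsonl, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: max_failures_in_window} for source addresses that produced at
    least `threshold` failed RDP logons (4625, LogonType 10) within `window`."""
    by_ip = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only failed RemoteInteractive (RDP) logons are relevant here.
        if ev.get("EventID") != 4625 or ev.get("LogonType") != 10:
            continue
        by_ip[ev["IpAddress"]].append(datetime.fromisoformat(ev["TimeCreated"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: widest run of failures whose span fits in `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(rdp_bruteforce_sources(SAMPLE_EVENTS))
```

A successful 4624 logon from an address that was just flagged is the moment to treat the host as compromised rather than merely probed, which is exactly the sequence the article describes.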

Upon infection, the victim is met with the following message:

==========================# zorro ransomware #==========================
SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you need to get the RSA-key from us.

To obtain an RSA-key, follow these steps in order:
1. pay this sum 500$ to this BTC-purse: 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac
2. write on the e-mail [email protected] or [email protected] indicating in the letter this ID-[id] and BTC-purse, from which paid.
In the reply letter you will receive an RSA-key and instructions on what to do next.
We guarantee you the recovery of files, if you do it right.
==========================# zorro ransomware #==========================

Thankfully, there is a free decryptor for files held hostage by the Zorro ransomware (it was developed by researchers Michael Gillespie and Francesco Muroni). If you have been infected, go to the Aurora Help & Support topic link and comment in the forum post for assistance. The researchers and the folks over at Bleeping Computer have really outdone themselves with this and deserve a huge thanks from the InfoSec world for their efforts. While this will likely not be the last time we see the Aurora/Zorro ransomware variants, at least the issue has a solution for now.

Featured image: Flickr /Magnus
