• A new variant of the Aurora ransomware, dubbed Zorro, has been spotted actively being distributed in the wild.
  • The cybercriminals behind the ransomware are using hacked RDPs to infect systems.

A new variant of the Aurora ransomware, dubbed Zorro, is currently being actively distributed across the globe. Aurora first emerged in mid-2018 and has seen significant success over the past few months. Its new variant, Zorro, is being distributed via hacked Remote Desktop Protocol (RDP) servers.

Zorro’s operators likely brute force the passwords of RDP accounts to gain access to targeted systems and install the ransomware. Zorro demands its ransom payments in Bitcoin. Bleeping Computer reported that the ransomware operators have been using the same Bitcoin address for all of their victims, making the payments easier to track.
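One way a defender can spot the RDP password-guessing vector described above is to look for bursts of failed RDP logons from a single source, followed by a success. The script below is an added example and is not code from Cyware, Bleeping Computer or the researchers cited; it assumes Windows Security log records (Event ID 4625 failed logons and 4624 successful logons, with logon type 10 marking RDP sessions) have already been exported as Python dicts, and the `threshold` and `window` parameters are the example's own choices. The sample records are constructed for the demonstration.

```python
"""Flag RDP password-guessing bursts in exported Windows Security log records.

Added example (not the article's or any researcher's code). Assumes each
record is a dict with the keys used below; the SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, logon_type, src_ip, user):
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "user": user}


# Constructed sample. Event ID 4625 = failed logon, 4624 = successful logon;
# logon type 10 = RemoteInteractive (RDP). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    # one source guessing several account names in thirty seconds, then succeeding
    _ev("2018-11-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    _ev("2018-11-01T02:00:06", 4625, 10, "203.0.113.7", "admin"),
    _ev("2018-11-01T02:00:12", 4625, 10, "203.0.113.7", "backup"),
    _ev("2018-11-01T02:00:18", 4625, 10, "203.0.113.7", "test"),
    _ev("2018-11-01T02:00:25", 4625, 10, "203.0.113.7", "guest"),
    _ev("2018-11-01T02:00:31", 4625, 10, "203.0.113.7", "administrator"),
    _ev("2018-11-01T02:00:45", 4624, 10, "203.0.113.7", "administrator"),
    # a user mistyping a password twice: stays below the threshold
    _ev("2018-11-01T09:15:00", 4625, 10, "192.0.2.5", "alice"),
    _ev("2018-11-01T09:15:20", 4625, 10, "192.0.2.5", "alice"),
    # repeated network (logon type 3) failures: not RDP, so ignored here
    *[_ev(f"2018-11-01T10:00:{s:02d}", 4625, 3, "192.0.2.20", "svc")
      for s in range(0, 60, 10)],
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for each source with at least `threshold`
    failed RDP logons inside some span no longer than `window`, noting whether
    an RDP logon from that source later succeeded (a likely compromised account).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:          # only RDP (RemoteInteractive) logons
            continue
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((_ts(e), e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append((_ts(e), e["user"]))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        best_start, best_end = 0, -1       # bounds of the densest window seen
        start = 0
        for end, (t, _) in enumerate(attempts):
            # advance `start` until the span [start, end] fits inside the window
            while t - attempts[start][0] > window:
                start += 1
            if end - start > best_end - best_start:
                best_start, best_end = start, end
        count = best_end - best_start + 1
        if count < threshold:
            continue
        burst = attempts[best_start:best_end + 1]
        last_failure = burst[-1][0]
        later = [(t, u) for t, u in successes.get(src, []) if t > last_failure]
        alerts[src] = {
            "failures": count,
            "users_tried": sorted({u for _, u in burst}),
            "first": burst[0][0].isoformat(),
            "last": last_failure.isoformat(),
            "success_after": bool(later),
            "accounts_logged_in": sorted({u for _, u in later}),
        }
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {a['failures']} failed RDP logons {a['first']}..{a['last']}, "
              f"tried {a['users_tried']}, later success: {a['success_after']}")
```

The sliding window keeps the check linear in the number of records per source, and the `success_after` flag is the item worth escalating: a burst of failures that ends in a successful RDP logon is the point at which an operator would be in a position to drop a payload, so it should trigger a password reset and a host check rather than just an entry in a report.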

Since the end of September, Zorro has received 105 bitcoin transactions, raking in over $12,000. The ransomware is also able to determine which country a victim is located in, based on their IP address. Researchers believe that the ransomware likely refrains from infecting users located in Russia.

Zorro appends the .aurora extension to the files it encrypts. Previous variants of the ransomware used the .animus, .Aurora, .desu, and .ONI extensions for encrypted files. Victims are asked to contact the ransomware operators via an email address - oktropys@protonmail.com - after making ransom payments.

Fortunately, security researchers Michael Gillespie and Francesco Muroni have reportedly figured out a way to decrypt files encrypted by the Zorro ransomware for free. Bleeping Computer suggested that those infected by the ransomware could visit the Aurora Help & Support site for help.

Cyware Publisher