First detected in the summer of 2018, this ransomware was initially branded as Aurora but has been referred to as Zorro in recent attacks. Although the distribution method is currently unknown, it is suspected that attackers are infecting victims via hacked Remote Desktop Protocol (RDP) services. The ransomware variant appends .aurora to the names of encrypted files and creates ransom notes named !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt. Previous versions of Aurora/Zorro appended .animus, .desu, or .ONI to encrypted files. The ransom note provides an email address of oktropys[@]protonmail[.]com, along with instructions and a payment demand of approximately 600 dollars in bitcoin. Additionally, the desktop wallpaper of an infected machine is replaced with an image, %UserProfile%wall.i, which contains instructions on how to open the ransom notes.
Image Source: Bleeping Computer
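A triage helper for the file-name indicators listed above, added here as an example and not part of the original write-up. It takes a file listing (for instance, exported from an endpoint) and grades each directory by whether a ransom note and renamed files occur together. The function name `triage`, the verdict labels and the sample paths are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the write-up above (compared case-insensitively).
RANSOM_NOTES = {"!-get_my_files-!.txt", "#recovery-pc#.txt", "@_restore-files_@.txt"}
CURRENT_EXT = ".aurora"
EARLIER_EXTS = {".animus", ".desu", ".oni"}


def triage(paths):
    """Group indicator hits by directory and grade each directory.

    'likely'   = a ransom note and at least one renamed file in the same folder
    'possible' = only one kind of indicator (e.g. a stray file that merely
                 reuses one of the extensions)
    """
    hits = defaultdict(lambda: {"notes": [], "current": [], "earlier": []})
    for raw in paths:
        p = PureWindowsPath(raw)  # parses Windows paths on any host OS
        name, ext = p.name.lower(), p.suffix.lower()
        folder = str(p.parent).lower()
        if name in RANSOM_NOTES:
            hits[folder]["notes"].append(p.name)
        elif ext == CURRENT_EXT:
            hits[folder]["current"].append(p.name)
        elif ext in EARLIER_EXTS:
            hits[folder]["earlier"].append(p.name)
    report = {}
    for folder, h in hits.items():
        renamed = len(h["current"]) + len(h["earlier"])
        report[folder] = {
            "verdict": "likely" if h["notes"] and renamed else "possible",
            "notes": sorted(h["notes"]),
            "renamed_current": len(h["current"]),
            "renamed_earlier": len(h["earlier"]),
        }
    return report


# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.aurora",
    r"C:\Users\alice\Documents\notes.docx.AURORA",
    r"C:\Users\alice\Documents\#RECOVERY-PC#.txt",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"D:\archive\old_game.oni",
]

if __name__ == "__main__":
    for folder, info in triage(SAMPLE).items():
        print(folder, info)
```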