First detected in the summer of 2018, this ransomware was initially branded as Aurora but has been referred to as Zorro in recent attacks. Although the distribution method is currently unknown, it is suspected that attackers are infecting victims via hacked Remote Desktop Protocol (RDP) services. The ransomware variant appends .aurora to the names of encrypted files and creates ransom notes named !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt. Previous versions of Aurora/Zorro appended .animus, .desu, or .ONI to encrypted files. The ransom note provides an email address of oktropys[@]protonmail[.]com, along with instructions and a payment demand of approximately 600 dollars in bitcoin. Additionally, the desktop wallpaper of an infected machine is replaced with an image, %UserProfile%wall.i, which contains instructions on how to open the ransom notes.
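An added example, not part of the original advisory: a minimal Python sweep that checks a directory tree for the ransom-note names and encrypted-file extensions listed above, and rates a directory as high confidence when a note sits beside encrypted files. The function names and the constructed test tree are assumptions made for illustration; the wallpaper file is not checked.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the profile above; matching is case-insensitive
# because Windows filesystems are.
NOTE_NAMES = {"!-get_my_files-!.txt", "#recovery-pc#.txt", "@_restore-files_@.txt"}
ENCRYPTED_EXTS = (".aurora", ".animus", ".desu", ".oni")

def classify(filename):
    """Return 'note', 'encrypted' or None for a bare file name."""
    name = filename.lower()
    if name in NOTE_NAMES:
        return "note"
    if name.endswith(ENCRYPTED_EXTS):
        return "encrypted"
    return None

def sweep(root):
    """Walk root and return {directory: {'note': n, 'encrypted': n}} for hits."""
    hits = defaultdict(lambda: {"note": 0, "encrypted": 0})
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind = classify(f)
            if kind:
                hits[dirpath][kind] += 1
    return dict(hits)

def triage(hits):
    """High confidence: a note next to encrypted files. Otherwise review."""
    return {d: ("high" if c["note"] and c["encrypted"] else "review")
            for d, c in hits.items()}

def demo():
    """Build a constructed directory tree (empty files) and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "docs": ["report.docx.aurora", "#RECOVERY-PC#.txt", "notes.txt"],
            "pics": ["cat.jpg.ONI"],
            "clean": ["readme.txt", "aurora.txt"],
        }
        for d, names in layout.items():
            os.makedirs(os.path.join(root, d))
            for n in names:
                open(os.path.join(root, d, n), "w").close()
        return {os.path.basename(d): v for d, v in triage(sweep(root)).items()}

if __name__ == "__main__":
    print(demo())
```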

  • Bleeping Computer provides additional information on Aurora/Zorro here.

  • The NJCCIC is aware of a free decryption tool developed by Michael Gillespie and Francesco Muroni. Infected victims may comment on this Bleeping Computer article or on the Aurora Help & Support page for assistance.

  • UPDATE 1/4/2019: Another decryptor from Michael Gillespie is available for certain Aurora variants. Bleeping Computer provides instructions on how to decrypt files.
