DORRA

Also known as: DORRA

A new ransomware variant has been identified, named DORRA. It is worth mentioning in advance that this variant is derived from the Makop ransomware family.

This variant encrypts data by adding the “.DORRA” extension to files, as well as a unique ID and the ransomware developer’s email address.

After encrypting the data, the payload creates a ransom note as a text file named “README-WANING.txt,” through which victims are instructed to contact the threat actor via the provided email to decrypt the data.

Interestingly, this variant uses a simple email address hosted on Microsoft’s Outlook service as the contact method.

Introduction

A new ransomware variant has been identified, named DORRA. It is worth mentioning in advance that this variant is derived from the Makop ransomware family. This variant encrypts data by adding the “.DORRA” extension to files, as well as a unique ID and the ransomware developer’s email address. After encrypting the data, the payload creates a ransom note as a text file named “README-WANING.txt,” through which victims are instructed to contact the threat actor via the provided email to decrypt the data. Interestingly, this variant uses a simple email address hosted on Microsoft’s Outlook service as the contact method.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.