
DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d)

A new ransomware variant named DORRA has been identified. It is worth noting up front that this variant is derived from the Makop ransomware family.

The variant encrypts data and appends the “.DORRA” extension to each affected file, together with a unique victim ID and the ransomware developer's email address.

After encrypting the data, the payload drops a ransom note as a text file named “README-WANING.txt,” which instructs victims to contact the threat actor at the provided email address in order to decrypt the data.

Interestingly, this variant uses a plain email address hosted on Microsoft's Outlook service as the contact method.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Makop (f3d28719-fa72-42c3-b0fe-cda484abbaf9) | Ransomware | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 2 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 2 |