
DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d)

A new ransomware variant, named DORRA, has been identified. It is derived from the Makop ransomware family.

DORRA renames each file it encrypts by appending a unique victim ID, the ransomware operator's contact email address, and the ".DORRA" extension.

After encrypting the data, the payload drops a ransom note as a text file named "README-WANING.txt", which instructs victims to contact the threat actor at the listed email address to obtain decryption.

Notably, this variant uses an ordinary email address hosted on Microsoft's Outlook service as its contact channel, rather than a Tor site or a dedicated leak portal.
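As an added example (not code from this page or from the DORRA/Makop authors), the following Python scanner applies the naming convention described above to a file listing and flags both encrypted files and ransom notes, while keeping a bare ".DORRA" suffix without the ID/email pair as a separate, lower-confidence hit for triage. It assumes the Makop-style layout `<original>.[<hex id>].[<email>].DORRA`, which the description does not spell out, and the sample listing, victim ID and email address are constructed placeholders.

```python
"""Hunt for DORRA-style artifacts in a file listing.

Added example, not code from the page or the DORRA/Makop authors.
Assumption: encrypted names follow the Makop layout
    <original>.[<hex id>].[<email>].DORRA
and the ransom note carries the name given in the description.
"""
import re
from collections import Counter

# Assumed Makop-style layout: original name, bracketed hex victim ID,
# bracketed contact email, then the ".DORRA" extension.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<victim_id>[0-9A-Fa-f]{4,16})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.DORRA$"
)
# Ransom note name as given on the page; matched case-insensitively
# because NTFS is case-insensitive.
RANSOM_NOTE = "README-WANING.txt"


def basename(path):
    """Last path component, accepting both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(path):
    """Describe what `path` looks like, or return None if it looks benign."""
    name = basename(path)
    if name.lower() == RANSOM_NOTE.lower():
        return {"kind": "ransom_note", "path": path}
    m = ENCRYPTED_RE.match(name)
    if m:
        return {"kind": "encrypted", "path": path, **m.groupdict()}
    # A bare ".DORRA" suffix without the ID/email pair does not match the
    # assumed full pattern; report it separately so an analyst can triage it.
    if name.upper().endswith(".DORRA"):
        return {"kind": "suffix_only", "path": path}
    return None


def scan(paths):
    """Classify every path and summarise the victim IDs and emails seen."""
    hits = [c for c in map(classify, paths) if c]
    encrypted = [h for h in hits if h["kind"] == "encrypted"]
    return {
        "hits": hits,
        "encrypted": len(encrypted),
        "notes": sum(1 for h in hits if h["kind"] == "ransom_note"),
        "victim_ids": dict(Counter(h["victim_id"] for h in encrypted)),
        "emails": dict(Counter(h["email"] for h in encrypted)),
    }


# Constructed sample listing; the victim ID and email are placeholders.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.[1A2B3C4D].[attacker@example.com].DORRA",
    r"C:\Users\alice\Documents\photo.jpg.[1A2B3C4D].[attacker@example.com].DORRA",
    r"C:\Users\alice\Documents\README-WANING.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\README-WANING.TXT",
    r"C:\Users\alice\Downloads\archive.zip.DORRA",
]

if __name__ == "__main__":
    result = scan(SAMPLE_LISTING)
    print(f"{result['encrypted']} encrypted file(s), {result['notes']} ransom note(s)")
    print("victim IDs:", result["victim_ids"], "emails:", result["emails"])
    for hit in result["hits"]:
        print(f"{hit['kind']:12} {hit['path']}")
```

The victim ID and contact email recovered from the filenames are the two values most worth pivoting on: the same email across hosts ties incidents to one operator, while a different ID on one host suggests a second infection rather than lateral spread.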

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Makop (f3d28719-fa72-42c3-b0fe-cda484abbaf9) | Ransomware | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | 1 |
| Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) | Attack Pattern | DORRA (b7e9cd85-74f7-4600-850c-508dabcab92d) | Ransomware | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 2 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |