DORRADORRA

A new ransomware variant has been identified, named DORRA. It is worth mentioning in advance that this variant is derived from the Makop ransomware family. This variant encrypts data by adding the “.DORRA” extension to files, as well as a unique ID and the ransomware developer's email address. After encrypting the data, the payload creates a ransom note as a text file named “README-WANING.txt,” through which victims are instructed to contact the threat actor via the provided email to decrypt the data. Interestingly, this variant uses a simple email address hosted on Microsoft's Outlook service as the contact method.