APT / THREAT GROUP

DORRA

1
aliases

Intelligence Profile

A new ransomware variant has been identified, named DORRA. It is worth mentioning in advance that this variant is derived from the Makop ransomware family.

This variant encrypts data by adding the “.DORRA” extension to files, as well as a unique ID and the ransomware developer's email address.

After encrypting the data, the payload creates a ransom note as a text file named “README-WANING.txt,” through which victims are instructed to contact the threat actor via the provided email to decrypt the data.

Interestingly, this variant uses a simple email address hosted on Microsoft's Outlook service as the contact method.

Threat Analysis

DORRA is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

TypeAPT / Threat Group
Aliases1

Also Known As

DORRA

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
DORRA — APT / Threat Group | Threat Intelligence | CTIWATCH.COM