
Zorgo Ransomware

By GoldSparrow in Ransomware

Malware analysts have spotted a new file-locking Trojan dubbed the Zorgo Ransomware. Ransomware threats are a very popular malware type, as even less experienced cybercriminals can create and distribute them with the help of a ransomware building kit or other similar tools. Luckily, the Zorgo Ransomware is based on the HiddenTear project, which means that you are likely able to unlock all your files free of charge. Search online for the ‘HiddenTear decryptor’ and follow the guide to recover your data.

Propagation and Encryption

There is a wide array of distribution techniques that cybercriminals tend to utilize. Some creators of ransomware threats prefer to use spam emails as an infection vector. Using this technique, the attackers send victims fraudulent emails that contain a misleading link or a corrupted attachment. The end goal is tricking the user into letting the ransomware threat onto their system. Other commonly used propagation methods are malvertising campaigns, torrent trackers, bogus software downloads and updates, etc. The Zorgo Ransomware is likely programmed to encrypt a long list of file types – images, audio files, presentations, spreadsheets, documents, videos, databases, archives, etc. Upon locking a new file, the Zorgo Ransomware appends ‘.zorgo’ as an additional extension. For example, a file originally named ‘cheese-crackers.mp3’ will be renamed to ‘cheese-crackers.mp3.zorgo’ when the Zorgo Ransomware completes its encryption process.

The Ransom Note

The Zorgo Ransomware drops a ransom note named ‘READ_IT.txt’ on the compromised system. The ransom note is brief and does not offer many details regarding the attack. The attackers provide an email address where the user can contact them – ‘’ The authors of the Zorgo Ransomware demand to be paid via PayPal, which is a rookie mistake that only inexperienced cybercriminals would make. Every transaction processed via PayPal is easily traceable and may land cyber crooks in a lot of trouble. This is why experienced cybercriminals prefer to be paid via Bitcoin instead of using conventional methods and services.

The text in the note reads as follows:

This computer has been hacked
Your personal files have been ecrypted. Send me PayPal money :
After that, you'll be able to see your beloved files again after messaged my Discord.
From : The one you scammed! :')

The ransom note claims that the device has been hacked and that the data on it has been encrypted. Users must pay an unspecified amount of money to have their data restored. The victim must communicate with the people behind the Zorgo infection to learn how much they must pay. The note also tells the victim that they need to message the attacker through Discord after making the payment. The hackers say they will deliver the tools/software required for decryption through Discord. More often than not, it is impossible to reverse the encryption without intervention from the criminals behind the attack. The only time decryption is possible without their intervention is when there is some flaw in the program that allows security researchers to create decryption tools.
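The two artifacts the page names, the appended ‘.zorgo’ extension and the ‘READ_IT.txt’ note, are the indicators a responder would sweep a machine for before restoring from backup. The following triage helper is an added example, not code from the original page or from any decryptor project; the indicator values come from the text above, while the directory layout it scans is a constructed sample and the function names (`scan_for_zorgo`, `triage_summary`, `build_sample_tree`) are my own. Because ‘.zorgo’ is added on top of the real extension, the original filename is recovered simply by stripping the suffix, which gives the list of files to restore.

```python
"""Defensive triage helper: walk a directory tree for Zorgo Ransomware
indicators (the '.zorgo' appended extension and the 'READ_IT.txt' note)
and report the original filenames so an incident responder knows what
to restore from backup. Added example, not code from the original page.
The indicator values come from the page; the sample tree is constructed.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".zorgo"        # appended as an additional extension
RANSOM_NOTE_NAME = "READ_IT.txt"   # note dropped on the compromised system


def scan_for_zorgo(root):
    """Walk `root` and return a dict with two lists:
    'encrypted': (path, original_name) pairs for files ending in .zorgo
    'notes': paths of files named READ_IT.txt
    """
    result = {"encrypted": [], "notes": []}
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                result["notes"].append(str(path))
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                # The suffix sits on top of the real extension, so the
                # original name is the name with '.zorgo' stripped.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                result["encrypted"].append((str(path), original))
    return result


def build_sample_tree():
    """Create a constructed sample tree mimicking a post-infection layout
    (hypothetical file names; the content is placeholder bytes)."""
    tmp = tempfile.mkdtemp(prefix="zorgo-demo-")
    docs = Path(tmp) / "Documents"
    docs.mkdir()
    (docs / "cheese-crackers.mp3.zorgo").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.zorgo").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    (docs / RANSOM_NOTE_NAME).write_text("This computer has been hacked\n")
    return tmp


def triage_summary(root):
    """Return the sorted list of original filenames to restore from backup
    and the number of ransom notes found under `root`."""
    found = scan_for_zorgo(root)
    originals = sorted(orig for _path, orig in found["encrypted"])
    return originals, len(found["notes"])


if __name__ == "__main__":
    sample = build_sample_tree()
    originals, notes = triage_summary(sample)
    print(f"Ransom notes found: {notes}")
    print("Files to restore from backup:")
    for name in originals:
        print("  ", name)
```

Run it as-is to see the sweep over the constructed tree; on a real system, point `triage_summary` at the user profile or a mounted disk image and compare the returned list against the backup catalogue. A file matching the suffix is a strong but not conclusive indicator, so the note count is reported separately as corroboration.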

Whether a public decryption tool is available or not, one should never interact with cyber criminals or pay them money. Ransomware victims often become scam victims as the hackers never deliver on their promise. The victim still can't recover their lost data and loses money on top of that. One should take steps to remove Zorgo from their computer as soon as possible to prevent further encryption. Please note this won't restore compromised files, however. The only way to safely restore lost files is from a backup created before the ransomware infection.

How Does Ransomware Get on Computers?

Ransomware has several potential infection vectors, just like any other kind of virus. The main techniques for spreading ransomware are spam campaigns, trojan viruses, and illegal activation tools. Other common methods are fake software updates and untrustworthy download pages and websites.

Spam campaigns involve sending thousands of scam emails to as many people as possible. The emails have an infectious file or link attached to them. Once someone interacts with the compromised attachment, their computer is infected. The malicious file could be a document, a PDF file, an archive, an executable file, or any other kind of file. The point is that they contain code that triggers an infection when the file is activated. Trojan viruses are a kind of malware used to trigger chain infections and download other malware, such as the Zorgo ransomware.

Software pirates use illegal activation tools – also known as "cracks" – to activate pirated software. These tools also download and install malicious programs and viruses. A fake software update works on a similar principle: sometimes it exploits flaws in an application, and sometimes it simply installs a virus instead of the update it claims to deliver.

It's possible for a person to unwittingly download malicious content through untrustworthy download resources like peer-to-peer networks, third-party websites, and unofficial free file-hosting websites.

How to Protect Against Ransomware

The first step to avoiding ransomware infection is to be more vigilant with emails. Don't open unsolicited and dubious emails, especially ones that have links and attachments. You should also avoid using illicit and unofficial download resources. Make sure to activate and update products using official tools from the developers. Third-party updates and illegal activation tools (known as cracking tools) are often used to spread malware.

Keep your device secure by installing and using antivirus software. This software often catches a virus before it can become an issue, and will help to remove viruses that slip through the cracks.
