Aurora ransomware

Aurora ransomware – still active ransomware that came back in 2020 with .crypton file extension

Aurora ransomware image
Aurora is a ransomware which is designed to encrypt data with RSA-2048 algorithm.

Aurora is a ransomware[1] which is using RSA-2048 algorithm to encrypt essential data. This virus returned in 2020 with a new extension algorithm – .crypton. Unfortunately, the malware has already made a profit from victims by payments for decrypting encrypted data. The encoded information is marked with .animus, .Aurora, .desu, .ONI and .crypton file extension at the end of the file names. Since there are multiple versions of this file-encrypting virus each one of them delivers a different ransom note. The latest variant drops !-GET_MY_FILES-!.txt file, other ones add #RECOVERY-PC#.txt, and @[email protected] on the system. Ransom note contains instructions on how to pay the ransom. It will also contain an email address which is currently called [email protected] and urging to contact the criminals via this email address. Victims are demanded to pay at least $50 for the decryption tool. However, the recent version is demanding $500. Previously, the ransomware was noticed using AZORult virus to increase its distribution rate.

Overview of the cyber threat
Name Aurora
Type Ransomware/cryptovirus/file-encrypting virus
Cryptography RSA-2048 encryption algorithm
Appended extension .animus, .Aurora, .desu, .ONI. The newest is .crypton
Ransom notes
Contact email addresses
Size of the ransom $50; $100; $200; The latest variant is asking $500
Distribution Malicious email attachments, malvertising, fake downloads/updates

To remove Aurora ransomware, install reputable anti-spyware. To get rid of virus damage, use Reimage Reimage Cleaner . Note that it doesn’t decrypt encrypted files. For that, use the updated Emsisoft decryptor.

Aurora ransomware is targeting English-speaking users. This means that the virus spreads around the world quickly via malicious spam emails or other popular distribution strategies. Typically, the executable of the virus is dropped when a user opens an obfuscated attachment in the letter. Immediately, it starts data encryption procedure and leaves the following ransom notes depending on the version of the crypto-malware:

The primary goal of the authors of Aurora ransomware virus is to threaten users and make them pay the ransom in exchange for the decryption software. Criminals claim that users should not use other tools as they might permanently damage the data. However, experts say that there are no guarantees that the attackers themselves have the virus decryptor and are willing to send it after the payment.

Aurora ransomware illustration

Furthermore, hackers specify not to contact any data recovery companies as they will inform the criminals and increase the price of Aurora decryptor. Although, we can assure you that such claims are merely a trick to intimidate desperate computer users as none of the reputable firms would engage in this illegal activity. 

Here is one of the ransom notes used by Aurora virus:

We STRONGLY RECOMMEND you NOT to use any “decryption tools”. 
These tools can damage your data, making recover IMPOSSIBLE. 
Also, we recommend you not to contact data recovery companies. 
They will contact us, buy the key and sell it to you at a higher price. 
If you want to decrypt your files, you have to get RSA private key. 

=== # aurora ransomware # ===
Aurora ransomware

SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
[email protected]
And pay 500 $ on 3CwxawqJpM4RBNididvHf8LhFA2VfLsRjM wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
=== # aurora ransomware # ===

However, it’s unknown if authors of the .Aurora file extension virus are capable of providing a decryption service. Hence, you might lose the money. Also, they can blackmail you after the payment and ask for more money; otherwise, they might leak or delete encrypted files.

Researchers from[2] also note that many victims are left alone after hackers receive the money. For these reasons, you should not deal with cybercriminals. Focus on the most important part after the attack — Aurora ransomware removal.

Aurora ransomware virus picture
Aurora is crypto-malware which claims that none of the data recovery firms can help victims get back the access to their documents.

This task has to be completed with reputable anti-malware software. Crypto-viruses are complicated and hazardous cyber threats, so they cannot be appropriately eliminated without the damage. If you need a professional tool to remove Aurora ransomware virus from the computer, choose reputable anti-virus and then run Reimage Reimage Cleaner to fix damaged files and similar components of your computer system. To decrypt encrypted files, use backups or try the most known ransomware decrypters, e.g. Emsisoft Decryptor for Aurora.

Previous evolution of Aurora virus

The initial version of Aurora/OneKeyLocker Ransomware used HOW_TO_DECRYPT_YOUR_FILES.txt ransom note and demanded their victims to pay around $500 for the decryption tool. Criminals indicated [email protected] email address for contact purposes. 

However, on the 1st of June 2018 cybersecurity researchers have discovered a new variant of Aurora virus which now uses C2 servers (a.k.a. Command-and-Control C&C). In other terms, the ransomware can is controlled remotely by the criminals. Thus, this version is exceptionally dangerous as it might be set to install more malicious programs on your system.

Aurora ransomware variant
Aurora ransomware has multiple versions and one of them uses C2 server.

Soon after attackers upgraded the name of the ransom note to #RECOVERY-PC#.txt and changed the email address — [email protected]. The ransom-demanding messaged indicated that victims now must pay $200 for the decryption software. 

It was evident that criminals won’t stop updating Aurora ransomware. So, later experts found the new ransom note, called !-GET_MY_FILES-!.txt. According to the victims, attackers demanded to pay $50 and asked to write them via [email protected] email address. 

Even though the amount of the ransom kept decreasing, we strongly advise you not to contact the hackers. Files encrypted by Aurora virus can be recovered with professional tools. Thus, you don’t need to finance criminals’ malicious activity by making the transactions. Check the data recovery instructions at the end of this article.

  Zorro/Aurora ransomware
Aurora ransomware developers have made over 12 000$ already from ransom payments.

November 22nd came with more news about the Aurora variants. Previously, various security experts have discovered decryption methods for this virus and the latest version is also still decryptable. However, people still are paying and according to the wallet address, this virus uses since the start of attacks cybercriminals made over 12 000$, based on the Bitcoin price at the time of writing.

This version is also called Zorro ransomware and actively distributes all over the world but analyzed script shows that anyone located in Russia is not in the target. The ransomware will connect to a Command and Control server to receive data and encryption key, the minute it is installed on the device. It will then connect to see what country the victim is from based on their IP address.

Currently, the encoded files get .aurora marker still and receive the ransom note on a desktop wallpaper in %UserProfile%wall.i that is a jpg file. Ransom messages also come in !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @[email protected] text files.

If you got affected by Aurora/Zorro ransomware contact the researchers[3] for the decryption key. 

Innocent-looking emails might carry ransomware inside

Spam emails[4] are the primary ransomware distribution tactic which has been used for ages now. Unfortunately, users still lack IT knowledge and keep opening malicious letters which help infiltrate the system with a file-encrypting virus.

Often these infected files have malicious macro commands and users are frequently asked to enable them as soon as they open the MS Office document. This trick is usually successful because people do not think that regular Word file can be malicious.

However, there are a couple of other methods that can be used for spreading file-encrypting malware, for instance:

  • malicious ads;
  • fake software update alerts;
  • trojans;
  • exploit kits;
  • insecure RDPs.

Nowadays it’s vital to follow cyber security tips in order to avoid getting your files locked. Hence, watch your clicks and downloads, and make sure that your computer and programs are up-to-date.

Deleting Aurora virus is essential for your PC’s security

Since this file-encrypting virus is able to connect to the C2 server, criminals might install more malicious programs remotely. Likewise, quick Aurora ransomware removal is essential to protect your computer from further infections.

Of course, virus elimination does not bring back your files. Security programs needed for the removal are not designed to decrypt data. Other tools are required to complete this task. However, we want to stress out that a specific decryptor is not released yet.

Once you remove Aurora ransomware with Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner, Malwarebytes or your preferred anti-malware tool, you can restore your data from backups or try to retrieve some data using additional methods. If you have problems with the elimination or want to try our suggested recovery options, check the instructions below. 

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Aurora using Safe Mode with Networking

In some cases, ransomware blocks security software in order to remain on the system. However, this guide will help to avoid this problem:

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Aurora removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Aurora using System Restore

To get rid of Aurora ransomware with System Restore, use these steps:

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Aurora from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Aurora, you can use several methods to restore them:

Try Data Recovery Pro

This tool is created to recover files that are deleted or corrupted. However, it might be helpful after the ransomware attack too:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Aurora ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

Victims, who had System Restore enabled before Aurora ransomware attack, can try to copy individual files by following this guide:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

It’s unknown if malware deletes Shadow Volume Copies or not. If they are left on the system, get this tool and recover your data:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The decryptor for Aurora ransomware has already been updated. Try it

If got attacked by Aurora ransomware (newest version), use Emsisoft decryptor to recover after attack.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Aurora and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2020-01-13 at 04:43 and is filed under Ransomware, Viruses.