Aurora ransomware – still active ransomware that came back in 2020 with .crypton file extension

Aurora is a ransomware[1] which is using RSA-2048 algorithm to encrypt essential data. This virus returned in 2020 with a new extension algorithm – .crypton. Unfortunately, the malware has already made a profit from victims by payments for decrypting encrypted data. The encoded information is marked with .animus, .Aurora, .desu, .ONI and .crypton file extension at the end of the file names. Since there are multiple versions of this file-encrypting virus each one of them delivers a different ransom note. The latest variant drops !-GET_MY_FILES-!.txt file, other ones add #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt on the system. Ransom note contains instructions on how to pay the ransom. It will also contain an email address which is currently called oktropys@protonmail.com and urging to contact the criminals via this email address. Victims are demanded to pay at least $50 for the decryption tool. However, the recent version is demanding $500. Previously, the ransomware was noticed using AZORult virus to increase its distribution rate.
| Overview of the cyber threat | |
|---|---|
| Name | Aurora |
| Type | Ransomware/cryptovirus/file-encrypting virus |
| Cryptography | RSA-2048 encryption algorithm |
| Appended extension | .animus, .Aurora, .desu, .ONI. The newest is .crypton |
| Ransom notes |
|
| Contact email addresses |
|
| Size of the ransom | $50; $100; $200; The latest variant is asking $500 |
| Distribution | Malicious email attachments, malvertising, fake downloads/updates |
|
To remove Aurora ransomware, install reputable anti-spyware. To get rid of virus damage, use FortectIntego. Note that it doesn't decrypt encrypted files. For that, use the updated Emsisoft decryptor. |
|
Aurora ransomware is targeting English-speaking users. This means that the virus spreads around the world quickly via malicious spam emails or other popular distribution strategies. Typically, the executable of the virus is dropped when a user opens an obfuscated attachment in the letter. Immediately, it starts data encryption procedure and leaves the following ransom notes depending on the version of the crypto-malware:
- HOW_TO_DECRYPT_YOUR_FILES.txt
- HOW_TO_DECRYPT_YOUR_FILES2.txt
- HOW_TO_DECRYPT_YOUR_FILES3.txt
- HOW_TO_DECRYPT_YOUR_FILES4.txt
- HOW_TO_DECRYPT_YOUR_FILES5.txt
- HOW_TO_DECRYPT_YOUR_FILES6.txt
- !-GET_MY_FILES-!.txt
- #RECOVERY-PC#.txt
- @_RESTORE-FILES_@.txt
- @_FILES_WERE_ENCRYPTED_@.txt
- @_HOW_TO_PAY_THE_RANSOM_@.txt
- @_HOW_TO_DECRYPT_FILES_@.txt
The primary goal of the authors of Aurora ransomware virus is to threaten users and make them pay the ransom in exchange for the decryption software. Criminals claim that users should not use other tools as they might permanently damage the data. However, experts say that there are no guarantees that the attackers themselves have the virus decryptor and are willing to send it after the payment.

Furthermore, hackers specify not to contact any data recovery companies as they will inform the criminals and increase the price of Aurora decryptor. Although, we can assure you that such claims are merely a trick to intimidate desperate computer users as none of the reputable firms would engage in this illegal activity.
Here is one of the ransom notes used by Aurora virus:
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also, we recommend you not to contact data recovery companies.
They will contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
=== # aurora ransomware # ===
Aurora ransomware
—
SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
anonimus.mr@yahoo.com
And pay 500 $ on 3CwxawqJpM4RBNididvHf8LhFA2VfLsRjM wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
=== # aurora ransomware # ===
However, it’s unknown if authors of the .Aurora file extension virus are capable of providing a decryption service. Hence, you might lose the money. Also, they can blackmail you after the payment and ask for more money; otherwise, they might leak or delete encrypted files.
Researchers from NoVirus.uk[2] also note that many victims are left alone after hackers receive the money. For these reasons, you should not deal with cybercriminals. Focus on the most important part after the attack — Aurora ransomware removal.

This task has to be completed with reputable anti-malware software. Crypto-viruses are complicated and hazardous cyber threats, so they cannot be appropriately eliminated without the damage. If you need a professional tool to remove Aurora ransomware virus from the computer, choose reputable anti-virus and then run FortectIntego to fix damaged files and similar components of your computer system. To decrypt encrypted files, use backups or try the most known ransomware decrypters, e.g. Emsisoft Decryptor for Aurora.
Previous evolution of Aurora virus
The initial version of Aurora/OneKeyLocker Ransomware used HOW_TO_DECRYPT_YOUR_FILES.txt ransom note and demanded their victims to pay around $500 for the decryption tool. Criminals indicated anonimus.mr@yahoo.com email address for contact purposes.
However, on the 1st of June 2018 cybersecurity researchers have discovered a new variant of Aurora virus which now uses C2 servers (a.k.a. Command-and-Control C&C). In other terms, the ransomware can is controlled remotely by the criminals. Thus, this version is exceptionally dangerous as it might be set to install more malicious programs on your system.

Soon after attackers upgraded the name of the ransom note to #RECOVERY-PC#.txt and changed the email address — big.fish@vfemail.net. The ransom-demanding messaged indicated that victims now must pay $200 for the decryption software.
It was evident that criminals won't stop updating Aurora ransomware. So, later experts found the new ransom note, called !-GET_MY_FILES-!.txt. According to the victims, attackers demanded to pay $50 and asked to write them via oktropys@protonmail.com email address.
Even though the amount of the ransom kept decreasing, we strongly advise you not to contact the hackers. Files encrypted by Aurora virus can be recovered with professional tools. Thus, you don't need to finance criminals' malicious activity by making the transactions. Check the data recovery instructions at the end of this article.

November 22nd came with more news about the Aurora variants. Previously, various security experts have discovered decryption methods for this virus and the latest version is also still decryptable. However, people still are paying and according to the wallet address, this virus uses since the start of attacks cybercriminals made over 12 000$, based on the Bitcoin price at the time of writing.
This version is also called Zorro ransomware and actively distributes all over the world but analyzed script shows that anyone located in Russia is not in the target. The ransomware will connect to a Command and Control server to receive data and encryption key, the minute it is installed on the device. It will then connect to http://www.geoplugin.net/php.gp see what country the victim is from based on their IP address.
Currently, the encoded files get .aurora marker still and receive the ransom note on a desktop wallpaper in %UserProfile%wall.i that is a jpg file. Ransom messages also come in !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt text files.
If you got affected by Aurora/Zorro ransomware contact the researchers[3] for the decryption key.
Innocent-looking emails might carry ransomware inside
Spam emails[4] are the primary ransomware distribution tactic which has been used for ages now. Unfortunately, users still lack IT knowledge and keep opening malicious letters which help infiltrate the system with a file-encrypting virus.
Often these infected files have malicious macro commands and users are frequently asked to enable them as soon as they open the MS Office document. This trick is usually successful because people do not think that regular Word file can be malicious.
However, there are a couple of other methods that can be used for spreading file-encrypting malware, for instance:
- malicious ads;
- fake software update alerts;
- trojans;
- exploit kits;
- insecure RDPs.
Nowadays it’s vital to follow cyber security tips in order to avoid getting your files locked. Hence, watch your clicks and downloads, and make sure that your computer and programs are up-to-date.
Deleting Aurora virus is essential for your PC's security
Since this file-encrypting virus is able to connect to the C2 server, criminals might install more malicious programs remotely. Likewise, quick Aurora ransomware removal is essential to protect your computer from further infections.
Of course, virus elimination does not bring back your files. Security programs needed for the removal are not designed to decrypt data. Other tools are required to complete this task. However, we want to stress out that a specific decryptor is not released yet.
Once you remove Aurora ransomware with FortectIntego, SpyHunterCombo Cleaner, MalwarebytesMalwarebytes or your preferred anti-malware tool, you can restore your data from backups or try to retrieve some data using additional methods. If you have problems with the elimination or want to try our suggested recovery options, check the instructions below.
Was this guide helpful?
Be the first to comment