Aurora ransomware (Removal Instructions) - updated Jan 2020

Aurora virus Removal Guide

What is Aurora ransomware?

Aurora ransomware – still active ransomware that came back in 2020 with .crypton file extension

Aurora ransomware imageAurora is a ransomware which is designed to encrypt data with RSA-2048 algorithm.

Aurora is a ransomware[1] which is using RSA-2048 algorithm to encrypt essential data. This virus returned in 2020 with a new extension algorithm – .crypton. Unfortunately, the malware has already made a profit from victims by payments for decrypting encrypted data. The encoded information is marked with .animus, .Aurora, .desu, .ONI and .crypton file extension at the end of the file names. Since there are multiple versions of this file-encrypting virus each one of them delivers a different ransom note. The latest variant drops !-GET_MY_FILES-!.txt file, other ones add #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt on the system. Ransom note contains instructions on how to pay the ransom. It will also contain an email address which is currently called and urging to contact the criminals via this email address. Victims are demanded to pay at least $50 for the decryption tool. However, the recent version is demanding $500. Previously, the ransomware was noticed using AZORult virus to increase its distribution rate.

Overview of the cyber threat
Name Aurora
Type Ransomware/cryptovirus/file-encrypting virus
Cryptography RSA-2048 encryption algorithm
Appended extension .animus, .Aurora, .desu, .ONI. The newest is .crypton
Ransom notes
    • !-GET_MY_FILES-!.txt
    • #RECOVERY-PC#.txt
    • @_RESTORE-FILES_@.txt
    • @_HOW_TO_PAY_THE_RANSOM_@.txt
    • @_HOW_TO_DECRYPT_FILES_@.txt
Contact email addresses
Size of the ransom $50; $100; $200; The latest variant is asking $500
Distribution Malicious email attachments, malvertising, fake downloads/updates

To remove Aurora ransomware, install reputable anti-spyware. To get rid of virus damage, use FortectIntego. Note that it doesn't decrypt encrypted files. For that, use the updated Emsisoft decryptor.

Aurora ransomware is targeting English-speaking users. This means that the virus spreads around the world quickly via malicious spam emails or other popular distribution strategies. Typically, the executable of the virus is dropped when a user opens an obfuscated attachment in the letter. Immediately, it starts data encryption procedure and leaves the following ransom notes depending on the version of the crypto-malware:

  • !-GET_MY_FILES-!.txt
  • #RECOVERY-PC#.txt
  • @_RESTORE-FILES_@.txt

The primary goal of the authors of Aurora ransomware virus is to threaten users and make them pay the ransom in exchange for the decryption software. Criminals claim that users should not use other tools as they might permanently damage the data. However, experts say that there are no guarantees that the attackers themselves have the virus decryptor and are willing to send it after the payment.

Aurora ransomware illustrationThe criminals behind Aurora virus can demand to pay up to $500 for the decryption software.

Furthermore, hackers specify not to contact any data recovery companies as they will inform the criminals and increase the price of Aurora decryptor. Although, we can assure you that such claims are merely a trick to intimidate desperate computer users as none of the reputable firms would engage in this illegal activity.

Here is one of the ransom notes used by Aurora virus:

We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also, we recommend you not to contact data recovery companies.
They will contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.

=== # aurora ransomware # ===
Aurora ransomware

SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
And pay 500 $ on 3CwxawqJpM4RBNididvHf8LhFA2VfLsRjM wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
=== # aurora ransomware # ===

However, it’s unknown if authors of the .Aurora file extension virus are capable of providing a decryption service. Hence, you might lose the money. Also, they can blackmail you after the payment and ask for more money; otherwise, they might leak or delete encrypted files.

Researchers from[2] also note that many victims are left alone after hackers receive the money. For these reasons, you should not deal with cybercriminals. Focus on the most important part after the attack — Aurora ransomware removal.

Aurora ransomware virus pictureAurora is crypto-malware which claims that none of the data recovery firms can help victims get back the access to their documents.

This task has to be completed with reputable anti-malware software. Crypto-viruses are complicated and hazardous cyber threats, so they cannot be appropriately eliminated without the damage. If you need a professional tool to remove Aurora ransomware virus from the computer, choose reputable anti-virus and then run FortectIntego to fix damaged files and similar components of your computer system. To decrypt encrypted files, use backups or try the most known ransomware decrypters, e.g. Emsisoft Decryptor for Aurora.

Previous evolution of Aurora virus

The initial version of Aurora/OneKeyLocker Ransomware used HOW_TO_DECRYPT_YOUR_FILES.txt ransom note and demanded their victims to pay around $500 for the decryption tool. Criminals indicated email address for contact purposes.

However, on the 1st of June 2018 cybersecurity researchers have discovered a new variant of Aurora virus which now uses C2 servers (a.k.a. Command-and-Control C&C). In other terms, the ransomware can is controlled remotely by the criminals. Thus, this version is exceptionally dangerous as it might be set to install more malicious programs on your system.

Aurora ransomware variantAurora ransomware has multiple versions and one of them uses C2 server.

Soon after attackers upgraded the name of the ransom note to #RECOVERY-PC#.txt and changed the email address — The ransom-demanding messaged indicated that victims now must pay $200 for the decryption software.

It was evident that criminals won't stop updating Aurora ransomware. So, later experts found the new ransom note, called !-GET_MY_FILES-!.txt. According to the victims, attackers demanded to pay $50 and asked to write them via email address.

Even though the amount of the ransom kept decreasing, we strongly advise you not to contact the hackers. Files encrypted by Aurora virus can be recovered with professional tools. Thus, you don't need to finance criminals' malicious activity by making the transactions. Check the data recovery instructions at the end of this article.

Zorro/Aurora ransomwareAurora ransomware developers have made over 12 000$ already from ransom payments.

November 22nd came with more news about the Aurora variants. Previously, various security experts have discovered decryption methods for this virus and the latest version is also still decryptable. However, people still are paying and according to the wallet address, this virus uses since the start of attacks cybercriminals made over 12 000$, based on the Bitcoin price at the time of writing.

This version is also called Zorro ransomware and actively distributes all over the world but analyzed script shows that anyone located in Russia is not in the target. The ransomware will connect to a Command and Control server to receive data and encryption key, the minute it is installed on the device. It will then connect to see what country the victim is from based on their IP address.

Currently, the encoded files get .aurora marker still and receive the ransom note on a desktop wallpaper in %UserProfile%wall.i that is a jpg file. Ransom messages also come in !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt text files.

If you got affected by Aurora/Zorro ransomware contact the researchers[3] for the decryption key.

Innocent-looking emails might carry ransomware inside

Spam emails[4] are the primary ransomware distribution tactic which has been used for ages now. Unfortunately, users still lack IT knowledge and keep opening malicious letters which help infiltrate the system with a file-encrypting virus.

Often these infected files have malicious macro commands and users are frequently asked to enable them as soon as they open the MS Office document. This trick is usually successful because people do not think that regular Word file can be malicious.

However, there are a couple of other methods that can be used for spreading file-encrypting malware, for instance:

  • malicious ads;
  • fake software update alerts;
  • trojans;
  • exploit kits;
  • insecure RDPs.

Nowadays it’s vital to follow cyber security tips in order to avoid getting your files locked. Hence, watch your clicks and downloads, and make sure that your computer and programs are up-to-date.

Deleting Aurora virus is essential for your PC's security

Since this file-encrypting virus is able to connect to the C2 server, criminals might install more malicious programs remotely. Likewise, quick Aurora ransomware removal is essential to protect your computer from further infections.

Of course, virus elimination does not bring back your files. Security programs needed for the removal are not designed to decrypt data. Other tools are required to complete this task. However, we want to stress out that a specific decryptor is not released yet.

Once you remove Aurora ransomware with FortectIntego, SpyHunter 5Combo Cleaner, Malwarebytes or your preferred anti-malware tool, you can restore your data from backups or try to retrieve some data using additional methods. If you have problems with the elimination or want to try our suggested recovery options, check the instructions below.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Aurora virus. Follow these steps

Manual removal using Safe Mode

In some cases, ransomware blocks security software in order to remain on the system. However, this guide will help to avoid this problem:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Aurora using System Restore

To get rid of Aurora ransomware with System Restore, use these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Aurora. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Aurora removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Aurora from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Aurora, you can use several methods to restore them:

Try Data Recovery Pro

This tool is created to recover files that are deleted or corrupted. However, it might be helpful after the ransomware attack too:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Aurora ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

Victims, who had System Restore enabled before Aurora ransomware attack, can try to copy individual files by following this guide:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

It's unknown if malware deletes Shadow Volume Copies or not. If they are left on the system, get this tool and recover your data:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The decryptor for Aurora ransomware has already been updated. Try it

If got attacked by Aurora ransomware (newest version), use Emsisoft decryptor to recover after attack.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Aurora and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions