Severity scale:  
  (98/100)

Aurora ransomware. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

Aurora ransomware is a cryptovirus that came back in November 2018 with a new but still decryptable version

Aurora ransomware image
Aurora is a ransomware which is designed to encrypt data with RSA-2048 algorithm.

Aurora is a ransomware[1] which uses RSA-2048 algorithm to encrypt essential data. This virus is a ransom-demanding malware that already made a profit from victim's payments. However, the most recent versions can be decrypted. The encoded information is marked with .animus, .Aurora, .desu, and .ONI file extension at the end of the file names. Since there are multiple versions of this file-encrypting virus each one of them delivers a different ransom note. The latest variant drops !-GET_MY_FILES-!.txt file, other ones add #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt on the system. Ransom note contains instructions on how to pay the ransom. It will also contain an email address, which is currently oktropys@protonmail.com and urges to contact the criminals via this email address. Victims are demanded to pay at least $50 for the decryption tool. But you can contact Michael Gillespie and get your files decrypted. Previously, the ransomware was noticed using AZORult virus to increase its distribution rate.

Overview of the cyber threat
Name Aurora
Type Ransomware
Cryptography RSA-2048
Appended extension .animus, .Aurora, .desu, and .ONI
Ransom notes

HOW_TO_DECRYPT_YOUR_FILES.txt; !-GET_MY_FILES-!.txt; #RECOVERY-PC#.txt; @_RESTORE-FILES_@.txt

Contact email addresses
  • anonimus.mr@yahoo.com; 
  • oktropys@protonmail.com; 
  • big.fish@vfemail.net
Size of the ransom $50; $100; $200; $500
Distribution Malicious email attachments, malvertising, fake downloads/updates

To uninstall Aurora virus, install Reimage and run a full system scan

Aurora ransomware targets English-speaking users. This means that the virus spreads around the world quickly via malicious spam emails or other popular distribution strategies. Typically, the executable of the virus is dropped when a user opens an obfuscated attachment in the letter. Immediately, it starts data encryption procedure and leaves the following ransom notes depending on the version of the crypto-malware:

  • HOW_TO_DECRYPT_YOUR_FILES.txt;
  • HOW_TO_DECRYPT_YOUR_FILES2.txt;
  • HOW_TO_DECRYPT_YOUR_FILES3.txt;
  • HOW_TO_DECRYPT_YOUR_FILES4.txt;
  • HOW_TO_DECRYPT_YOUR_FILES5.txt;
  • HOW_TO_DECRYPT_YOUR_FILES6.txt;
  • !-GET_MY_FILES-!.txt;
  • #RECOVERY-PC#.txt.

The primary goal of the authors of Aurora ransomware virus is to threaten users and make them pay the ransom in exchange for the decryption software. Criminals claim that users should not use other tools as they might permanently damage the data. However, experts say that there are no guarantees that the attackers themselves have the virus decryptor and are willing to send it after the payment.

Aurora ransomware illustration
The criminals behind Aurora virus can demand to pay up to $500 for the decryption software.

Furthermore, hackers specify not to contact any data recovery companies as they will inform the criminals and increase the price of Aurora decryptor. Although, we can assure you that such claims are merely a trick to intimidate desperate computer users as none of the reputable firms would engage in this illegal activity. 

Here is one of the ransom notes used by Aurora virus:

We STRONGLY RECOMMEND you NOT to use any “decryption tools”. 
These tools can damage your data, making recover IMPOSSIBLE. 
Also, we recommend you not to contact data recovery companies. 
They will contact us, buy the key and sell it to you at a higher price. 
If you want to decrypt your files, you have to get RSA private key. 

However, it’s unknown if authors of the .Aurora file extension virus are capable of providing a decryption service. Hence, you might lose the money. Also, they can blackmail you after the payment and ask for more money; otherwise, they might leak or delete encrypted files.

Researchers from NoVirus.uk[2] also note that many victims are left alone after hackers receive the money. For these reasons, you should not deal with cybercriminals. Focus on the most important part after the attack — Aurora ransomware removal.

This task has to be completed with reputable anti-malware software. Crypto-viruses are complicated and hazardous cyber threats, so they cannot be appropriately eliminated without the damage. If you need a professional tool to remove Aurora ransomware virus from the computer, choose Reimage.

The evolution of Aurora virus

The initial version of Aurora/OneKeyLocker Ransomware used HOW_TO_DECRYPT_YOUR_FILES.txt ransom note and demanded their victims to pay around $500 for the decryption tool. Criminals indicated anonimus.mr@yahoo.com email address for contact purposes. 

However, on the 1st of June 2018 cybersecurity researchers have discovered a new variant of Aurora virus which now uses C2 servers (a.k.a. Command-and-Control C&C). In other terms, the ransomware can is controlled remotely by the criminals. Thus, this version is exceptionally dangerous as it might be set to install more malicious programs on your system.

Aurora ransomware variant
Aurora ransomware has multiple versions and one of them uses C2 server.

Soon after attackers upgraded the name of the ransom note to #RECOVERY-PC#.txt and changed the email address — big.fish@vfemail.net. The ransom-demanding messaged indicated that victims now must pay $200 for the decryption software. 

It was evident that criminals won't stop updating Aurora ransomware. So, later experts found the new ransom note, called !-GET_MY_FILES-!.txt. According to the victims, attackers demanded to pay $50 and asked to write them via oktropys@protonmail.com email address. 

Even though the amount of the ransom kept decreasing, we strongly advise you not to contact the hackers. Files encrypted by Aurora virus can be recovered with professional tools. Thus, you don't need to finance criminals' malicious activity by making the transactions. Check the data recovery instructions at the end of this article.

  Zorro/Aurora ransomware
Aurora ransomware developers have made over 12 000$ already from ransom payments.

November 22nd came with more news about the Aurora variants. Previously, various security experts have discovered decryption methods for this virus and the latest version is also still decryptable. However, people still are paying and according to the wallet address, this virus uses since the start of attacks cybercriminals made over 12 000$, based on the Bitcoin price at the time of writing.

This version is also called Zorro ransomware and actively distributes all over the world but analyzed script shows that anyone located in Russia is not in the target. The ransomware will connect to a Command and Control server to receive data and encryption key, the minute it is installed on the device. It will then connect to http://www.geoplugin.net/php.gp see what country the victim is from based on their IP address.

Currently, the encoded files get .aurora marker still and receive the ransom note on a desktop wallpaper in %UserProfile%wall.i that is a jpg file. Ransom messages also come in !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt text files.

If you got affected by Aurora/Zorro ransomware contact the researchers[3] for the decryption key. 

Innocent-looking emails might carry ransomware inside

Spam emails[4] are the primary ransomware distribution tactic which has been used for ages now. Unfortunately, users still lack IT knowledge and keep opening malicious letters which help infiltrate the system with a file-encrypting virus.

Often these infected files have malicious macro commands and users are frequently asked to enable them as soon as they open the MS Office document. This trick is usually successful because people do not think that regular Word file can be malicious.

However, there are a couple of other methods that can be used for spreading file-encrypting malware, for instance:

  • malicious ads;
  • fake software update alerts;
  • trojans;
  • exploit kits;
  • insecure RDPs.

Nowadays it’s vital to follow cyber security tips in order to avoid getting your files locked. Hence, watch your clicks and downloads, and make sure that your computer and programs are up-to-date.

Deleting Aurora virus is essential for your PC's security

Since this file-encrypting virus is able to connect to the C2 server, criminals might install more malicious programs remotely. Likewise, quick Aurora ransomware removal is essential to protect your computer from further infections.

Of course, virus elimination does not bring back your files. Security programs needed for the removal are not designed to decrypt data. Other tools are required to complete this task. However, we want to stress out that a specific decryptor is not released yet.

Once you remove Aurora ransomware with Reimage, Malwarebytes MalwarebytesCombo Cleaner, Plumbytes Anti-MalwareMalwarebytes Malwarebytes or your preferred anti-malware tool, you can restore your data from backups or try to retrieve some data using additional methods. If you have problems with the elimination or want to try our suggested recovery options, check the instructions below. 

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Aurora virus, follow these steps:

Remove Aurora using Safe Mode with Networking

In some cases, ransomware blocks security software in order to remain on the system. However, this guide will help to avoid this problem:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Aurora

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Aurora removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Aurora using System Restore

To get rid of Aurora ransomware with System Restore, use these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Aurora. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Aurora removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Aurora from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Aurora, you can use several methods to restore them:

Try Data Recovery Pro

This tool is created to recover files that are deleted or corrupted. However, it might be helpful after the ransomware attack too:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Aurora ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

Victims, who had System Restore enabled before Aurora ransomware attack, can try to copy individual files by following this guide:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

It's unknown if malware deletes Shadow Volume Copies or not. If they are left on the system, get this tool and recover your data:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The decryptor for Aurora ransomware is not released yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Aurora and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References