Severity scale:  

Remove Aurora ransomware (Removal Instructions) - updated Jan 2020

removal by Julie Splinters - - | Type: Ransomware

Aurora ransomware – still active ransomware that came back in 2020 with .crypton file extension

Aurora ransomware imageAurora is a ransomware which is designed to encrypt data with RSA-2048 algorithm.

Aurora is a ransomware[1] which is using RSA-2048 algorithm to encrypt essential data. This virus returned in 2020 with a new extension algorithm – .crypton. Unfortunately, the malware has already made a profit from victims by payments for decrypting encrypted data. The encoded information is marked with .animus, .Aurora, .desu, .ONI and .crypton file extension at the end of the file names. Since there are multiple versions of this file-encrypting virus each one of them delivers a different ransom note. The latest variant drops !-GET_MY_FILES-!.txt file, other ones add #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt on the system. Ransom note contains instructions on how to pay the ransom. It will also contain an email address which is currently called and urging to contact the criminals via this email address. Victims are demanded to pay at least $50 for the decryption tool. However, the recent version is demanding $500. Previously, the ransomware was noticed using AZORult virus to increase its distribution rate.

Overview of the cyber threat
Name Aurora
Type Ransomware/cryptovirus/file-encrypting virus
Cryptography RSA-2048 encryption algorithm
Appended extension .animus, .Aurora, .desu, .ONI. The newest is .crypton
Ransom notes
    • !-GET_MY_FILES-!.txt
    • #RECOVERY-PC#.txt
    • @_RESTORE-FILES_@.txt
    • @_HOW_TO_PAY_THE_RANSOM_@.txt
    • @_HOW_TO_DECRYPT_FILES_@.txt
Contact email addresses
Size of the ransom $50; $100; $200; The latest variant is asking $500
Distribution Malicious email attachments, malvertising, fake downloads/updates

To remove Aurora ransomware, install reputable anti-spyware. To get rid of virus damage, use Reimage Reimage Cleaner Intego. Note that it doesn't decrypt encrypted files. For that, use the updated Emsisoft decryptor.

Aurora ransomware is targeting English-speaking users. This means that the virus spreads around the world quickly via malicious spam emails or other popular distribution strategies. Typically, the executable of the virus is dropped when a user opens an obfuscated attachment in the letter. Immediately, it starts data encryption procedure and leaves the following ransom notes depending on the version of the crypto-malware:

  • !-GET_MY_FILES-!.txt
  • #RECOVERY-PC#.txt
  • @_RESTORE-FILES_@.txt

The primary goal of the authors of Aurora ransomware virus is to threaten users and make them pay the ransom in exchange for the decryption software. Criminals claim that users should not use other tools as they might permanently damage the data. However, experts say that there are no guarantees that the attackers themselves have the virus decryptor and are willing to send it after the payment.

Aurora ransomware illustration

Furthermore, hackers specify not to contact any data recovery companies as they will inform the criminals and increase the price of Aurora decryptor. Although, we can assure you that such claims are merely a trick to intimidate desperate computer users as none of the reputable firms would engage in this illegal activity. 

Here is one of the ransom notes used by Aurora virus:

We STRONGLY RECOMMEND you NOT to use any “decryption tools”. 
These tools can damage your data, making recover IMPOSSIBLE. 
Also, we recommend you not to contact data recovery companies. 
They will contact us, buy the key and sell it to you at a higher price. 
If you want to decrypt your files, you have to get RSA private key. 

=== # aurora ransomware # ===
Aurora ransomware

SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
And pay 500 $ on 3CwxawqJpM4RBNididvHf8LhFA2VfLsRjM wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
=== # aurora ransomware # ===

However, it’s unknown if authors of the .Aurora file extension virus are capable of providing a decryption service. Hence, you might lose the money. Also, they can blackmail you after the payment and ask for more money; otherwise, they might leak or delete encrypted files.

Researchers from[2] also note that many victims are left alone after hackers receive the money. For these reasons, you should not deal with cybercriminals. Focus on the most important part after the attack — Aurora ransomware removal.

Aurora ransomware virus pictureAurora is crypto-malware which claims that none of the data recovery firms can help victims get back the access to their documents.

This task has to be completed with reputable anti-malware software. Crypto-viruses are complicated and hazardous cyber threats, so they cannot be appropriately eliminated without the damage. If you need a professional tool to remove Aurora ransomware virus from the computer, choose reputable anti-virus and then run Reimage Reimage Cleaner Intego to fix damaged files and similar components of your computer system. To decrypt encrypted files, use backups or try the most known ransomware decrypters, e.g. Emsisoft Decryptor for Aurora.

Previous evolution of Aurora virus

The initial version of Aurora/OneKeyLocker Ransomware used HOW_TO_DECRYPT_YOUR_FILES.txt ransom note and demanded their victims to pay around $500 for the decryption tool. Criminals indicated email address for contact purposes. 

However, on the 1st of June 2018 cybersecurity researchers have discovered a new variant of Aurora virus which now uses C2 servers (a.k.a. Command-and-Control C&C). In other terms, the ransomware can is controlled remotely by the criminals. Thus, this version is exceptionally dangerous as it might be set to install more malicious programs on your system.

Aurora ransomware variantAurora ransomware has multiple versions and one of them uses C2 server.

Soon after attackers upgraded the name of the ransom note to #RECOVERY-PC#.txt and changed the email address — The ransom-demanding messaged indicated that victims now must pay $200 for the decryption software. 

It was evident that criminals won't stop updating Aurora ransomware. So, later experts found the new ransom note, called !-GET_MY_FILES-!.txt. According to the victims, attackers demanded to pay $50 and asked to write them via email address. 

Even though the amount of the ransom kept decreasing, we strongly advise you not to contact the hackers. Files encrypted by Aurora virus can be recovered with professional tools. Thus, you don't need to finance criminals' malicious activity by making the transactions. Check the data recovery instructions at the end of this article.

  Zorro/Aurora ransomwareAurora ransomware developers have made over 12 000$ already from ransom payments.

November 22nd came with more news about the Aurora variants. Previously, various security experts have discovered decryption methods for this virus and the latest version is also still decryptable. However, people still are paying and according to the wallet address, this virus uses since the start of attacks cybercriminals made over 12 000$, based on the Bitcoin price at the time of writing.

This version is also called Zorro ransomware and actively distributes all over the world but analyzed script shows that anyone located in Russia is not in the target. The ransomware will connect to a Command and Control server to receive data and encryption key, the minute it is installed on the device. It will then connect to see what country the victim is from based on their IP address.

Currently, the encoded files get .aurora marker still and receive the ransom note on a desktop wallpaper in %UserProfile%wall.i that is a jpg file. Ransom messages also come in !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt text files.

If you got affected by Aurora/Zorro ransomware contact the researchers[3] for the decryption key. 

Innocent-looking emails might carry ransomware inside

Spam emails[4] are the primary ransomware distribution tactic which has been used for ages now. Unfortunately, users still lack IT knowledge and keep opening malicious letters which help infiltrate the system with a file-encrypting virus.

Often these infected files have malicious macro commands and users are frequently asked to enable them as soon as they open the MS Office document. This trick is usually successful because people do not think that regular Word file can be malicious.

However, there are a couple of other methods that can be used for spreading file-encrypting malware, for instance:

  • malicious ads;
  • fake software update alerts;
  • trojans;
  • exploit kits;
  • insecure RDPs.

Nowadays it’s vital to follow cyber security tips in order to avoid getting your files locked. Hence, watch your clicks and downloads, and make sure that your computer and programs are up-to-date.

Deleting Aurora virus is essential for your PC's security

Since this file-encrypting virus is able to connect to the C2 server, criminals might install more malicious programs remotely. Likewise, quick Aurora ransomware removal is essential to protect your computer from further infections.

Of course, virus elimination does not bring back your files. Security programs needed for the removal are not designed to decrypt data. Other tools are required to complete this task. However, we want to stress out that a specific decryptor is not released yet.

Once you remove Aurora ransomware with Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner, Malwarebytes or your preferred anti-malware tool, you can restore your data from backups or try to retrieve some data using additional methods. If you have problems with the elimination or want to try our suggested recovery options, check the instructions below. 

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Aurora virus, follow these steps:

Remove Aurora using Safe Mode with Networking

In some cases, ransomware blocks security software in order to remain on the system. However, this guide will help to avoid this problem:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Aurora

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Aurora removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Aurora using System Restore

To get rid of Aurora ransomware with System Restore, use these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Aurora. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Aurora removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Aurora from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Aurora, you can use several methods to restore them:

Try Data Recovery Pro

This tool is created to recover files that are deleted or corrupted. However, it might be helpful after the ransomware attack too:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Aurora ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

Victims, who had System Restore enabled before Aurora ransomware attack, can try to copy individual files by following this guide:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

It's unknown if malware deletes Shadow Volume Copies or not. If they are left on the system, get this tool and recover your data:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The decryptor for Aurora ransomware has already been updated. Try it

If got attacked by Aurora ransomware (newest version), use Emsisoft decryptor to recover after attack.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Aurora and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Your opinion regarding Aurora ransomware