What is Aurora Ransomware
Aurora Ransomware (sometimes called OneKeyLocker Ransomware) is a new crypto-virus that has been circulating on the web since the end of May 2018. The virus mostly targets Western countries; however, some versions were spread in Turkey. It uses the DES algorithm to encrypt files and adds the .aurora extension, from which it got its name. Since then, the malware has had multiple updates and modifications. The ransomware now also adds the following extensions: .nano, .cryptoid, .peekaboo and .isolated. After encryption, the ransomware creates text files (their names depend on the version) containing a ransom note with contact information and instructions:
HOW_TO_DECRYPT_YOUR_FILES.txt, #RECOVERY-PC#.txt, !-GET_MY_FILES-!.txt, _RECOVERY_FILES_.txt, #RECOVERY_FILES#.txt, CRYPTOID_BLOCKED.txt, CRYPTOID_MESSAGE.txt, CRYPTOID_HELP.txt, @@_BENI_OKU_@@.txt, @@_DIKKAT_@@.txt, @@_SILINEN_VERILER_@@.txt, @@_HELPER_@@.txt, @@_READ_ME_@@.txt, @@_TAKE_A_LOOK_@@.txt
The initial version used the anonimus.mr@yahoo.com e-mail address for communication; recent versions switched to the following e-mail addresses:
big.fish@vfemail.net, oktropys@protonmail.com, Nano18@airmail.cc, IamBaronSaturday@gmail.com, rickastley@keemail.me, krkcdkkn@gmail.com, perdrolan@cock.li, testodin@cock.li
Here are the contents of ransom note files:
==========================# aurora ransomware #==========================
SORRY! Your files are encrypted.
File contents are encrypted with random key.
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
big.fish@vfemail.net
And send me your id, your id:
***
And pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
==========================# aurora ransomware #==========================
$$$$$$$$$$$$$$$$$$$$$$$$> PEEKABOO <$$$$$$$$$$$$$$$$$$$$$$$$
SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
In order to get private key, write here:
perdrolan@cock.li
===========
!ATTENTION!
Attach file is 000000000.key from %appdata% to email message, without it we will not be able to decrypt your files
===========
And pay $300 on BTC-wallet: 1NkjBNF7fmpRsX4WjokUie21m8bv9xvRKs
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
$$$$$$$$$$$$$$$$$$$$$$$$> PEEKABOO <$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$> CRYPTO LOCKER <$$$$$$$$$$$$$$$$$
SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If someone else offers you files restoring, ask him for one file decryption.
If you decide to decrypt files, for a have to get RSA private key.
To get the RSA key, follow these steps in order:
Pay of the ransom cost:
1. $100 in the first 24 hours, $200 before and after 48 hours.
Pay the stated amount to this BTC-purse:
>>> 19byE1fxToZXcmfXixFZmRy9E9i1QFYmLv <<<
2. Write on the testodin@cock.li, specifying a link to the BTC-transaction in the message.
===========
!ATTENTION!
Attach file is 000000000.key from %appdata% to email message, without it we will not be able to decrypt your files.
===========
In the reply letter you will receive a unique decoder and instructions on what to do next.
Only we can successfully decrypt your files.
You will receive instructions of what to do next.
We guarantee you file recovery if you do it right.
$$$$$$$$$$$$$$$$$> CRYPTO LOCKER <$$$$$$$$$$$$$$$$$
Usually, viruses of this type ask for $100 - $500 in Bitcoin. At the moment, there is a public decryption tool available called Emsisoft Decrypter for Aurora. It is able to decrypt files encrypted by all versions of this virus. If it is unable to recover the data, full recovery is only possible with the help of backups. You can keep your encrypted files until a working decryptor is created. Some data can possibly be restored using the instructions on this page. This tutorial was written to help users remove Aurora Ransomware and decrypt .aurora, .cryptoid, .peekaboo or .isolated files in Windows 10, Windows 8 or Windows 7.
How Aurora Ransomware infected your PC
Aurora Ransomware spreads via infected websites: JSCoinminer is detected on these sites, and a web attack is conducted against visitors' computers. It can also be distributed by hacking through an unprotected RDP configuration, or through email spam and malicious attachments, fraudulent downloads, exploits, web injections, fake updates, and repackaged or infected installers. The virus assigns an ID to each victim, which is used to name those files and supposedly to send the decryption key. To prevent infection by this type of threat in the future, we recommend using SpyHunter 5 or Norton Antivirus.
Download Aurora Ransomware Removal Tool
To remove Aurora Ransomware completely, we recommend using SpyHunter 5. It detects and removes all files, folders and registry keys of Aurora Ransomware.
How to remove Aurora Ransomware manually
Removing Aurora Ransomware manually is not recommended; for a safer solution, use removal tools instead.
Aurora Ransomware files:
White.exe (WhiteRose.exe)
HOW_TO_DECRYPT_YOUR_FILES.txt
HOW_TO_DECRYPT_YOUR_FILES2.txt
HOW_TO_DECRYPT_YOUR_FILES3.txt
HOW_TO_DECRYPT_YOUR_FILES4.txt
HOW_TO_DECRYPT_YOUR_FILES5.txt
HOW_TO_DECRYPT_YOUR_FILES6.txt
List.exe
hack.exe
java.exe
regedit.exe
Aurora Ransomware registry keys:
no information
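To see which folders were hit before running a decryptor or restoring from backup, the extensions and ransom-note names listed on this page can be swept for with a short read-only script. This is an added example, not part of the original guide or of any vendor tool; the function names are illustrative, and defaulting the scan root to the user's home directory is an assumption.

```python
import os, sys
from collections import Counter

# Indicators copied from this page; compared case-insensitively.
ENCRYPTED_EXTS = {".aurora", ".nano", ".cryptoid", ".peekaboo", ".isolated"}
NOTE_NAMES = {n.lower() for n in (
    "#RECOVERY-PC#.txt", "!-GET_MY_FILES-!.txt", "_RECOVERY_FILES_.txt", "#RECOVERY_FILES#.txt",
    "CRYPTOID_BLOCKED.txt", "CRYPTOID_MESSAGE.txt", "CRYPTOID_HELP.txt", "@@_BENI_OKU_@@.txt",
    "@@_DIKKAT_@@.txt", "@@_SILINEN_VERILER_@@.txt", "@@_HELPER_@@.txt", "@@_READ_ME_@@.txt",
    "@@_TAKE_A_LOOK_@@.txt")}
NOTE_PREFIX = "how_to_decrypt_your_files"  # also covers the numbered ...2.txt to ...6.txt
KEY_FILE = "000000000.key"                 # the ransom notes place it in %appdata%
# The executable names on this page are deliberately not matched by name:
# java.exe and regedit.exe are also the names of legitimate programs.

def classify(filename):
    """Return 'note', 'key', 'encrypted' or None for a bare file name."""
    name = filename.lower()
    if name in NOTE_NAMES or (name.startswith(NOTE_PREFIX) and name.endswith(".txt")):
        return "note"
    if name == KEY_FILE:
        return "key"
    if os.path.splitext(name)[1] in ENCRYPTED_EXTS:
        return "encrypted"
    return None

def sweep(root):
    """Walk root read-only and return {directory: Counter of hit kinds}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):  # unreadable directories are skipped
        for f in files:
            kind = classify(f)
            if kind:
                hits.setdefault(dirpath, Counter())[kind] += 1
    return hits

def summarize(hits):
    """Totals per kind, plus directories ordered by encrypted-file count."""
    totals = sum(hits.values(), Counter())
    worst = sorted(hits, key=lambda d: hits[d]["encrypted"], reverse=True)
    return totals, worst

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    hits = sweep(root)
    totals, worst = summarize(hits)
    print("totals:", dict(totals))
    for d in worst[:20]:  # the twenty most affected directories
        print(d, dict(hits[d]))
```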
How to decrypt and restore .aurora, .cryptoid, .peekaboo or .isolated files
Use automated decryptors
Use the following tool from Emsisoft, called Emsisoft Decrypter for Aurora, which can decrypt .aurora, .cryptoid, .peekaboo or .isolated files. Download it here:
Read the following guide on how to use this tool to decrypt your data properly: How to use the Emsisoft Decrypter for Aurora.
There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.
If you are infected with Aurora Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Data Recovery Professional to restore .aurora, .cryptoid, .peekaboo or .isolated files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- If there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- If there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect your computer from viruses like Aurora Ransomware in the future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
The well-known antivirus brand ZoneAlarm by Check Point released a comprehensive tool that provides active anti-ransomware protection as an additional shield on top of your current protection. The tool provides zero-day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (which already ships with ZoneAlarm Anti-Ransomware) and Check Point Endpoint products. The key features of this application are automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.
2. Back up your files
Regardless of how well your protection against ransomware works, you can save your files using a simple online backup. Cloud services are quite fast and cheap nowadays. Online backup makes more sense than physical drives, which can get infected and encrypted when connected to the PC, or damaged by being dropped or hit. Windows 10 and 8/8.1 users can find the pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to back up and sync your most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.