What is Aurora Virus Ransomware?

 

It is a ransomware that sneaks into your computer system and encrypts most of the important data over your computer. .AURORA virus ransomware uses RSA-2048 which is an asymmetric algorithm. The malware changes the extension of the files from default extensions to ‘.aurora’ or others after which it is impossible for the user to access the files or folders on his system. A .txt (text) file with the name, ‘HOW_TO_DECRYPT_YOUR_FILES.txt’ or ‘!-GET_MY_FILES-!.txt’ on it is created and placed in every folder that the malware encrypts.

 

What do they want?

Like most of the ransomware, this file opens and threatens the victim to pay the designated ransom or else they’ll not be able to access the information any more. The developers of this ransomware will provide an email that can only be used to make a payment. This payment will let the victims buy a decrypter designed by the developers. Without this decrypter it is impossible to decode the encryption.

 

 

The AURORA virus ransomware uses RSA-2048 algorithm to encrypt the files. This algorithm has an attribute to create two keys one is encryption key (public) and the other one is decryption key (private). File restoration is impossible without the second Key. These keys are stored in a secure server at a private location. Victims must pay a sum of $ 100 using crypto-currency. And, even if the victims pay the ransom they are most likely to be ignored afterwards. This is what a scam is! There are no decryption tools to decode the encryption implemented using RSA-2048 encryption.

 

Threat Summary

 

Name	AURORA virus
Type	Ransomware, crypto-virus
Category	Malware
Targeted operating system	Windows
Extension	.AURORA
Distribution Methods	Spam mails, malicious adware, software bundling, malicious websites

 

Threat Behavior

 

.AURORA uses RSA-2048 algorithm, so, by the moment it enters your computer via spam mails or malicious sites/adware, it encrypts the important files of the entire system and give them different extension other than the extension given by the system such as .txt, .jpg etc. The main attribute of this algorithm is that when once applied it generates two keys; public and private. The second key can only be used to decrypt the locked files.

 

 

The developers of these malwares attach them via bundling to some software. By the moment the user downloads this malicious software, a process runs in background enabling the malware to download itself into the system of the user. Once it gets downloaded into the system of the user, it encrypts most of the files and folders of the user’s system. This encryption can only be decrypted by the keys that the developers promise to provide in exchange of the ransom.

This threat compels the users to pay the ransom in favor of decryption key. There will be a text file created by the developers in each of the encrypted folder. Upon opening this file a message will pop-up on the screen that will let you know about the demands of the cyber criminals. These impacted system folders cannot be decrypted unless a ransom is paid.

It is recommended to the victims not to pay the ransom demanded by the developer as there is a possibility that they might ignore you after the ransom has been paid. This will lead to the loss of your data.

 

New file extensions

The current versions of this ransomware infect the users’ computers and change the file extensions to following names:

 

 

• .Nano
• .animus
• .Aurora
• .desu
• .ONI
• .aurora

If your PC has been infected by the same ransomware, you may employ the removal guide given below and get rid of the AURORA virus ransomware.

 

How your system did got infected by the AURORA virus ransomware?

There are many ways by which this malware can enter your system. You must avoid doing the below in order to stop the malware from entering into your system:

• Spam emails: The emails that contain offers or false prizes have malicious attachments that start downloading the malware into your computer by the moment you open the mail.
• Third party software downloads come bundled with these malware programs and while the user thinks that the software is being downloaded, a process runs in background downloading itself to encrypt the files.
• Fake software updates that display on your screen are the reason behind these ransomware’s infection.
• Peer to peer networks
• Trojans

The fake updates are the easiest gateways for the malware to enter into the system. This update might also create or induce bugs to the software causing it to crash. So you should be aware of these key paths through which the malware enters and infects the system.

How to remove Aurora virus Ransomware?

STEP 1 Start the system in Safe Mode with Networking 

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

If starting in safe mode doesn’t help and the extension on files is still there you need to delete its registry key.

STEP 2 Delete the AURORA virus ransomware from the Registry Key

1. Type “Regedit” in search box / Run Box, select it and press Enter.
2. An authorization dialog box will appear, then you just have to click “Yes”. (The dialog box appearance may vary depending on OS used. For Windows 10 the the dialog box looks like the first screenshot and for windows 7 it appears like the second screenshot)
3. In the registry editor, take the backup of the current registry settings before making any changes in case you want to revert to old settings later. For this, Click on File option in the menu and select Export. Save the entry at a known location.
4. From the Menu, Click Edit and Select Find.
5. Enter .AURORA and click Ok in the search box.
6. Select and delete suspicious  enteries.

After you delete the registry key of .AURORA and the extension is still there! You need to delete the services of .AURORA using Command Prompt.

STEP 3 Delete the services using Command Prompt 

Once the system starts, ensure to use an account with administrative privilege to access Safe Mode with Command Prompt.

After the user enters admin credentials, Command prompt window is displayed wherein you are entitled to enter the below commands:

1. Type the command “sc delete .AURORA” in the command prompt and press Enter.
2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.

 

Even after you’ve deleted the services and extensions don’t go away! The last option now, is to restore your system settings and files to a previous date this will delete the ransomware’s existence from each tech-corner of your system.

STEP 4 Restore your system files and settings

 

 NOTE: Please do keep a backup of your files and folders regularly on either cloud or on an external hard drive. This will help you by making you able to restore your system directly to a previous date.  

 

Tips to prevent your system from getting infected by the virus:

The users should first of all avoid the infection methods and must not interact with unauthentic websites or mails. Secondly the user must follow the steps below to prevent system from getting infected:

• Keep your system updated – Keeping your system updated means keeping your OS (operating system) updated as older versions of OS are easier to attack. Older versions of OS also crash by a little bit of programming.
• Install legitimate anti-virus software – Installing software like Vipre and Hitman Pro will prevent these ransomware from getting infected by the malware. It prevents it from even entering the PC.
• Keep a back-up of the important files on cloud storage or an external hard drive. Keeping a data backup would provide ease at the time your data gets lost during the virus removal process.
• Avoid opening spam mails that have these malware programs bundled within and as soon as you open these spam mails the malware gets downloaded in the background without the user’s consent.
• Avoid downloading third-party software that may also provide a pathway to the ransomware from entering into your system.
• They can also be transferred to your system via external devices that have been used into the PCs that are accessible publically.

Hits: 90