Ransomware

By GoldSparrow in Ransomware

The Ransomware is an encryption ransomware Trojan that is a variant of Aurora, an encryption ransomware Trojan first observed in May 2018. The Ransomware was first observed in June 2018 and seems to be part of attacks on small business networks and individual computer users. The Ransomware seems to be delivered to victims through corrupted spam email messages, often in the form of suspicious email attachments containing embedded macro scripts that download and install the Ransomware onto the victim's computer. The Ransomware also has been observed to be delivered by compromising unprotected Remote Desktop access points and open ports.

How the Ransomware Attacks Your Files

Once the Ransomware is installed on the victim's computer, it scans the affected computer in search of files to encrypt. The Ransomware targets user-generated files, which may include numerous media files, databases and document types. The Ransomware and similar threats may focus on the following file types:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The Ransomware marks the files it compromises with the file extension '.aurora,' which it adds to the file's name. This is a clear reference to the Ransomware's precursor.

The Ransomware's Ransom Note

After encrypting the files, the Ransomware delivers a ransom note in the form of a text file named '!-GET_MY_FILES-!.txt.' The ransom note demands a payment of 50 USD in Bitcoin (0.0085 BTC at the current exchange rate). The following is the full ransom message that has been linked to the Ransomware attack:

'SORRY! Your files are encrypted.
File contents are encrypted with random key.
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
And send me your id, your id:
-[random characters]
And pay 50$ on 1DVrBzv6hb1D217NNqbjaForF3eG3HXc7a wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.'

Our PC security researchers have not observed any payments delivered to the Bitcoin wallet address used by the Ransomware.
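The two file-system indicators quoted above, the appended '.aurora' extension and the '!-GET_MY_FILES-!.txt' note, are enough to triage an affected machine. The following script is an added example, not code from the original article: it walks a directory tree, lists encrypted files and ransom notes, and tallies which original file types were hit; the sample tree it scans is constructed in the script itself.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators quoted on this page: the appended extension and the note file name.
AURORA_EXT = ".aurora"
RANSOM_NOTE = "!-GET_MY_FILES-!.txt"


def triage_directory(root):
    """Walk `root` and collect Aurora-style indicators.

    Returns a dict with the encrypted file paths, the ransom note paths, and a
    Counter of the extension each file had before '.aurora' was appended.
    """
    encrypted, notes = [], []
    original_ext = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(AURORA_EXT):
                encrypted.append(path)
                # 'report.docx.aurora' -> original extension '.docx'
                stem = name[: -len(AURORA_EXT)]
                original_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "original_ext": original_ext}


def build_sample_tree(base):
    """Create a constructed sample tree (placeholder bytes, not real malware output)."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("budget.xlsx.aurora", "report.docx.aurora", "photo.jpg.aurora"):
        (docs / name).write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    (docs / RANSOM_NOTE).write_text("SORRY! Your files are encrypted.\n")
    (Path(base) / RANSOM_NOTE).write_text("SORRY! Your files are encrypted.\n")
    return base


def run_sample():
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_directory(build_sample_tree(tmp))


if __name__ == "__main__":
    result = run_sample()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for ext, count in result["original_ext"].most_common():
        print(f"  {ext}: {count}")
```

On a live system, point `triage_directory` at user profile and share roots; the per-extension tally shows whether the hit set matches the targeted types listed above.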

Recovering from a Ransomware Attack

Unfortunately, once the Ransomware encrypts a file, it cannot be recovered without the decryption key. Computer users should back up their data to ensure that it can be restored after an attack; backups stored on external media that are not left connected are very effective at counteracting these attacks. It is also crucial to have a security program that is fully up-to-date, which can help computer users prevent the Ransomware from being installed and remove the Ransomware infection itself after an attack.
