Aurora Ransomware

Aurora is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on May 1, 2018, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the alias OneKeyLocker.

Quick Facts

  • Ransomware Family: Aurora
  • First Seen: May 1, 2018
  • Known Aliases: OneKeyLocker

How Aurora Ransomware Works

Targeted Files

  • https://app.any.run/tasks/12e39ec5-9e2c-482d-975a-66848197f592/
  • https://app.any.run/tasks/ee8b6db9-3dd5-4447-991f-de33335cb1a4/
  • https://app.any.run/tasks/1dc0b4c1-d4e0-4d86-83d4-4b354799e68f/
  • https://app.any.run/tasks/10fcf75a-a4db-478e-9dbc-c171f1fcc0b6/
  • https://www.bleepingcomputer.com/forums/t/716603/new-ransomware-returndata-extension/
  • https://app.any.run/tasks/c71e73b2-a990-4028-990b-e225d0d28beb/
  • https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/

Requires C&C -> e8e995787549117aacb30b3d4896c058a8bfc8d0aab312b726d34e6ab85d819d

File Encryption Patterns

Aurora modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

  • .Aurora
  • .Nano
  • .cryptoid
  • .peekaboo
  • .isolated
  • .infected
  • .locked
  • .veracrypt
  • .returndata
  • .masked
  • .crypton

Ransom Note and Payment Demands

After encrypting files, Aurora displays ransom notes demanding payment for file recovery:

  • #RECOVERY-PC#.txt
    Ransom message: notes/#RECOVERY-PC#.txt

  • #RECOVERY_FILES#.txt
    Ransom message: notes/#RECOVERY_FILES#.txt
    Note locations: Every folder

  • CRYPTOID_BLOCKED.txt
    Ransom message: notes/CRYPTOID_BLOCKED.txt
    Note locations: Every folder

  • @@_READ_ME_@@.txt
    Ransom message: notes/@@_TAKE_A_LOOK_@@.txt
    Note locations: Every folder

  • @@_TAKE_A_LOOK_@@.txt
    Ransom message: notes/@@_TAKE_A_LOOK_@@.txt
    Note locations: Every folder

  • @@_HELPER_@@.txt
    Ransom message: notes/@@_TAKE_A_LOOK_@@.txt
    Note locations: Every folder

  • @@_FILES_ARE_ENCRYPTED_@@.txt
    Ransom message: notes/@@_FILES_ARE_ENCRYPTED_@@.txt
    Note locations: Every folder

  • @@_HOW_TO_RETURN_DATA_@@.txt
    Ransom message: notes/@@_HOW_TO_RETURN_DATA_@@.txt
    Note locations: Every folder

  • @@_RECOVERY_INSTRUCTIONS_@@.txt
    Ransom message: notes/@@_RECOVERY_INSTRUCTIONS_@@.txt
    Note locations: Every folder

  • #DECRYPT_MY_FILES#.txt
    Ransom message: notes/#DECRYPT_MY_FILES#.txt
    Note locations: Every folder

  • @@_ATTENTION_@@.txt
    Ransom message: notes/@@_ATTENTION_@@.txt
    Note locations: Every folder

  • @@_README_@@.txt
    Ransom message: notes/@@_README_@@.txt
    Note locations: Every folder

  • @@_RECOVERY_@@.txt
    Ransom message: notes/@@_RECOVERY_@@.txt
    Note locations: Every folder

  • @_FILES_WERE_ENCRYPTED_@.TXT
    Ransom message: notes/@_FILES_WERE_ENCRYPTED_@.TXT

  • @@_OpenTheBrowserTOR_@@.html
    Ransom message: notes/@@_OpenTheBrowserTOR_@@.html
    Note locations: Every folder

  • @@_Открыть_В_Браузере_TOR_@@.html
    Ransom message: notes/@@_Открыть_В_Браузере_TOR_@@.html
    Note locations: Every folder

  • @_FILES_WERE ENCRYPTED_@.TXT
    Ransom message: notes/@_FILES_WERE ENCRYPTED_@.TXT
    Note locations: Every folder

  • @_HOW_TO_DECRYPT_FILES_@.TXT
    Ransom message: notes/@_FILES_WERE ENCRYPTED_@.TXT
    Note locations: Every folder

  • @_HOW_TO_PAY_THE_RANSOM_@.TXT
    Ransom message: notes/@_FILES_WERE ENCRYPTED_@.TXT
    Note locations: Every folder

Technical Indicators

Associated Executable Files

The following executable files are associated with Aurora ransomware:

  • myfile.exe
  • a.exe
  • List.exe
  • RegAsm.exe
  • Sample_5bb53d72b5bce37484b76bd9.exe
  • RegAsm3.exe
  • tree.exe
  • RICKROLL.exe
  • 2.jpg
  • cfe5a746.gxe
  • 6C92EJ6A.exe
  • java.exe
  • pl.exe
  • 2.exe
  • 1.exe
  • QC17GKO3.exe
  • R.exe
  • loker.exe
  • Masked (Aurora)
  • svchost.exe
  • EffectivelyCloneable
  • 01-03_185.222.202.213_33B1F895B3905D4591207565EBFEFEF4_mtx777.exe
  • 945.tmp.exe
  • ljfnub.exe
  • mtx777.exe

About This Analysis

This Aurora ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Aurora.

Last updated: July 30, 2025
