Ransomware Research

Aurora Ransomware

Aurora is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on May 1, 2018, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: OneKeyLocker.

Quick facts

Ransomware Family
Aurora
First Seen
May 1, 2018
Known Aliases
OneKeyLocker

How Aurora ransomware works

File encryption patterns

Aurora modifies encrypted files using specific patterns to mark them as encrypted:

Extensions added after encryption
.Aurora.Nano.cryptoid.peekaboo.isolated.infected.locked.veracrypt.returndata.masked.crypton

Ransom note and payment demands

After encrypting files, Aurora displays ransom notes demanding payment for file recovery:

file#RECOVERY-PC#.txt
notes/#RECOVERY-PC#.txt
file#RECOVERY_FILES#.txt
notes/#RECOVERY_FILES#.txt
Location: EveryFolder
fileCRYPTOID_BLOCKED.txt
notes/CRYPTOID_BLOCKED.txt
Location: EveryFolder
file@@_READ_ME_@@.txt
notes/@@_TAKE_A_LOOK_@@.txt
Location: EveryFolder
file@@_TAKE_A_LOOK_@@.txt 
notes/@@_TAKE_A_LOOK_@@.txt
Location: EveryFolder
file@@_HELPER_@@.txt
notes/@@_TAKE_A_LOOK_@@.txt
Location: EveryFolder
file@@_FILES_ARE_ENCRYPTED_@@.txt
notes/@@_FILES_ARE_ENCRYPTED_@@.txt
Location: EveryFolder
file@@_HOW_TO_RETURN_DATA_@@.txt
notes/@@_HOW_TO_RETURN_DATA_@@.txt
Location: EveryFolder
file@@_RECOVERY_INSTRUCTIONS_@@.txt
notes/@@_RECOVERY_INSTRUCTIONS_@@.txt
Location: EveryFolder
file#DECRYPT_MY_FILES#.txt
notes/#DECRYPT_MY_FILES#.txt
Location: EveryFolder
file@@_ATTENTION_@@.txt
notes/@@_ATTENTION_@@.txt
Location: EveryFolder
file@@_README_@@.txt
notes/@@_README_@@.txt
Location: EveryFolder
file@@_RECOVERY_@@.txt
notes/@@_RECOVERY_@@.txt
Location: EveryFolder
file@_FILES_WERE_ENCRYPTED_@.TXT
notes/@_FILES_WERE_ENCRYPTED_@.TXT
file@@_OpenTheBrowserTOR_@@.html
notes/@@_OpenTheBrowserTOR_@@.html
Location: EveryFolder
file@@_Открыть_В_Браузере_TOR_@@.html
notes/@@_Открыть_В_Браузере_TOR_@@.html
Location: EveryFolder
file@_FILES_WERE ENCRYPTED_@.TXT
notes/@_FILES_WERE ENCRYPTED_@.TXT
Location: EveryFolder
file@_HOW_TO_DECRYPT_FILES_@.TXT
notes/@_FILES_WERE ENCRYPTED_@.TXT
Location: EveryFolder
file@_HOW_TO_PAY_THE_RANSOM_@.TXT
notes/@_FILES_WERE ENCRYPTED_@.TXT
Location: EveryFolder

Technical indicators

Associated executable files

The following executable files are associated with Aurora ransomware:

About this analysis

This Aurora ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery, helping organizations defend against and recover from ransomware attacks like Aurora.

Last updated: December 30, 2025

Detection coverage

Elastio detects Aurora inside your data and backups.

The Hunt Engine uses Deep File Inspection to identify Aurora across live data, replicated data, and backups. If this family is in your environment, Elastio finds it before encryption completes. Run a scan against your recovery points to confirm.

See How the Hunt Engine WorksRequest a Demo

Recent ransomware

Explore other threats in our database

Wxlongda2025VeilCrypt2025TitanLabooboo2025SolidBit2022SnapHackLocker2024PySystemUpdate2025PySimCrypt2025Monkey2025Lol2025HWID2025
View all ransomware →