Did Aurora Ransomware infect you? You can decrypt file for free

Pierluigi Paganini January 05, 2019

Victims of the Aurora Ransomware could use a decryptor tool developed by the popular malware researcher Michael Gillespie to decrypt their data for free.

Good news for the victims of the Aurora Ransomware, there are many variants of this Windows malware but most of the victims have been infected by the version that appends the .Nano extension to the encrypted files.

Attackers infect systems through Remote Desktop Services accesses, once files are encrypted the ransomware will create on the Windows desktop and in various folders on the computer a ransom note.

Now the popular malware researcher Michael Gillespie has developed a decryptor that allows the victims to decrypt their files for free.

The decryptor supports the variants that append the following extensions to the encrypted files:


To decrypt files encrypted by the Aurora ransomware, victims need to download and execute the Aurora Decryptor.

Aurora Ransomware

To start brute-force attack and retrieve the encryption key the victim have to provide two encrypted files of the following file types:

.png, .gif, .pdf, .docx, .xlsx, .pptx, .doc, .xls, .ppt, .vsd, .psd, .mp3, .wmv, .zip, .rar, .pst, .rtf, .mdb, .ico, .lnk, .fdb, .jar, and .idx

Once selected the two encrypted files the victims can start the Bruteforcer, the process could be time-consuming, but don’t worry.

The process will end with the discovery of the decryption key, closing the
BruteForcer the key will be automatically loaded into the decryptor.

Now the users can choose to decrypt a directory by selecting it or to decrypt an entire drive by selecting the drive letter.

“When it has finished, the decryptor will display a summary of the amount of files that have been decrypted. If some of the files were skipped it may be due to permissions to the files.reported Bleeping Computer that described the entire procedure step by step.

Note that the original encrypted files will remain on victim’s computer until he will confirm that they have been properly decrypted.

“you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.” suggests Lawrence Abrams.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Aurora Ransomware, malware)

[adrotate banner=”5″] [adrotate banner=”13″]

you might also like

leave a comment