Aurora Ransomware

Aurora, also known as Animus and OneKeyLocker, is ransomware that was first observed at the end of May 2018.

Like other ransomware, Aurora is distributed via malicious spam email attachments. When a user executes Aurora, it encrypts their files and appends either the .Aurora or the .desu extension to them. Files may also be renamed to the hexadecimal code of the original filename.

A text file containing a ransom note demanding payment in Bitcoin is saved to the user’s desktop. At the time of publication, there is no publicly available tool to decrypt affected files.
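The renaming behaviour described above can be used to triage a file listing taken from an affected host. This is an added example, not part of the original advisory: it flags paths carrying either extension and recovers the original name, assuming that hex-renamed files still carry the extension and that the hex digits are the UTF-8 bytes of the name. The function names and sample paths are constructed for illustration.

```python
import string
from pathlib import PureWindowsPath

# Extensions the advisory says Aurora appends (matched case-insensitively).
AURORA_EXTENSIONS = {".aurora", ".desu"}


def decode_hex_name(stem):
    """Decode a hex-encoded file name; return None if stem is not one."""
    if len(stem) % 2 or not stem or not set(stem) <= set(string.hexdigits):
        return None
    try:
        # Assumption: the hex digits are the UTF-8 bytes of the original name.
        name = bytes.fromhex(stem).decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Reject decodes with control or other non-printable characters.
    return name if name.isprintable() else None


def triage(paths):
    """Return one finding per path that carries an Aurora extension."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.suffix.lower() not in AURORA_EXTENSIONS:
            continue
        decoded = decode_hex_name(p.stem)
        findings.append({
            "path": raw,
            "hex_renamed": decoded is not None,
            # Otherwise the original name is what precedes the extension.
            "original_name": decoded or p.stem,
        })
    return findings


# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.Aurora",
    r"C:\Users\alice\Documents\7265706f72742e646f6378.desu",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\deadbeef.AURORA",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A stem such as `deadbeef` is valid hex but not valid UTF-8, so it is reported as an ordinary name rather than a decoded one.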

Indicators of Compromise

File hashes (SHA-256):

  • 41d35a960b3f28b1a729cdae920573de3ccefef7fdd3bbdb9d3ce729b6aa5277

File hashes (MD5):

  • 31d65e315115c823f619a381576984f8
  • 110018a135211a57eaa946b9f2ffc7e9


Domains:

  • lulaaura[.]top

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
