Strange Aurora ransomware


12 replies to this topic

#1 trazimcalvina (Members, 5 posts)

Posted 06 June 2018 - 05:56 PM

Hello,

I was hit by a ransomware identifying itself as Aurora, creating notepad files in several folders and requesting $100 in bitcoin. However, this is not the point of this topic; the strange part, at least to me (not really experienced in ransomware), is that I seem to have succeeded in stopping it, at least temporarily (still early).

 

When I initially noticed that I had triggered some sort of malware, I immediately disconnected from the internet, ran a Malwarebytes scan, deleted about 70 potential threats that it detected and tried a System Restore to a previous date. After restoring, my current situation is that my computer is fully functional. The folders where Aurora notepads were created are few and mostly on my system drive; they did encrypt some files, but these are completely irrelevant minor programs on the system drive. No documents, images or anything of value was encrypted, and after 4 hours the infection does not seem to be spreading.

 

Now my question is: why did this happen, why didn't the ransomware encrypt everything? But most importantly, is there a risk of it progressing and locking more files?

 

I don't have much hope of getting rid of this ransomware and I believe I will have to reinstall Windows, but it would be good if I could save some of my files. For that reason I thought about transferring some important files that are not encrypted to my external hard drive, but thinking this too risky, I transferred them to an empty USB instead; that way, if it turns out that the ransomware moved to the USB, I don't lose anything and it was a good try.

Should I consider trying to back up as many files as I can to the external hard drive, or is there a risk of the ransomware spreading to it after I connect it to the computer?




 


#2 quietman7 (Global Moderator, Bleepin' Janitor, 51,479 posts, Virginia, USA)

Posted 06 June 2018 - 06:34 PM

It is not uncommon for ransomware infections to sometimes fail to encrypt all data, especially if the encryption process was interrupted by the victim or by installed security software.

When you discover that your computer is being infected with ransomware, you should immediately shut it down to prevent it from encrypting any more files. Shutting down the computer should stop any encryption to other drives that were connected at the time of infection. If possible, you should create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed in the future.

Imaging the drive backs up everything related to the infection, including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files and ransom note text files do not contain malicious code, so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers, so keeping a backup of the original encrypted files and related information is a good practice.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Amigo-A (Members, 526 posts)

Posted 07 June 2018 - 01:35 AM

trazimcalvina, when, on what date, did it happen?

The encryption by Aurora Ransomware could have been interrupted for technical reasons, or the code specified very few target files.

It was found that Aurora uses the sites host1xxxxxx.hostland.pro as C&C.
An intermediate provider has been identified that specifically registers domain names from Russian providers, orders hosting and provides services as a Russian supplier.
This creates a fake Russian trace in many cases involving cyber crime.
The evidence was sent to the hoster; the sites on hostland.pro were deleted and the accounts of the attackers were blocked on May 27, 2018. Now the attackers have set up their work through other C&C.

Edited by Amigo-A, 07 June 2018 - 01:37 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#4 trazimcalvina (Topic Starter, Members, 5 posts)

Posted 07 June 2018 - 02:46 AM

@AmigoA

It happened approximately 17 hours ago from this posting.

 

Thank you for your detailed explanation; however, certain things still worry me. Is it common for ransomware to resume spreading to other files in the future, seeing that it is harmless now?

Also, is it safe for me to connect my external hard drive and transfer files that were not affected? I have some important backups on this external hard drive and I fear the ransomware could somehow attack them, even if it seems currently dormant.


Edited by trazimcalvina, 07 June 2018 - 02:46 AM.


#5 Amigo-A (Members, 526 posts)

Posted 07 June 2018 - 06:28 AM

Yes, just in this period of time they reconfigured their ransomware.
---

It will be safer if everything is done under the supervision of modern anti-virus protection with up-to-date anti-virus databases.
Install it, check the entire PC, clean it, and reboot. Then you can connect external drives and flash drives.

I recommend Norton Security or Kaspersky Internet Security.

Edited by Amigo-A, 07 June 2018 - 07:35 AM.



#6 trazimcalvina (Topic Starter, Members, 5 posts)

Posted 07 June 2018 - 06:59 AM

 

Yes, just in this period of time they reconfigured their ransomware.

It will be safer if everything is done under the supervision of modern anti-virus protection with up-to-date anti-virus databases.
Install it, check the entire PC, clean it, and reboot. Then you can connect external drives and flash drives.

I recommend Norton Security or Kaspersky Internet Security.

Sorry, a bit confused by your answer: is that a "yes" to the "is it safe to connect" question, or a "yes" to the "is it common for the ransomware to continue spreading after it has been stopped" question?



#7 Amigo-A (Members, 526 posts)

Posted 07 June 2018 - 07:32 AM

Yes to this:

It happened approximately 17 hours ago from this posting.

:)

Yes, just in this period of time they reconfigured their ransomware.

Probably the attack on your PC was performed after the reconfiguration of Aurora Ransomware.


Edited by Amigo-A, 07 June 2018 - 07:34 AM.



#8 trazimcalvina (Topic Starter, Members, 5 posts)

Posted 07 June 2018 - 07:03 PM

What about the risk for my external hard drive if I were to connect it?



#9 Amigo-A (Members, 526 posts)

Posted 08 June 2018 - 02:17 AM

In my post number 5, I already wrote you a recommendation about when it is safer to use external drives.

Crypto-ransomware is aimed at all kinds of drives, and without real protection the data will be under attack.

It will be safer if everything is done under the supervision of modern anti-virus protection with up-to-date anti-virus databases.
Install it, check the entire PC, clean it, and reboot. Then you can connect external drives and flash drives.
I recommend Norton Security or Kaspersky Internet Security.

 

 


Edited by Amigo-A, 08 June 2018 - 02:18 AM.



#10 quietman7 (Global Moderator, Bleepin' Janitor, 51,479 posts, Virginia, USA)

Posted 08 June 2018 - 05:56 AM

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

#11 eLPuSHeR (Members, 112 posts)

Posted 08 June 2018 - 01:06 PM

I would copy your data from another clean OS. I would not connect any external drive from your current OS to be on the safe side. Try booting a Linux LiveCD or something similar and copy your data from there.
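As an added example, not code from the thread or from any poster: a POSIX shell script that does what quietman7 (#2) and eLPuSHeR (#11) describe, copying data out from a clean live Linux session while keeping the encrypted files and ransom notes as evidence and writing a hash manifest of the copy. The ransom-note name pattern, the encrypted-file extension and the mount arrangement are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a clean live Linux session with
# the infected Windows disk mounted read-only (e.g. mount -o ro,noexec,nosuid) and a
# clean external drive mounted read-write. Nothing from the source disk is executed.

# salvage_tree SRC DEST [NOTE_GLOB] [ENC_EXT]
# Copies SRC into DEST/files, except ransom notes and encrypted files, which go to
# DEST/evidence so they are preserved (for a possible future decryptor) without
# being mixed into the clean data. Then writes a SHA-256 manifest of the copy.
salvage_tree() {
    src=${1%/}; dest=$2
    note_glob=${3:-'*HOW_TO_RECOVER*'}   # assumption: ransom-note file name pattern
    enc_ext=${4:-.locked}                # assumption: extension appended to encrypted files
    mkdir -p "$dest/files" "$dest/evidence"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        case $(basename "$f") in
            $note_glob|*"$enc_ext") sub=evidence ;;
            *)                      sub=files ;;
        esac
        mkdir -p "$dest/$sub/$(dirname "$rel")"
        cp -p "$f" "$dest/$sub/$rel"        # -p keeps timestamps for later triage
    done
    # The manifest lets the copy be re-verified before anything is trusted or restored.
    (cd "$dest" && find files evidence -type f -exec sha256sum {} + > MANIFEST.sha256)
}

# verify_salvage DEST: non-zero exit if any copied file no longer matches the manifest.
verify_salvage() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# count_salvaged DEST SUBDIR: number of files copied into DEST/SUBDIR (files or evidence).
count_salvaged() {
    find "$1/$2" -type f | wc -l | tr -d ' '
}
```

Run `salvage_tree /mnt/infected /mnt/external/salvage` from the live session, then `verify_salvage /mnt/external/salvage` before the external drive is used anywhere else.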



#12 trazimcalvina (Topic Starter, Members, 5 posts)

Posted 08 June 2018 - 02:47 PM

Thank you for your help, I will try the methods you suggested.



#13 quietman7 (Global Moderator, Bleepin' Janitor, 51,479 posts, Virginia, USA)

Posted 08 June 2018 - 05:56 PM


List of Anti-virus vendors that offer free LiveCD/Rescue CD utilities





