

Aurora / AnimusLocker / DESU Ransomware Support Topic (.aurora, .animus, .desu)


22 replies to this topic

#1 Belladone

Belladone

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 08 July 2018 - 07:26 AM

Please contact demonslay335 if you have been infected by this ransomware as he can help with decryption.

 

 

 

 

Hello everyone.
 
I just created an account and I am really not computer savvy (hence how I got that virus, I guess, haha). I am, however, determined! So here I am, asking for your help with this ransomware virus (I think that's what it's called).
 
Here is the ransom message I am getting:
 
==========================# YOUR PC BLOCK #==========================
SORRY! Your files are encrypted.
File contents are encrypted with random key.
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
oktropys@protonmail.com
And send me your id, your id:
315127379
And pay 150$ on 1DVrBzv6hb1D217NNqbjaForF3eG3HXc7a wallet
If someone else offers you files restoring, ask him for test decryption.
 Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
==========================# YOUR PC BLOCK #==========================
 
I have uploaded an example of an encrypted file here: https://www.sendspace.com/file/bjd7hv
 
 
Everything is in .aurora extension... Thanks in advance for your help!

 
Update:
 

@All
This ransomware is decryptable. Victims please PM me for free assistance.
This includes extensions .animus, .Aurora, and .desu.

Post #19


Edited by xXToffeeXx, 01 August 2018 - 02:11 PM.




#2 thyrex

thyrex

  • Members
  • 575 posts
  • ONLINE
  • Gender:Male
  • Location:Belarus
  • Local time:01:34 PM

Posted 08 July 2018 - 07:37 AM

@Belladone

It isn't TeslaCrypt. It's Aurora Ransomware.


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:34 AM

Posted 08 July 2018 - 07:38 AM

...Everything is in .aurora extension... Thanks in advance for your help !

TeslaCrypt (Alpha Crypt) includes several known versions with various extensions for encrypted files such as .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3.

The .aurora extension is a different ransomware infection...see here. You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable and then attempts to direct you to an appropriate support topic where you can seek further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Belladone

Belladone
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 08 July 2018 - 07:53 AM

 

...Everything is in .aurora extension... Thanks in advance for your help !

TeslaCrypt (Alpha Crypt) includes several known versions with various extensions for encrypted files such as .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3.

The .aurora extension is a different ransomware infection...see here. You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable and then attempts to direct you to an appropriate support topic where you can seek further assistance.

 

 

Thanks, I submitted it to that website, but it said it was still under investigation... So, there is nothing I can do? (I will not pay 150$ lol).



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:34 AM

Posted 08 July 2018 - 07:54 AM

@Belladone

I split your posting and related replies into its own topic to avoid confusion.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:34 AM

Posted 08 July 2018 - 08:00 AM

Thanks, I submitted it to that website, but it said it was still under investigation... So, there is nothing I can do? (I will not pay 150$ lol).

Until our experts have further information about this infection, your best option is to restore from backups or try file recovery software. If that is not a viable option, then backup/save your encrypted data as is and wait for a possible solution at a later time.

#7 Belladone

Belladone
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 08 July 2018 - 10:30 AM

Thanks!

 

 

Thanks, I submitted it to that website, but it said it was still under investigation... So, there is nothing I can do? (I will not pay 150$ lol).

Until our experts have further information about this infection, your best option is to restore from backups or try file recovery software. If that is not a viable option, then backup/save your encrypted data as is and wait for a possible solution at a later time.

 



#8 Amigo-A

Amigo-A

  • Members
  • 532 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:34 PM

Posted 08 July 2018 - 12:59 PM

Belladone

Tell me, when were the files encrypted?


Edited by Amigo-A, 08 July 2018 - 01:02 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#9 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,513 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:34 AM

Posted 08 July 2018 - 08:10 PM

Both strains are still under analysis. From my initial look, I believe Animus may be decryptable, but I haven't looked at Aurora yet to see what has changed.

 

Is there a *.key file under AppData for your profile by chance? Just put "%APPDATA%" into Windows Explorer to navigate to that folder quickly.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#10 Belladone

Belladone
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 10 July 2018 - 06:44 AM

Hi everyone,

 

Sorry for the lack of response, I will answer with the info when I get home from work tonight! I really do appreciate your help :) Thanks again.



#11 Belladone

Belladone
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 10 July 2018 - 04:15 PM

Both strains are still under analysis. From my initial look, I believe Animus may be decryptable, but I haven't looked at Aurora yet to see what has changed.

 

Is there a *.key file under AppData for your profile by chance? Just put "%APPDATA%" into Windows Explorer to navigate to that folder quickly.

 

I did not find any .key file, but I did find a suspicious .cfg file. You can find the screenshot here https://imgur.com/a/7vE5Zsg


Belladone

Tell me, when were the files encrypted?

 

Hi Amigo,

 

On June 30th!



#12 Amigo-A

Amigo-A

  • Members
  • 532 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:34 PM

Posted 11 July 2018 - 08:52 AM

Hi Belladone
 
On your screenshot I can see two more text files of ransom notes.
What is in these files?
 
Send them to me through the service sendspace.com



#13 Belladone

Belladone
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 11 July 2018 - 07:38 PM

 

Hi Belladone
 
On your screenshot I can see two more text files of ransom notes.
What is in these files?
 
Send them to me through the service sendspace.com

 

 

It's exactly the same message, but I uploaded here https://www.sendspace.com/file/1yh6mt and here https://www.sendspace.com/file/bcc1p4 if you wanted to see.



#14 Amigo-A

Amigo-A

  • Members
  • 532 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:34 PM

Posted 12 July 2018 - 01:25 AM

Belladone

Thank you.

Up to this point, we had not seen one note used under different names simultaneously.

 

First there were
HOW_TO_DECRYPT_YOUR_FILES.txt
HOW_TO_DECRYPT_YOUR_FILES2.txt
HOW_TO_DECRYPT_YOUR_FILES3.txt
HOW_TO_DECRYPT_YOUR_FILES4.txt
HOW_TO_DECRYPT_YOUR_FILES5.txt
HOW_TO_DECRYPT_YOUR_FILES6.txt
 
later
#RECOVERY-PC#.txt
 
later
!-GET_MY_FILES-!.txt
 
now
#RECOVERY-PC#.txt
@_RESTORE-FILES_@.txt
!-GET_MY_FILES-!.txt

 

It is possible that they simply were not represented, as now.
I did not know, and I thought that you had several different attacks of encryptors. This now happens relatively often.
 
This encryptor is being analyzed. There are chances of file recovery.
Save your files and all three versions of the notes if you re-install the system without waiting for the results of the analysis.

 

Stay in touch, watch the publications and messages of researchers in this topic.
 
I would advise researchers not to give the decryptor into public access, until it helps everyone who asked for help. It's better to do this privately for a while.

Edited by Amigo-A, 12 July 2018 - 01:48 AM.



#15 Belladone

Belladone
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 12 July 2018 - 09:19 AM

Hi Amigo,

 

Yes, I am already subscribed to the topic, so I will stay in touch. Thanks.





