Cybersecurity researchers have identified a new ransomware family dubbed Aur0ra. This malware follows the increasingly common dual-extortion model, where it not only encrypts the victim's files but also claims to have exfiltrated sensitive data to pressure victims into paying the ransom. A notable characteristic of Aur0ra is its decision not to rename or change the extension of encrypted files. This makes a visual inspection of the file system deceptive, as files appear normal but are rendered unusable. After encryption, a ransom note named !!!README!!!DO_NOT_DELETE.txt is dropped, instructing the victim to contact the attackers via a Tor website. The ransomware appears to be targeting a wide range of industries across North America, Europe, and Asia.
Aur0ra represents a continuation of the evolution in ransomware-as-a-service (RaaS) TTPs. The core components of its operation are:
.locked or .encrypted extension. This could delay incident response and allow the malware to encrypt more of the network.The wide range of targeted industries suggests an opportunistic campaign rather than a highly targeted one, which is typical for many RaaS affiliates.
The primary technique is T1486 - Data Encrypted for Impact. The unique implementation detail is the lack of file renaming. This means that detection based on file extension changes will fail. Instead, detection must rely on other indicators.
Other likely TTPs in the Aur0ra attack chain include:
T1071.001 - Web Protocols: The use of a Tor-based website for communication falls under this technique for command and control.T1567 - Exfiltration Over Web Service: To support the dual-extortion claim, the attackers must have exfiltrated data, likely using common web services or cloud storage.T1083 - File and Directory Discovery: Before encryption, the malware must scan the file system to identify target files, likely prioritizing documents, images, and databases while avoiding system files.T1490 - Inhibit System Recovery: Like most modern ransomware, Aur0ra likely attempts to delete Volume Shadow Copies or other backups to prevent easy recovery.The decision not to rename files is a tactical choice. While it makes initial visual identification harder, it also means that automated re-imaging solutions might miss encrypted data if not configured to verify file integrity. It forces a more thorough, and thus more costly, recovery process.
The impact of an Aur0ra attack is significant. Businesses face immediate operational disruption due to encrypted files. The lack of file renaming can complicate the recovery process, as it's harder to determine the scope of the encryption without file integrity checking tools. The threat of a data leak adds another layer of pressure, potentially leading to regulatory fines (e.g., under GDPR or CCPA), reputational damage, and loss of customer trust. The cost of incident response, recovery, and potential ransom payment can be crippling for small and medium-sized businesses.
file_name!!!README!!!DO_NOT_DELETE.txtSecurity teams can hunt for Aur0ra and similar ransomware. The following patterns could indicate related activity:
file_name!!!README!!!DO_NOT_DELETE.txtprocess_namevssadmin.exevssadmin.exe delete shadows which is used to prevent recovery.command_line_pattern*\Tor\tor.exelog_sourceFile I/O Monitoring!!!README!!!DO_NOT_DELETE.txt is also a high-fidelity detection method.passwords.docx or financials.xlsx on file shares. Monitor these files for any read or write access. Since legitimate users shouldn't be accessing them, any activity is highly suspicious and could be an early warning of a ransomware process scanning for files.New report confirms Aur0ra ransomware explicitly deletes Volume Shadow Copies using `vssadmin.exe` and provides specific sources for technical details.
A new report from CYFIRMA confirms that the Aur0ra ransomware explicitly deletes Volume Shadow Copies using the command vssadmin.exe Delete Shadows /all /quiet to hinder recovery efforts. This provides a more concrete indicator for detection and response. The report also reiterates the dual-extortion model, the stealthy encryption without filename changes, and its targeting of Windows systems across global industries. This update reinforces the technical understanding of Aur0ra's defense evasion tactics.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.