AEUR ransomware purpose is to make one’s files inaccessible using encryption algorithms which are typically used to secure military-grade secrets. The virus locks the very first 150 KB of data in each file, which corrupts the file quickly then jumps onto next file in the queue. This method, however, allows repairing certain file formats with some data loss at the beginning of the file (examples include audio or video files). You can find a more detailed tutorial on repairing these files in this guide. AEUR decryption tool requires unique private key to function, and criminals provide the pricing of both in the _readme.txt note. They state that if the victim writes to them within 72 hours, the price will be $490. If the victim writes and pays later, the price will be $980. The virus’ developers know about the infection timestamp because the virus saves it on the victim’s computer and also sends this information to their Command&Control server. The attackers won’t accept Euros or Dollars – they will ask to purchase Bitcoins equivalent the amount and transfer it to the criminals’ wallet. This transaction type helps to keep them anonymous. To convince the victim pay sooner, they also recommend sending one small encrypted file to test the decryption tool first, promising to respond with a clean file version. Our team experts, as well as other reputable cybersecurity-related sources and FBI DO NOT RECOMMEND paying the ransom due to the following reasons:
Paying the criminals can do nothing as there are no assurance that the attackers will provide you with decryption tools after receiving your money.In some countries, transferring ransom payment is considered illegal.Ransomware operators collect incredible amounts of money each year – their income is calculated in millions. This attracts other people to join and consequently leads to more and more disastrous cyber attacks each year. Please, do not contribute to the growth of this by paying the ransom!STOP/DJVU variants like AEUR virus install information-stealer dubbed AZORULT. The information collected by this Trojan can be used to blackmail you further. Don’t waste your money because these sneaky crooks will try to rip you off financially as much as possible!
REPAIR VIRUS DAMAGE
Details about the ransomware damage
AEUR ransomware infection can be recognised quite easily by experienced cybersecurity experts because this virus runs a fake Windows update prompt at the beginning of the attack. However, regular computer users might not notice anything suspicious as this prompt can be easily mistaken for a legitimate operating system update. The crooks use this method to conceal their attack, trying to convince the victim that system slowdown is caused by installation of required system components. At the same time, the whole computer data corruption procedure begins as an executable named by 4 random characters such as B5DH.exe starts to scan computer folders and encrypts files stored in them. The malware then launches Command Prompt to run the following command and delete Volume Shadow Copies from the system: vssadmin.exe Delete Shadows /All /Quiet Without Volume Shadow Copies that Windows creates as part of a system restore point, there is no way to recover files using the said System Restore Points. In addition, the virus attempts to isolate the victim from attack-related information online by adding a list of restricted domains to Windows HOSTS file. By mapping these domains to localhost IP, the virus ensures that the victim will run into DNS_PROBE_FINISHED_NXDOMAIN error in web browser instead of opening the website the user tries to reach. You may want to learn how to reset HOSTS file back to default. After the attack, the ransomware victim might also find other suspicious files on the computer. Some of the dropped files are related to information that helps to identify the victim. For example, one of these files is called bowsakkdestx.txt (you can find victim’s public encryption key and personal ID string in it) and PersonalID.txt (victim’s ID only). It is important to mention something that ransomware authors didn’t talk about in the ransom note – the ransomware drops information-stealing Trojan called AZORULT. It can be used to remotely access victim’s computer and download, delete, list victim’s files, drop more malware, steal login credentials, browser-saved data (passwords, browsing history), Steam, Telegram login details, cryptocurrency wallets and more. Needless to say, we strongly recommend you to remove AEUR ransomware virus from your computer as fast as you can. We have prepared a guide for you to follow which you can find down below. First, you will need to use professional antivirus software of your choice (we highly recommend VB100-certified program INTEGO Antivirus) for malware removal. Additionally, we recommend downloading RESTORO to repair virus damage on Windows OS files.
Ransomware Summary
REPAIR VIRUS DAMAGE
How ransomware-type viruses are distributed
Viruses that come from STOP/DJVU family, including AEUR ransomware, are generally distributed in a form of software cracks. The criminals disguise malicious code into tools that are typically used to illegally activate paid software licenses. Some victims infected with STOP/DJVU versions reported getting infected after trying to obtain these legitimate programs illegally:
Adobe Photoshop;Corel Draw;Cubase;Adobe Illustrator;Windows activation tools such as KMSPico.
We strongly recommend you to avoid visiting such unconfirmed software download sources and avoid getting software from torrent downloads altogether. By using pirated programs, you not only risk infecting your computer with severe malware, but also infringe copyrights of legitimate software developers and can get fined by your local authorities. Even if it seems that the software installation went smoothly, you can already be infected with Trojan, cryptocurrency miner or another piece of malware that operates silently and doesn’t show any noticeable signs of existence. Besides, it can take months until you notice presence of such programs, and the damage will be enormous. Ransomware, just like other forms of malware are also actively distributed using old yet very popular technique – malicious email spam. Cybercriminals tend to inject scripts into various document formats, such as DOCX, XLS, PDF or others and opening such file can activate it. The script then proceeds to download threats from specific domains and open them on your computer. Beware that criminals tend to disguise viruses under legitimate-looking document names, such as invoice, payment information, parcel delivery details, order summaries and similar. Be vigilant and avoid clicking on such email attachments or links included if you can spot one of the following red flags:
You did not expect to receive the email at all;The message tone seems urgent and invites you to review attached contents immediately;The sender pretends to be someone from a reputable company, yet the email contains grammar errors and logos seem off;Spoofed email address;Your email box provider marks the letter as spam.
Lastly, victims of AEUR ransomware should know that ZORAB malware operators hide their virus in fake STOP/DJVU decryption tools online. Opening these will get your files double-encrypted. Remember – if an official decryption tool appears, you will find references to it on all the most reputable cybersecurity news websites and not some suspicious sites.
Remove AEUR ransomware virus and decrypt your files
It is best to remove AEUR ransomware virus without any hesitation – the sooner, the better. This way, you will prevent any further damage to your computer and your privacy. We recommend a two-step rescue plan which should start with usage of a robust security software to eliminate malware from your system. We strongly recommend INTEGO Antivirus to get rid of malware. Next, we suggest scanning with RESTORO to identify computer issues and repair virus damage to Windows OS files. Following a successful AEUR virus removal, take these post-infection actions:
Report cybercrime incident to your local authority responsible for handling such cases. You can find some references below the article.Use data backups to restore files (if you have them).Try instructions to decrypt or repair files affected by STOP/DJVU versions.We also recommend changing your passwords, especially for sites that you chose to save login credentials for in your browser.
OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove AEUR ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove AEUR ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt AEUR files
Fix and open large AEUR files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. AEUR ransomware virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt AEUR files, follow the given tutorial.
Meanings of decryptor’s messages
The AEUR decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your AEUR extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of AEUR ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.
