{
	"id": "0adf26e6-0758-4191-9e87-c662c4313fde",
	"created_at": "2026-04-06T00:16:05.406893Z",
	"updated_at": "2026-04-10T13:12:30.95054Z",
	"deleted_at": null,
	"sha1_hash": "5a8a301247808b6af8619501cd0cc9f61c8e3d23",
	"title": "A LockerGoga primer and decrypters for Mira and Aurora ransomwares - Help Net Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 144851,
	"plain_text": "A LockerGoga primer and decrypters for Mira and Aurora\r\nransomwares - Help Net Security\r\nBy Zeljka Zorz\r\nPublished: 2019-04-02 · Archived: 2026-04-05 15:24:23 UTC\r\nThere’s some good news for victims of the Mira and Aurora ransomwares: free decrypters have been made\r\navailable.\r\nNew decrypters\r\nF-Secure has released a decrypter for victims of the Mira ransomware. (You’ll known you’ve been hit if the\r\nencrypted files sport the .mira extension.)\r\n“Most often, decryption can be very challenging because of missing keys that are needed for decryption. However,\r\nin the case of Mira ransomware, it appends all information required to decrypt an encrypted file into the encrypted\r\nfile itself,” the company explained.\r\nThe tool can be found here, and instructions on how to use it here.\r\nhttps://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/\r\nPage 1 of 2\n\nBefore running the tool, users need to remove the ransomware from the computer, lest it encrypt the decrypted\r\nfiles again.\r\n“It is important to run the tool on the specific computer where the files were originally encrypted. This is because\r\nthe recovery key for each files are calculated from the computer where the files got encrypted,” the company\r\nadded.\r\nEmsisoft has released a decrypter for victims of the Aurora ransomware, aka Zorro, Desu, or AnimusLocker.\r\n(You’ll known you’ve been hit if the encrypted files sport the .Aurora, .aurora, .animus, .ONI, .Nano, .desu or\r\n.cryptoid extension.)\r\nBy the by, Michael Gillespie, security researcher and the creator of ID Ransomware, the online tool that\r\nransomware victims can use to identify the specific malware they’ve been hit with, has also released a decrypter\r\nfor the Aurora ransomware earlier this year.\r\nAbout LockerGoga\r\nUnlike Mira and Aurora, the LockerGoga ransomware seems to have been flinged at specific, high-profile targets.\r\nThe name became widely known after the recent Norsk Hydro attack. The company did not name the ransomware\r\nthat hit them, but the Norwegian National Security Authority confirmed it is LockerGoga.\r\nThe Center for Internet Security has released a primer containing the most current information about the\r\nransomware and known indicators of compromise.\r\n“LockerGoga reportedly targets other sectors, although a disproportionate amount of victims reside in the\r\nindustrial/manufacturing sector,” the organization pointed out. Known recent victims include French engineering\r\nconsulting firm Altran and U.S. chemical companies Hexion and MPM Holdings (Momentive).\r\nAt this time, the initial intrusion vector is unknown, they say, but it seems that the ransomware is unable to spread\r\nitself to other computers on the network.\r\nThey also pointed out that, in some cases, the victims won’t even be able to tell they’ve been targeted with this\r\nspecific malware.\r\n“Cisco’s Talos group observed that some LockerGoga variants forcibly log victims off their devices. They are then\r\nunable to log back onto the device, which also means they may not see the ransom note. Furthermore, in some\r\ncases the network interface on each system was disabled and the local user account passwords were changed. This\r\ncan cause confusion on the victim’s end as to their issue’s root cause,” they noted.\r\n“If this is an intentional feature, then it is possible that the CTAs have both financial and destructive motivations.”\r\nTheir advice for organizations is to make regular backups of their important files and make sure that they are able\r\nto recover from them.\r\nSource: https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/\r\nhttps://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/"
	],
	"report_names": [
		"aurora-decrypter-mira-decrypter"
	],
	"threat_actors": [],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a8a301247808b6af8619501cd0cc9f61c8e3d23.pdf",
		"text": "https://archive.orkl.eu/5a8a301247808b6af8619501cd0cc9f61c8e3d23.txt",
		"img": "https://archive.orkl.eu/5a8a301247808b6af8619501cd0cc9f61c8e3d23.jpg"
	}
}