
.aes_ni_0day AES-NI File Virus – Restore Files (Update April 2017)

Article created to help you remove the special version of the AES-NI ransomware virus, called NSA EXPLOIT EDITION, and restore .aes_ni_0day files.

A new variant of the AES-NI ransomware has appeared in the wild. It uses multiple evasion tactics to infect computers and encrypt the files on them, then drops a ransom note file named !!! READ THIS – IMPORTANT !!!.txt demanding that the victim purchase the decryption keys at a high price. If you have become a victim of this new version of AES-NI, read this article and follow its instructions and steps.

Threat Summary

Name: AES-NI
Type: Ransomware
Short Description: Encrypts important documents and other files on the computers it infects. Asks for a ransom to be paid.
Symptoms: The victim may see a ransom note named !!! READ THIS – IMPORTANT !!!.txt, and the files are encrypted with the .aes-ni file extension added.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by AES-NI (download Malware Removal Tool)
User Experience: Join our forum to discuss AES-NI.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.

AES-NI Ransomware – Infection Process

Infection via the special edition of AES-NI ransomware is conducted in a very similar manner to the infection process of the older version. The ransomware may still use infection techniques that include sending fake e-mails carrying malicious attachments. These e-mails may contain different types of files as attachments:

  • VBS script files.
  • JavaScript files.
  • Executable files (.exe).
  • Microsoft Office or Adobe .pdf documents with malicious macros embedded in them.

The content of the spam messages is usually deceptive: they pretend to be legitimate notifications of a purchase, invoice, complaint or some other important topic in order to convince victims to open the malicious attachment or click the malicious link. An example of such an e-mail can be seen below:

Besides e-mail, the cyber-criminals behind the AES-NI infection may also upload malicious files to file-sharing websites such as torrent sites. Such files may be presented to the user as key generators that activate a license for a given program, or as a crack or patch for various software.

Other infection methods include fake updates, fake installers or game patches, software license activators and fake key generators, all of which may be uploaded to various websites.

Once the user’s computer becomes infected via one of the above-mentioned ways, the AES-NI ransomware drops its payload, which consists of the following types of files:

  • !!! READ THIS – IMPORTANT !!!.txt
  • .key.aes_ni_0day files
  • Executable files located in the %System Drive%, %AppData% or %Windows% folders.

.Aes_ni_0day File Virus – Infection Activity

The new version of the AES-NI ransomware may tamper with the Windows Registry by adding custom value strings whose data runs the malicious AES-NI executables on system start-up. For this, the following keys may be targeted:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The AES-NI ransomware also checks whether the infected computer is located in one of the former Soviet Union countries. If it is, the ransomware shuts down and then deletes itself.

But this is not all of the activity of the AES-NI infection. If the virus remains active, it injects malicious code into the svchost.exe Windows process. After this, it may run an obfuscated command via the Windows Command Prompt that deletes the shadow volume copies on the infected computer:

process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
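As an added defensive example (not code from the article or the malware), the following Python flags process-creation events that match the shadow-copy deletion sequence quoted above, raising severity when the parent is svchost.exe as in the injection described, and lists Run/RunOnce values that launch from the payload locations named earlier. The event records, Run-key contents and paths are constructed sample data; the Image/ParentImage/CommandLine field names follow the Sysmon convention and are an assumption about the log source.

```python
import re

# Constructed sample process-creation events (Sysmon event 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet '
                    '& bcdedit.exe /set {default} recoveryenabled no '
                    '& bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"'},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},  # benign administrative use, must not alert
]

# Patterns taken from the command sequence quoted in the article.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bootstatus_ignored": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}

def match_rules(cmdline):
    # Names of every rule the command line triggers (empty list for benign commands).
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def triage_events(events):
    """Flag matching events; a svchost.exe parent matches the injection described above."""
    findings = []
    for ev in events:
        hits = match_rules(ev["CommandLine"])
        if hits:
            injected = ev["ParentImage"].lower().endswith("\\svchost.exe")
            findings.append({"image": ev["Image"], "rules": hits,
                             "severity": "critical" if injected else "high"})
    return findings

# Constructed Run-key contents: {value name: command}. Commands launched from
# user-writable data directories match the payload locations listed above.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "aesni": r"C:\ProgramData\aesni.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def suspicious_run_values(values):
    """Return Run/RunOnce values whose command points into a suspicious directory."""
    return {n: c for n, c in values.items()
            if any(d in c.lower() for d in SUSPICIOUS_DIRS)}
```

In production the directory list needs an allowlist for legitimate per-user installers, so treat the Run-key check as a triage aid rather than a verdict.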

The Encryption Process of .aes_ni_0day Virus

For the encryption, AES-NI targets the following files:

  • Documents.
  • Music.
  • Videos.
  • Recordings.
  • Images.
  • Database files.

The virus is careful to skip system and executable files of the following formats, since encrypting them could damage the operating system:

.dll, .exe, .lnk, .mui, .sys

The virus encrypts files in what is known as ECB mode, applying the AES-256 cipher to replace blocks of file data with cipher output. Once this is done, an asymmetric key is generated and sent to the cyber-criminals behind the ransomware operation. In addition to the AES keys, RSA keys are also appended to each file or set of files; they are unique for each of them and are also sent to the crooks. The generated keys are stored in files ending with .key.aes_ni_0day.
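To show why the ECB mode named here (and in the ransom note below) matters to an analyst, here is an added example that is not from the article and uses a constructed stand-in for AES: because ECB processes every 16-byte block independently, identical plaintext blocks produce identical ciphertext blocks, so a repeated-block count distinguishes an ECB-encrypted file from one encrypted in a chained mode. The sample file, key and IV are constructed.

```python
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes; the ransomware uses AES-256 in ECB mode

def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the AES block function (NOT a real cipher): a deterministic
    keyed mapping of one 16-byte block, which is all that ECB's weakness depends on."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block is processed on its own, so equal plaintext blocks give equal ciphertext blocks."""
    data = pad(data)
    return b"".join(toy_block_cipher(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC for comparison: chaining with the previous ciphertext block hides repeated plaintext."""
    data, out, prev = pad(data), [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_cipher(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte blocks that duplicate an earlier block; a high value points to ECB."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return 1.0 - len(Counter(blocks)) / len(blocks)

# Constructed sample "document": a short header, a long run of identical bytes (blank image
# areas or zero padding, as real files contain), and a trailer.
SAMPLE_FILE = b"DOCHEADER-v1\x00\x00\x00\x00" + b"\x00" * 4096 + b"trailer"
KEY = hashlib.sha256(b"constructed demo key").digest()  # 32 bytes, as for AES-256
IV = b"\x01" * BLOCK

def demo():
    """Repeated-block ratio of the same file under ECB and under CBC."""
    return {"ecb": repeated_block_ratio(ecb_encrypt(KEY, SAMPLE_FILE)),
            "cbc": repeated_block_ratio(cbc_encrypt(KEY, IV, SAMPLE_FILE))}
```

Run over a set of .aes_ni_0day files, the same ratio lets an analyst confirm the note's claim of ECB and gauge how much file structure the ciphertext still leaks.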

After the special version of AES-NI has completed encryption, it adds the suffix .aes_ni_0day and the files no longer appear the same:

Then, AES-NI may open the !!! READ THIS – IMPORTANT !!!.txt note which has the following ransom demands:

==========================# aes-ni ransomware #==========================
SPECIAL VERSION: NSA EXPLOIT EDITION
INTRO: If you are reading it, your server was attacked with NSA exploits.
Make World Safe Again.
SORRY! Your files are encrypted.
File contents are encrypted with random key (AES-256 bit; ECB mode).
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
[email protected]
[email protected]
[email protected]
IMPORTANT: In some cases malware researchers can block our e-mails.
If you did not receive any answer on e-mail in 48 hours,
please do not panic and write to BitMsg (https://bitmsg.me) address:
BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN
or create topic on https://www.bleepingcomputer.com/ and we will find you there.
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
You MUST refer this ID in your message:
RECOVERI2#97B0C34050C1C00F7A2977CB25******
Also you MUST send all “.key.aes_ni_0day” files from C:\ProgramData if there are any.
=====# aes-ni ransomware #=====
*****************************

Source: id-ransomware-blogspot.bg

Remove .aes_ni_0day Virus and Get Your Data Back

Before removing the April 2017 special version of AES-NI ransomware, we advise you to back up the .key and .aes_ni_0day files.

Then for the removal process, we strongly recommend following the instructions below. They are carefully designed to help isolate the threat before removing it manually or automatically. In case you are experiencing difficulties in removing AES-NI ransomware manually, security experts always advise using an advanced anti-malware program which aims to ensure that the removal process is swift and effective and your computer is protected against future threats as well.

If you want to restore files encrypted by the AES-NI ransomware virus, we strongly urge you to try the alternative methods for restoring your files, at least until free decryption software for this infection is developed. They are located in step “2. Restore files encrypted by AES-NI” below, and you may recover at least some of your important files by giving them a try.

Manually delete AES-NI from your computer

Note! Important notice about the AES-NI threat: manual removal of AES-NI requires interfering with system files and registries and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove AES-NI files and objects
2. Find malicious files created by AES-NI on your PC

Automatically remove AES-NI by downloading an advanced anti-malware program

1. Remove AES-NI with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by AES-NI
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
