.aes Encrypted Files Virus – What Is It + How to Remove And Restore Data

.aes Encrypted Files Virus – What Is It + How to Remove And Restore Data

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to explain what exactly is the ransomware virus using the .aes file extension and how to remove it from your computer plus restore encrypted files having the .aes file extension added to them.

New ransomware infection, using the file extension .aes has been reported by malware researchers to cause various different troubles to victims after it encrypt the files on their computers, possibly using the AES-256 encryption algorithm. The ransomware virus has also been reported to set the .aes file suffix to the encrypted files and drop a ransom note, called Instruction.txt. It’s primary purpose is to get victims to pay a hefty ransom fee in order to get the cyber-crooks to decrypt your files. If your computer has been infected by the .aes files virus, we advise that you read this article to learn how to remove the .aes files virus and how to restore encrypted files without having to pay ransom.

Threat Summary

Name.aes Files Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on your computer after which demands a ransom payoff to get the files back.
SymptomsFiles are encrypted with added .aes extension. Ransom note is added, called Instruction.txt.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .aes Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .aes Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.aes Files Virus – Update February 2019

February 2019 brings a new ransom note and variant to the .aes Files Virus. Researchers dubbed it the Australian AES ransomware. The ransom note’s message is wrapped up in a GUI interface with red color, which can be previewed from the below image:

The full text from the note reads:

– Why have my files been encrypted? –
You files have been encrypted. This includes many of your important documents and other types of files, database, system files and more. Upon inspecting these encrypted files you may discover that they are using an unbreakable encryption algorithm, which can only be unlocked and decrypted with a special key.
This key can only be obtained though a bitcoin payment listed below. This is a certain way to recover and safely decrypt all your important files to get them back. All files after the amount is paid in full will be decrypted. This offer only has a certain time limit though and it’s your choice whether you want the key permanently destroyed, so your files can not be decrypted at all.
For some background info, this is a simple, fund raiser attempt in the desperate, dark void of the internet. It’s a noble thought intended to be good, as it’s also been thought for years, but it’s job is by doing right by those bad. All funds collected are filtered, then giving to charities that matter, so that as a collective of victims, a bigger reward is given to those who need it. If a small amount, is multiplied by thousands, those small interuptions in those people’s lives, come at a greater cost for those who benifit from it more.
– How to pay for encrypted files? –
Bitcoin is a popular cryptocurrency nowdays, and therefore it’s easy to buy bitcoin. For Australian’s, bitcoin.com.au has a $50 BTC minimum limit.
Therefore, the amount is set at $60 AUD. Go to the bitcoin.com.au website and go through the steps to purchase the bitcoin. Next, use the bitcoin address provided below to send the bitcoins to that address. After that, simply wait for the time to expire and if the bitcoin’s have been paid, the decryption key will be released.

Send $60 worth of bitcoin to this BTC address: [Copy Address] 37XsqpzsJRu9pdi5KQmdZgAYPn3qhxbdDZ
Time left: 47:59:23
Decryption Key: *** [Copy Key] Enter Key: [ ] I have paid the BTC amount to the correct address above.
[Purchase Bitcoin] [Decrypt] —–

However, malware researchers have found a secret in the ransomware’s code. Pressing the combination of the Alt + M keys will display a set of other messages, in a small window box and provide the victim with a free decryption.

This is the content of the messages:

If you found this by accident, nice luck. The decryption key is released before the timer, you can now decrypt your files.
Your files are now being decrypted. DO NOT close the application or your files will be corrupted and unrecoverable. The program will alert upon completion of deletion.

Just wait and all files should get restored back to normal.

The decryption key was never going to be deleted, your files are now able to be unencrypted. To do so click the ‘I have purchased the BTC checkbox’ and using the decryption key, enter it into the textbox, and click decrypt. Watch as your files magically unencrypt. Thanks for the donation.

Times Up!!

The last message displayed above is actually hidden inside the code of the ransomware.

.aes Files Virus – How Does It Infect

The main method of infection used by the .aes files virus is believed to be via spammed e-mail messages similar to the one underneath:

In addition to this, the ransomware virus may also be spread via the malicious files being uploaded online, pretending to be:

  • Setup of a program or game.
  • Driver.
  • Patch.
  • Crackfix.
  • Key Generator.

.aes Files Virus – More Information and Activity

The .aes files ransomware is the type of infection whose primary purpose is to encrypt the files on the infected computer after which demand a ransom payment from victims. To do this, the malware may perform a set of malicious activities on the victim’s computer, starting with downloading it’s payload files, which may be located in the following windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Windows%
  • %System32%

The activity of the ransomware includes modifying the windows registry editor in order to make it so that the malicious executable runs automatically on system start. These keys are the Run and RunOnce sub-keys in the registry editor, in which value strings are added with instructions to run the files, by giving their location:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

The .aes Files Virus may also check for the location of the compromised computer and whether or not it is running In a virtual environment. If your PC is running on a virtual drive, it may begin to perform various different activities that may lead to it’s self deletion.

In addition to this, the .aes Files Virus may run the following commands as an administrator on the user’s computer:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Among the files dropped by the .aes files virus is the malware’s ransom note, named Instruction.txt. The ransom note aims to convince the victim to pay the ransom. It has the following contents:

“Important information! All files are encrypted with RSA – 2048 and AES – 256 ciphers. Do not worry, you can restore all the files. We guarantee that all files can be safely restored quickly and safely. For instructions on recovering files, contact us. contact information: tiwa1986@mail.ru”

.aes Files Virus – Encryption Process

To encrypt the files on the infected computer, this ransomware infection may use the AES (Advanced Encryption Standard) encryption algorithm whose primary purpose is to encrypt the files on the infected computer with a 256 bit strength. The virus aims to scan for legitimate types of files which are used often, like:

  • Documents.
  • Music.
  • Videos.
  • Recordings.
  • Images.
  • Virtual drive files.

After encryption, the .aes files virus generates a unique decryption mode, whose primary purpose is to be used to decrypt the files. However, the victim must pay a hefty ransom in order to obtain that decryption key.

The files appear like the following after they have been encrypted by .aes ransomware:

Remove .aes Files Virus and Restore Encrypted Files

In order to remove this ransomware virus completely from your computer, we advise you to read the following removal instructions and learn how to remove this infection completely from your computer. They are divided in manual or automatic removal manuals whose primary purpose is to help you to remove the .aes file ransomware based on how much experience you have with malware removal. Be advised that security professionals strongly recommend to download an advanced anti-malware software. Such program aims to help you to automatically remove the .aes ransomware from your computer and will also protect your PC against future ransomware infections and other intrusive software.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share