Update May 2017! A decrypter has been developed for a ransomware virus, known by many as AES-NI ransomware. The infection aims to apply ECB encryption mode with the AES-256 algorithm on the important files of the encrypted computer after which immediately drops a ransom note to ask victims to pay ransom to get them back. If you have become a victim of the AES-NI ransomware infection, we recommend you to read the article below. It will help you remove the virus from your computer and decrypt files encrypted by AES-NI ransomware without having to pay the ransom fee.
|Short Description||Encrypts important documents and other files on computers it infects. Asks for a ransom to be paid.|
|Symptoms||The victim may see a ransom note, named !!! READ THIS – IMPORTANT !!!.txt and the files encrypted with and added .aes-ni file extension.|
|Detection Tool|| See If Your System Has Been Affected by AES-NI |
Malware Removal Tool
|User Experience||Join our forum to Discuss AES-NI.|
AES-NI Ransomware – Quick Background
When it was initially detected, security experts have established that the AES-NI ransomware was spread via a massive campaign, using different methods. The main method by which the virus was reported to spread is via spam e-mails, containing a deceitful message within them, such as the example below:
After infection with AES-NI is inevitable, the ransomware drops multiple different files on the infected computer:
- !!! READ THIS – IMPORTANT !!!.txt
- .key.aes_ni files
- Exectuable files located in the %System Drive%, %AppData% or %Windows% folders.
Then, the AES-NI virus tampers with the Volume Shadow Copies of the infected computer to make restoring the files using them impossible. AES-NI ransomware also may attack the Windows registry editor, more specifically the Run and RunOnce registry sub-keys. After this has been performed, the virus may begin the encryption procedure, which is orchestrated by ECB encryption mode. It replaces blocks of data from the files, to make them no longer openable. After encryption, the files may look like one of the following, depending on the variant of AES-NI ransomware used to infect:
Fortunately, malware researchers have come up with a decrypter for this one. Keep reading this article to learn how to remove AES-NI ransomware and decrypt your files without having to pay the cyber-criminals.
Remove AES-NI Ransomware
Before downloading and installing the decrypter, we advise you to remove this ransomware virus from your computer. The removal process can be conducted via multiple different approaches like the manual and automatic instructions we have created below. In case you lack the experience in malware removal, security experts advise to download anti-malware scanner in order to remove AES-NI automatically.
Manually delete AES-NI from your computer
Note! Substantial notification about the AES-NI threat: Manual removal of AES-NI requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.
Automatically remove AES-NI by downloading an advanced anti-malware program
Decrypt AES-NI Encrypted Files
In order to decrypt your files, you need to first back them up, just in case. Then you can download and save the Avast decryptor for AES-NI ransomware uploaded on nomoreransom.com by clicking on the button below:
After downloading the decryptor, allow it to be ran as administrator on your computer, if prompted. When you open the decrypter, click on the Next button in order to get to the specify location step:
When you get to this step, we recommend, choosing the “Add Folder …” option which allows you to select the folders with encrypted files that you are specifically looking forward to decrypt. This will speed up the process:
After doing so, click on Next button again and you will be led to a page which asks you to upload an encrypted and original version of a file:
In case you are struggling to find original copy of an encrypted file, do not worry. You can use the following folders to locate the files from another computer with the same Windows version. The usual Windows folders to look for are the following:
- In your e-mail outbox or inbox.
- On a backup drive, old disk, thumb drives, etc.
After you have located an original and encrypted file by browsing those folders or via any other way, you can now upload them and click on Next and then click Start to begin factorizing the decryption password:
When the procedure has completed, click on the Decrypt button. If your files have been successfully decrypted, you should see the following pop-up: