.aes_ni_0day AES-NI File Virus – Restore Files (Update April 2017) - How to, Technology and PC Security Forum | SensorsTechForum.com


Article created to help you remove the special version of the AES-NI ransomware, which calls itself NSA EXPLOIT EDITION, and restore .aes_ni_0day files.

A new variant of the AES-NI ransomware has appeared in the wild. It uses several evasion tactics to infect computers and encrypt the files on them, then drops a ransom note named !!! READ THIS – IMPORTANT !!!.txt demanding that the victim buy the decryption key at a high price. If you have been hit by this version of AES-NI, read this article and follow its instructions and steps.

Threat Summary

Name: AES-NI (.aes_ni_0day variant, "NSA EXPLOIT EDITION")
Type: Ransomware
Short Description: Encrypts documents and other user files on the computers it infects and demands a ransom for the decryption key.
Symptoms: A ransom note named !!! READ THIS – IMPORTANT !!!.txt appears, and encrypted files carry the added .aes_ni_0day extension.
Distribution Method: Exploit kits, malicious DLL loading, malicious JavaScript, or a drive-by download of the obfuscated payload itself.

AES-NI Ransomware – Infection Process

Infection by the special edition of AES-NI proceeds much like that of the older version. The ransomware may still arrive through fake e-mails carrying malicious attachments of different types:

  • VBS script files.
  • JavaScript files.
  • Executable (.exe) files.
  • Microsoft Office documents with malicious macros embedded, or Adobe .pdf documents carrying malicious embedded content.

The spam messages are usually deceptive: they pose as legitimate notifications of a purchase, invoice, complaint or some other important matter in order to convince the victim to open the attachment or click the link. An example of such an e-mail can be seen below:

Besides e-mail, the criminals behind AES-NI may upload the malware to file-sharing and torrent sites disguised as key generators, cracks or patches for popular software, or spread it as fake updates, fake installers or game patches hosted on various websites.

Once the computer is infected in one of the ways above, the AES-NI ransomware drops its payload, which consists of the following types of files:

  • !!! READ THIS – IMPORTANT !!!.txt (the ransom note)
  • .key.aes_ni_0day files (the encrypted key material)
  • Executable files located in the %SystemDrive%, %AppData% or %Windows% folders.

.aes_ni_0day File Virus – Infection Activity

The new version of the AES-NI ransomware may tamper with the Windows Registry, adding custom string values so that its executables run at every system start-up. Autorun persistence of this kind typically targets the Run and RunOnce keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion and the matching HKEY_LOCAL_MACHINE path; checking those keys for entries pointing into %AppData% or %SystemDrive% is the first thing to do on a suspected machine.

Other activity of the AES-NI ransomware includes a check of whether the infected computer is located in one of the former Soviet Union countries. If it is, the ransomware stops and deletes itself.

But this is not all of the activity of the AES-NI infection. If the virus stays active, it injects code into the svchost.exe Windows process and then launches a command through the WMI command-line tool (the "process call create" verb spawns a new process) that deletes the Volume Shadow Copies and disables Windows boot recovery, so that the built-in restore points cannot be used to roll back the encrypted files:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
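The three commands above are the most reliable host-level signal of this family, because they run before the encryption does any visible damage. Below is an added example (not code from the article or from the malware) that scans constructed Windows 4688 / Sysmon-style process-creation log lines for those commands and for the WMI "process call create" wrapper that launches them. The log field names (host=, ParentImage=, NewProcessName=, CommandLine=) and the sample lines are assumptions; adapt the field regexes to whatever your collector emits.

```python
"""Flag shadow-copy deletion and boot-recovery tampering in process logs.

Added example, not code from the original article or from the malware. It
scans constructed Windows 4688 / Sysmon-style process-creation lines for the
three commands quoted above and for the WMI 'process call create' wrapper
that launches them. The log field names and the sample lines are assumptions.
"""
import re

# Each rule is (name, pattern). Case-insensitive, tolerant of the .exe suffix,
# extra whitespace and the {default}/{current} BCD entry identifiers.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+"
                r"recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+"
                r"bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wmic_process_call_create",
     re.compile(r"\bprocess\s+call\s+create\b", re.I)),
]

# Assumed key=value log layout; change these to match your own telemetry.
LOG_FIELDS = {
    "host": re.compile(r"\bhost=(\S+)"),
    "parent": re.compile(r"\bParentImage=(\S+)"),
    "image": re.compile(r"\bNewProcessName=(\S+)"),
    "cmd": re.compile(r"\bCommandLine=(.*)$"),
}

# Processes that spawn commands on behalf of WMI; a cmd.exe child of these
# running the commands below is the pattern the article describes.
WMI_PARENTS = {"wmic.exe", "wmiprvse.exe"}

# Constructed sample log (not real telemetry). Lines 1-3 are the attack chain;
# lines 4-5 are benign activity that must not fire.
SAMPLE_LOG = r"""
2017-04-21T10:02:11Z host=FS01 EventID=4688 ParentImage=C:\Windows\System32\svchost.exe NewProcessName=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2017-04-21T10:02:12Z host=FS01 EventID=4688 ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2017-04-21T10:02:13Z host=FS01 EventID=4688 ParentImage=C:\Windows\System32\cmd.exe NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet
2017-04-21T10:05:00Z host=FS01 EventID=4688 ParentImage=C:\Windows\explorer.exe NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe list shadows
2017-04-21T10:06:00Z host=FS01 EventID=4688 ParentImage=C:\Windows\explorer.exe NewProcessName=C:\Windows\System32\notepad.exe CommandLine=notepad.exe "C:\Users\bob\!!! READ THIS - IMPORTANT !!!.txt"
"""


def parse_line(line):
    """Pull the fields we need out of one key=value style log line."""
    rec = {"time": line.split(" ", 1)[0]}
    for key, rx in LOG_FIELDS.items():
        m = rx.search(line)
        rec[key] = m.group(1) if m else ""
    return rec


def match_rules(cmdline):
    """Names of all rules whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_log(text):
    """Return one hit record per log line that matches at least one rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        names = match_rules(rec["cmd"])
        if not names:
            continue
        parent_exe = rec["parent"].rsplit("\\", 1)[-1].lower()
        rec["rules"] = names
        rec["wmi_spawned"] = parent_exe in WMI_PARENTS
        # All three recovery-disabling commands on one line, or a WMI parent,
        # is the ransomware pattern; a lone 'vssadmin delete shadows' can be
        # an administrator reclaiming disk space and gets a lower score.
        rec["score"] = len(names) + (1 if rec["wmi_spawned"] else 0)
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["host"], "score=%d" % h["score"], ",".join(h["rules"]))
```

The score separates the chained, WMI-spawned command (which only ransomware issues) from a single vssadmin call that an administrator might run; alert on score 3 or higher and review anything lower. The "list shadows" and ransom-note-in-notepad lines produce no hit, which is the false-positive check worth keeping in the test set.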

The Encryption Process of .aes_ni_0day Virus

For the encryption, AES-NI targets the following files:

  • Documents.
  • Music.
  • Videos.
  • Recordings.
  • Images.
  • Database files.

The virus deliberately skips system and executable files with the following extensions, since encrypting them could break the operating system and leave the victim unable to boot, read the note or pay:

.dll, .exe, .lnk, .mui, .sys

The encryption uses AES-256 in what is known as ECB (Electronic Codebook) mode: each 16-byte block of a file is encrypted independently with the same key, so the file's blocks are replaced one-for-one by cipher output, and identical plaintext blocks produce identical ciphertext blocks. The AES key is generated randomly on the victim machine and, as the ransom note states, is then encrypted with the attackers' 2048-bit RSA public key; only the matching RSA private key, which the attackers keep, can unwrap it. The wrapped key material is written to files ending in .key.aes_ni_0day, which the note tells victims to send along with their message. Note the practical consequence: ECB mode leaks structure (repeated blocks are visible in the ciphertext) but not the key, so it does not by itself make the files recoverable.
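To make the ECB point concrete, here is an added example (not code from the article or from the malware) showing why "AES-256, ECB mode" still leaves a fingerprint in the encrypted files. Real AES is not used: a keyed HMAC-SHA256 truncated to 16 bytes stands in for one block-cipher call, which reproduces ECB's defining property (same key and same plaintext block always give the same ciphertext block) but is not invertible, so it cannot decrypt anything. The RSA wrapping of the key is not reproduced. The sample "document" is constructed; the repeated-block check at the end is the triage test you can run on a real .aes_ni_0day file to confirm the mode the note claims.

```python
"""What 'AES-256, ECB mode' means for the encrypted files.

Added example, not code from the article or the malware. A keyed HMAC-SHA256
truncated to 16 bytes stands in for the AES block function (deterministic per
block like AES-ECB, but not invertible). Counter mode is built from the same
function for comparison. The sample document is constructed.
"""
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16


def block_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for one AES block encryption: keyed, deterministic, 16 bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks (ECB needs full blocks)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    """ECB: every block encrypted on its own, no IV, no chaining."""
    data = pad(data)
    return b"".join(block_prf(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def encrypt_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode for comparison: keystream from (nonce, index), XORed in."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_prf(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def repeated_block_ratio(ct: bytes) -> float:
    """Share of 16-byte aligned blocks that occur more than once.

    Triage check for a suspected ECB-encrypted file: a ratio well above zero
    on a file whose original content was repetitive (zero runs, padding,
    uncompressed images) confirms ECB. Files that were compressed or random
    before encryption show ~0 under any mode, so pick the input with care.
    """
    usable = len(ct) - len(ct) % BLOCK
    blocks = [ct[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    repeated = sum(c for c in counts.values() if c > 1)
    return repeated / len(blocks)


# Constructed sample: a short header, a long run of zero bytes (as in a BMP
# padding region or a zeroed database page), then a trailing record.
SAMPLE_DOC = b"SAMPLE-DOC-HEADER-v1" + b"\x00" * 800 + b"trailing text record"


def demo(key: bytes = None, nonce: bytes = None) -> dict:
    """Encrypt SAMPLE_DOC both ways and report how much structure survives."""
    key = key or os.urandom(32)
    nonce = nonce or os.urandom(8)
    ecb = encrypt_ecb(key, SAMPLE_DOC)
    ctr = encrypt_ctr(key, nonce, SAMPLE_DOC)
    return {
        "plain_ratio": repeated_block_ratio(SAMPLE_DOC),
        "ecb_ratio": repeated_block_ratio(ecb),
        "ctr_ratio": repeated_block_ratio(ctr),
    }


if __name__ == "__main__":
    for name, ratio in demo().items():
        print("%-12s %.3f" % (name, ratio))
```

With the constructed document, 49 of the 53 padded blocks are identical zero blocks, and the ECB ciphertext keeps exactly that proportion of repeats, while the counter-mode ciphertext shows none. The ratio confirms the mode named in the ransom note and tells you which files would leak the most about their contents, but it recovers nothing: every block is still AES-256 under a key you do not have.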

After the special version of AES-NI has finished encrypting, it appends the suffix .aes_ni_0day to each file name, and the files can no longer be opened by their applications:

Then, AES-NI may open the !!! READ THIS – IMPORTANT !!!.txt note which has the following ransom demands:

==========================# aes-ni ransomware #==========================
█████╗ ██████╗██████╗ ███╗ ██╗ ██╗
██╔═██╗██╔═══╝██╔═══╝ ████╗ ██║ ██║
██████║█████╗ ██████╗███╗██╔██╗██║ ██║
██╔═██║██╔══╝ ╚═══██║╚══╝██║╚████║ ██║
██║ ██║██████╗██████║ ██║ ╚███║ ██║
╚═╝ ╚═╝╚═════╝╚═════╝ ╚═╝ ╚══╝ ╚═╝
INTRO: If you are reading it, your server was attacked with NSA exploits.
Make World Safe Again.
SORRY! Your files are encrypted.
File contents are encrypted with random key (AES-256 bit; ECB mode).
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
[email protected]
[email protected]
[email protected]
IMPORTANT: In some cases malware researchers can block our e-mails.
If you did not receive any answer on e-mail in 48 hours,
please do not panic and write to BitMsg (https://bitmsg.me) address:
or create topic on https://www.bleepingcomputer.com/ and we will find you there.
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
You MUST refer this ID in your message:
Also you MUST send all “.key.aes_ni_0day” files from C:\ProgramData if there are any.
=====# aes-ni ransomware #=====

Source: id-ransomware-blogspot.bg

Remove .aes_ni_0day Virus and Get Your Data Back

Before removing the April 2017 special version of AES-NI ransomware, back up the .key.aes_ni_0day files (the ransom note places them in C:\ProgramData) together with the encrypted .aes_ni_0day files. The key files appear to hold the RSA-wrapped AES key; without them nobody, including a future free decryptor, can recover the data, so copy them to external media before any cleanup tool runs.

For the removal process itself, follow the instructions below. They are designed to isolate the threat before it is removed manually or automatically. If manual removal proves difficult, use a reputable anti-malware program so that the removal is complete and the computer is protected against reinfection.

To restore files encrypted by the AES-NI ransomware, try the alternative methods in step “2. Restore files encrypted by AES-NI” below, at least until a free decryptor for this infection is released; they may recover at least some of the important files.
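The backup step above is easy to get wrong under pressure (files copied with the wrong tool, key blobs overlooked in C:\ProgramData, no record of what was preserved). The following is an added example, not code from the article or from any recovery tool, that walks a directory tree, inventories every file ending in .aes_ni_0day and every .key.aes_ni_0day file, records a SHA-256 of each, and copies them unchanged into a backup directory while preserving relative paths. The sample victim tree and the key file name "1.key.aes_ni_0day" are constructed for the stand-alone run; point `backup()` at the real system drive and an external destination when using it.

```python
"""Preserve the artefacts a decryptor would need before removing the malware.

Added example, not from the article. Inventories .aes_ni_0day (encrypted
data) and .key.aes_ni_0day (wrapped key material) files under a root,
hashes them, and copies them to a backup tree without touching the source.
The sample tree and its file names are constructed.
"""
import hashlib
import os
import shutil
import tempfile

ENC_SUFFIX = ".aes_ni_0day"
KEY_SUFFIX = ".key.aes_ni_0day"


def sha256_file(path):
    """Streamed SHA-256 so large encrypted files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Return {"keys": [...], "encrypted": [...]} of (relpath, sha256, size)."""
    found = {"keys": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ENC_SUFFIX):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            entry = (rel, sha256_file(full), os.path.getsize(full))
            bucket = "keys" if name.endswith(KEY_SUFFIX) else "encrypted"
            found[bucket].append(entry)
    for entries in found.values():
        entries.sort()
    return found


def backup(root, dest):
    """Copy every inventoried file into dest, keeping the tree layout.

    The source is never modified; each copy is re-hashed and compared so a
    short write or a tampering filter driver is caught. Returns files copied.
    """
    copied = 0
    inv = inventory(root)
    for bucket in ("keys", "encrypted"):
        for rel, digest, _size in inv[bucket]:
            src = os.path.join(root, rel)
            dst = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            if sha256_file(dst) != digest:
                raise RuntimeError("copy verification failed: " + rel)
            copied += 1
    return copied


def make_sample_tree():
    """Constructed victim tree: one key blob, one encrypted document, one clean file."""
    root = tempfile.mkdtemp(prefix="aesni_victim_")
    docs = os.path.join(root, "Users", "bob", "Documents")
    os.makedirs(os.path.join(root, "ProgramData"))
    os.makedirs(docs)
    with open(os.path.join(root, "ProgramData", "1.key.aes_ni_0day"), "wb") as f:
        f.write(b"\x00" * 256)  # placeholder for an RSA-wrapped key blob (constructed)
    with open(os.path.join(docs, "report.docx.aes_ni_0day"), "wb") as f:
        f.write(b"\xaa" * 4096)  # placeholder ciphertext (constructed)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"untouched")
    return root


def run_demo():
    """Build the constructed tree, back it up to a temp dir, report the outcome."""
    root = make_sample_tree()
    dest = tempfile.mkdtemp(prefix="aesni_backup_")
    try:
        inv = inventory(root)
        result = {
            "keys": len(inv["keys"]),
            "encrypted": len(inv["encrypted"]),
            "copied": backup(root, dest),
            "key_backed_up": os.path.isfile(os.path.join(dest, inv["keys"][0][0])),
            "clean_file_skipped": not os.path.exists(
                os.path.join(dest, "Users", "bob", "Documents", "notes.txt")),
        }
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dest)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Keep the inventory output (path, hash, size) with the backup: it is the evidence that the key blobs were preserved intact, and the hash lets you prove later that a decryptor was fed the original, untouched files.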

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and tech developments at SensorsTechForum for three years. He started out as a network administrator and also holds a degree in Marketing. After studying Value Chain Management and then Network Administration, he found his passion in cybersecurity, and he is a strong believer in basic online-safety education for every user.
