Remove .aesir Files Virus (New Locky Ransomware) - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove .aesir Files Virus (New Locky Ransomware)


The ransomware that is a mystery wrapped in an enigma inside a riddle for malware researchers has been released in yet another variant. The latest Locky ransomware stays true to its roots and uses the .aesir file extension (the name of the old Norse god Æsir), similar to its other iterations .thor, .locky and .odin. The ransomware has significantly improved its distribution capabilities and can affect an even higher number of users than its previous version. Users who have been infected by this ransom virus should not follow the instructions set as their wallpaper and should not pay any ransom amount requested by the cyber-criminals. Instead, we suggest you read this article to become familiar with Locky ransomware and learn how to remove it, back up your files and try to restore them for free.


Threat Summary

Name: Aesir Locky
Type: Ransomware, File-Encryption Malware
Short Description: The Locky .aesir malware iteration encrypts users' files on the compromised computer with a strong combination of AES and RSA ciphers and asks the user to pay a ransom in Bitcoin to get them back.
Symptoms: The user infected by the Aesir Locky variant may witness ransom notes and “instructions” in a text file and as the typical grey/pink Locky wallpaper. Locky advertises its decryptor, uniquely made for the specific infected machine, on an online Tor-based web page linked in those instructions.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
User Experience: Join our forum to discuss Aesir Locky.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.aesir Extension Locky Ransomware – More Information About It

Before it can encrypt any files, this iteration of the Locky virus first has to infect the machine. It does so using a combination of sophisticated tools that allow the malware to spread and infect without the user noticing.

.Aesir Ransomware – Distribution and Infection

The first method by which Locky ransomware’s Aesir variant was discovered was a spam message which contained a malicious e-mail attachment as a .zip archive, named “logs_{random-id}.zip”. The contents of the e-mail were the following:

“Dear {First Name},
We’ve been receiving spam mailout from your address recently. Contents and logging of such messages are in the attachment.
Please look into it and contact us.
Best Regards,
Edith Hancock
ISP Support Tel.: (840) 414-21-61”

Source: Twitter.com

After the user opens the zip file, he will find a malicious .js JavaScript file with a completely random name made up of A-Z and 0-9 characters:

[Screenshot: randomly named .js file inside the archive]

After the user opens the JavaScript file, the .aesir version of Locky malware connects to a C2 server on one of Locky's many distribution sites:

[Screenshot: list of Locky distribution sites]

After this, the malware downloads a .dll file, again with a random name, into the %Temp% folder, where more files can be dropped. In addition, the Aesir Locky malware drops an “information.cgi” file in its POST traffic, most likely containing a variant of its ransom note.

Another infection scenario reported for this iteration of Locky ransomware runs through the social media giant Facebook. Malware researcher Catalin Cimpanu has reported at Bleeping Computer that Locky has begun to spread via spam messages carrying malicious .svg files, sent directly to the user from suspicious accounts. Files sent this way, such as Photo_2311.svg, are not photos, and users are warned not to open them, since they contain the notorious Nemucod downloader used with Nemucod ransomware and may infect your computer with Locky.
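The delivery vectors described above (a logs_{random-id}.zip archive holding a .js file, and .svg files posing as photos) can be screened before a user ever opens them. The following is an added example, not code from the original article: the function names and sample file contents are constructed for illustration, and the archive-name pattern assumes only the "logs_" prefix and ".zip" suffix quoted above.

```python
import io
import re
import zipfile

# Script types the article names as Locky carriers (.js, and .hta later on).
SCRIPT_EXTS = (".js", ".hta")
# Archive name used by the spam run described above: logs_{random-id}.zip
LURE_ARCHIVE = re.compile(r"^logs_.+\.zip$", re.IGNORECASE)


def svg_has_script(data):
    """SVG is XML and may embed <script>; a genuine photo never needs one."""
    return "<script" in data.decode("utf-8", errors="replace").lower()


def triage_attachment(filename, data):
    """Return the reasons to quarantine an attachment (empty list = none found)."""
    reasons = []
    name = filename.lower()
    if name.endswith(".svg") and svg_has_script(data):
        reasons.append("svg-with-script")
    if name.endswith(SCRIPT_EXTS):
        reasons.append("script-attachment")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if LURE_ARCHIVE.match(filename):
            reasons.append("lure-archive-name")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                base = member.rsplit("/", 1)[-1]
                if base.lower().endswith(SCRIPT_EXTS):
                    reasons.append("script-in-archive:" + base)
    return reasons


def make_zip(members):
    """Build an in-memory zip; used only to construct the sample inputs below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: harmless placeholder contents, names shaped like the lures.
    lure = make_zip({"K7Q2M9X4.js": b"// placeholder"})
    print(triage_attachment("logs_a1b2c3.zip", lure))
    print(triage_attachment("Photo_2311.svg", b"<svg><script>/* placeholder */</script></svg>"))
    print(triage_attachment("report.zip", make_zip({"notes.txt": b"hello"})))
```

The checks look only at file type and structure, so they also catch archives whose names do not follow the logs_ pattern as long as a script file sits inside.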

Locky .aesir Extension Ransomware – Post-Infection Activity

Similar to the previous .shit Locky variant, this type of ransomware uses JavaScript files and may also use .hta files for the infection. Once the infection has taken place, the malware may begin to execute the encryption procedure.

This procedure alters the core structure of a given file, and the AES (Advanced Encryption Standard) encryption algorithm may be applied to do so. Once this algorithm is applied, the file can no longer be opened and its contents look like the following example:

[Screenshot: a file's contents before and after encryption by Locky]

After the encryption itself, the encrypted files (audio files, videos, pictures, databases, documents and other widely used file types) appear without icons, with changed names and the .aesir file extension:

[Screenshot: files renamed with the .aesir extension]

After the encryption process has completed, the Aesir version of Locky changes the wallpaper, using the language it has detected from the installed Windows:

[Screenshot: Locky wallpaper]

This wallpaper leads to a Locky Decryptor web page, which asks users to convert money into BitCoin and make a ransom payment in order to download the decryptor tailor-made for them:

[Screenshot: Locky Decryptor web page]

Locky Aesir Ransomware – Conclusion, Remove, and Restore Files

As a bottom line, this variant of Locky has seen numerous developments in how it spreads, now supporting infection via malicious browser extensions, Facebook .svg files and new malicious JavaScript. Until experts manage to come up with a solution for Locky ransomware, the advice is to remove all Locky variants from your computer.

To remove the .aesir Locky variant, we urge you to first back up all the encrypted files, because the ransomware uses a combination of AES and RSA ciphers and has generated a unique key for each file, and tampering directly with the virus may break the files permanently. This is why, if you do not have the experience, we recommend following the automatic removal instructions below.
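One way to take that backup without touching the originals, shown as an added example that is not part of the original article: it copies every .aesir file to a separate location, keeps the relative paths, and writes a SHA-256 manifest so the copies can be checked later. The function names and manifest layout are hypothetical, and the script is assumed to run from a clean environment with the affected drive mounted.

```python
import hashlib
import json
import shutil
from pathlib import Path

EXT = ".aesir"  # extension this Locky variant appends, per the article


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_encrypted(root, dest):
    """Copy every *.aesir file under root into dest, keeping relative paths.

    Originals are only read, never renamed or deleted. Returns the manifest
    (a list of dicts), which is also written to dest/manifest.json.
    """
    root, dest = Path(root), Path(dest)
    manifest = []
    for src in sorted(root.rglob("*")):
        if not src.is_file() or src.suffix.lower() != EXT:
            continue
        if dest in src.parents:  # skip an earlier backup if dest lies inside root
            continue
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        digest = sha256_of(src)
        shutil.copy2(src, target)  # copy2 also preserves timestamps
        if sha256_of(target) != digest:
            raise IOError("copy of %s does not match the original" % rel)
        manifest.append({"path": rel.as_posix(),
                         "size": src.stat().st_size,
                         "sha256": digest})
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest
```

Keeping the hashes means that if a decryptor for this variant ever becomes available, the backed-up files can be confirmed to be byte-for-byte what the ransomware left behind.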

Regarding file decryption, the only reason malware researchers haven’t broken Locky so far is that the virus uses a custom-programmed decryptor that corresponds to a unique key for each infection. This makes discovering a common decryptor a very difficult task. However, you may want to try our alternative solution methods in step “2. Restore files encrypted by Aesir Locky” below. They are not fully effective, but they may help restore at least some of your files, since the malware may not have deleted them fully.

Manually delete Aesir Locky from your computer

Note! Important notice about the Aesir Locky threat: manual removal of Aesir Locky requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Aesir Locky files and objects
2. Find malicious files created by Aesir Locky on your PC

Automatically remove Aesir Locky by downloading an advanced anti-malware program

1. Remove Aesir Locky with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Aesir Locky
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
