The ransomware that is a mystery wrapped in an enigma inside a riddle for malware researchers has been released in yet another variant. The latest Locky ransomware does not cheat on its roots and uses the .aesir file extension – the name of the old Norse god Æsir, similar to its other iterations – .thor, .locky and .odin. The ransomware has significantly improved its distribution capabilities and can affect even a higher number of users than its previous version. Users who have been infected by this ransom virus, should not follow the instructions set as their wallpaper and not pay any ransom amount requested by cyber-criminals. Instead, we suggest you read this article to become familiar with Locky ransomware and learn how to remove it, backup your files and try to restore them for free.
Image Source:https://vignette3.wikia.nocookie.net
Threat Summary
| Name |
Aesir Locky |
| Type | Ransomware, File-Encryption Malware |
| Short Description | The Locky .aesir malware iteration encrypts users files and uses a strong combination of AES and RSA ciphers to encrypt the files on the compromised computer asking the user to pay ransom in Bitcoin to get them back. |
| Symptoms | The user infected by the Aesir Locky variant may witness ransom notes and “instructions” in a text file and as the typical Grey/Pink Locky wallpaper. Locky advertises it’s uniquely made decryptor for the specific infected machine on an online Tor-based web page linked in those instructions. |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. |
| Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
| User Experience | Join our forum to Discuss Aesir Locky. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
.aesir Extension Locky Ransomware – More Information About It
First, before encrypting the files, this iteration of the Locky virus has to cause the infection first. This is performed by using a combination of sophisticated tools that allow the malware to spread and infect without the user noticing.
.Aesir Ransomware – Distribution and Infection
The first method by which Locky ransomware’s Aesir variant was discovered was a spam message which contained a malicious e-mail attachment as a .zip archive, named “logs_{random-id}.zip”. The contents of the e-mail were the following:
“Dear {First Name},
We’ve been receiving spam mailout from your address recently. Contents and logging of such messages are in the attachment.
Please look into it and contact us.
Best Regards,
Edith Hancock
ISP Support Tel.: (840) 414-21-61”
Source:Twitter.com
After the user opens the zip file, he will discover a malicious .js JavaScript file which is with a completely random A-Z, 0-9 name, such as the following:
After the user opens the JavaScript file, the .aesir version of Locky malware connects to a C2 server from one of the many distribution sites of Locky:
After this, the malware downloads a .dll file, again with random names in the %Temp% folder, where more files can be dropped. Not only this, but the Aesir Locky malware also drops an “information.cgi” file in it’s POST traffic, most likely containing a variant of it’s ransom note.
Another scenario of infection by this iteration of Locky ransomware has been reported to be via the social media giant Facebook. Malware researcher Catalin Cimpanu has reported at Bleeping Computer that the Locky has begun to spread over spam messages of malicious .svg files sent directly to the user from suspicious accounts. Spam messages, like Photo_2311.svg being directly sent, are not photos, and users are warned not to open them, since they contain the notorious Nemucod downloader used with Nemucod ransomware and may infect your computer with Locky.
Locky .aesir Extension Ransomware – Post-Infection Activity
Similar to the previous .shit, Locky variant, this type of ransomware uses javascript files and may also use .hta files for the infection. After this infection is caused, the malware may begin to execute the encryption procedure.
This procedure alters the core structure of a given file, rendering it to be no longer openable and the AES (Advanced Encryption Standard) encryption algorithm may be applied to do so. Once this algorithm is applied, the file becomes no longer openable and it’s core code looks like the following example:
After the encryption itself, the encrypted files, which are audio files, videos, pictures, databases, documents and other widely used files appear in a non-icon form with changed names and the .aesir file extension:
After the encryption process has completed, the Aesir version of Locky changes the wallpaper with the same language as it has detected based on the installed Windows:
This wallpaper leads to a web-page of Locky Decryptor which requests from users to convert money in BitCoin and make a ransom payoff to download the tailor made for them decryptor:
Locky Aesir Ransomware – Conclusion, Remove, and Restore Files
As a bottom line, this variant of Locky has numerous developments when it comes to it’s spreading, now supporting the ability to infect via malicious browser extensions, Facebook .svg files and new malicious JavaScript. Until experts manage to come up with a solution for Locky ransomware, advises are to remove all the Locky variants from your computer:
- .shit Locky Iteration(see link in article above).
- .thor Locky virus.
- .locky Ransomware.
- .odin Locky iteration.
- .zepto Variant of Locky.
To remove the .aesir Locky variant, we urge you to first backup all the encrypted files because the ransomware uses a combination of AES and RSA ciphers and has developed a unique key for each file and tampering directly with the virus may break the files indefinitely. This is why we recommend if you do not have the experience to follow the Automatic instructions for removal below.
Regarding file decryption, the only reason malware researchers haven’t broken locky so far is that the virus uses a custom programmed decryptor that corresponds to a unique key for each infection. This makes discovering a common decryptor a very difficult task. However, you may want to try and use our alternative solution methods in step “2. Restore files encrypted by Aesir Locky” below. They are not fully effective but they may help restore at least some of your files since the malware may not have deleted them fully.
Ventsislav Krastev
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Follow Me:
- Guide 1: How to Remove Aesir Locky from Windows.
- Guide 2: Get rid of Aesir Locky from Mac OS X.
- Guide 3: Remove Aesir Locky from Google Chrome.
- Guide 4: Erase Aesir Locky from Mozilla Firefox.
- Guide 5: Uninstall Aesir Locky from Microsoft Edge.
- Guide 6: Remove Aesir Locky from Safari.
- Guide 7: Eliminate Aesir Locky from Internet Explorer.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
How to Remove Aesir Locky from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove Aesir Locky
Step 2: Uninstall Aesir Locky and related software from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it. To do that:
Follow the instructions above and you will successfully uninstall most programs.
Step 3: Clean any registries, created by Aesir Locky on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by Aesir Locky there. This can happen by following the steps underneath:
Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.
Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Get rid of Aesir Locky from Mac OS X.
Step 1: Uninstall Aesir Locky and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.
In case you cannot remove Aesir Locky via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
→ ~/Library/LaunchAgents
/Library/LaunchDaemons
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove Aesir Locky files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as Aesir Locky, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Remove Aesir Locky from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Erase Aesir Locky from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Uninstall Aesir Locky from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Remove Aesir Locky from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the Aesir Locky will be removed.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Eliminate Aesir Locky from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.
