.AYE Files Ransomware – How to Remove It

This article explains what .AYE files are, how to remove the ransomware that creates them, and how you can try to restore the files it has encrypted.

Yet another ransomware virus, dubbed .AYE ransomware, was detected by security experts. The virus aims to append the .AYE file extension to the files it encrypts and then asks victims to contact sebekgrime@tutanota.com in order to restore them. The ransomware is believed to be a variant of the Dharma ransomware family. It may also drop the Dharma/CrySiS ransom note, which contains instructions on how and where to pay BitCoin for access to the encrypted files. If your computer has been infected by the .AYE variant of Dharma ransomware, we recommend that you read this article, as it contains more information about the threat and shows methods to remove it and try to recover your files.

Threat Summary

Name: .AYE Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer and then append the .AYE file extension to them to extort you to pay ransom to get them back.
Symptoms: Files are encrypted with the added .AYE extension and the ransom note of Dharma ransomware is dropped on the victimized machine.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.AYE Files Virus – Distribution Methods

The .AYE ransomware propagates in more than one way. The virus may be spread via e-mail attachments of the following file types:

→ .docx, .docm, .PDF, .exe, .js, .vbs, .bat

The malicious files sent via e-mail often pose as legitimate documents, such as invoices, receipts or other important files sent from big companies, banks or even your workplace.

Besides e-mail, the .AYE file ransomware may also be spread through several passive methods. Its infection file may sit on compromised websites, waiting for victims to download it. There, the files often pretend to be:

  • Portable programs.
  • Cracks.
  • License activators.
  • Patches.
  • Fixes.
  • Key Generators.

.AYE Files Virus – More Information

Once your computer becomes infected by the .AYE files virus, the files of this ransomware may immediately be dropped on your drive. The main file of .AYE ransomware was recently reported on VirusTotal with the following identifiers:

→ SHA-256: 3145ce9af8f1e44e2c0f0a9123f8201a3aab013c7bfaf1f120fa4d7e50a67259
File size: 2.04 MB

The .AYE file ransomware may also drop its ransom note file.

Furthermore, the .AYE file ransomware may also perform the following malicious activities on your computer after infection:

  • Create mutexes.
  • Check if it’s running on a real PC or a virtual drive.
  • Self-update.
  • Connect to the cyber-criminals’ C&C servers to relay information.
  • Obtain your IP address.
  • Obtain your language and location.

In addition to this, the ransomware virus may also modify the following Windows registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
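
The following PowerShell audit is an added example, not part of the original article or of any removal tool it mentions. It lists every autostart entry under the four keys above, resolves the file each entry launches, and compares that file's SHA-256 with the hash reported earlier in this article. The function names and the path-extraction heuristic are assumptions made for illustration.

```powershell
# Added example: audit the four Run/RunOnce keys named in this article.
# $ReportedSha256 is the SHA-256 this article gives for the main .AYE file.
$ReportedSha256 = '3145ce9af8f1e44e2c0f0a9123f8201a3aab013c7bfaf1f120fa4d7e50a67259'
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyTarget {
    # Hypothetical helper: pull the executable path out of an autostart command.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }            # quoted path
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|scr|vbs|js))(\s|$)') { # unquoted path
        return $Matches[1]
    }
    return ($expanded -split '\s+')[0]                                   # fallback: first token
}

function Get-RunKeyAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $target  = Get-RunKeyTarget -Command $command
            # Bare names such as "rundll32.exe" are not resolved and show FileExists = False.
            $exists  = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
            $hash = $null; $signature = 'n/a'
            if ($exists) {
                $hash      = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash.ToLower()
                $signature = [string](Get-AuthenticodeSignature -LiteralPath $target).Status
            }
            [pscustomobject]@{
                Key             = $key
                ValueName       = $name
                Command         = $command
                Target          = $target
                FileExists      = $exists
                Signature       = $signature
                SHA256          = $hash
                MatchesReported = ($hash -eq $ReportedSha256)
            }
        }
    }
}

Get-RunKeyAudit | Sort-Object -Property MatchesReported -Descending | Format-List
```

Entries whose target is unsigned, missing, or located in a user-writable folder deserve a manual look even when the hash does not match, since other builds of the same family will hash differently.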

In addition, the ransomware may perform other activities on infected computers, such as deleting the backed-up shadow copies, which makes it next to impossible to recover the files using Windows Backup and Recovery. To do this, the .AYE ransomware may execute the following Windows command:

→ vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]
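
To check whether this happened on a given machine, the added PowerShell example below (not from the original article) searches process-creation events for a `vssadmin delete shadows` invocation and lists the shadow copies that still exist. It assumes an elevated session and that process-creation auditing with command-line logging was enabled before the infection; the function names are hypothetical.

```powershell
# Added example: find evidence of shadow-copy deletion and list surviving copies.
# Assumption: Security event 4688 is being logged with the CommandLine field;
# without that audit policy the search returns nothing even on an affected host.
function Find-ShadowCopyDeletion {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # Read EventData fields by name rather than by position.
        $fields = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $fields[$node.GetAttribute('Name')] = $node.InnerText
        }
        $image   = [string]$fields['NewProcessName']
        $cmdLine = [string]$fields['CommandLine']
        # Match "delete shadows" only; "vssadmin list shadows" is benign.
        if ($image -match '\\vssadmin\.exe$' -and $cmdLine -match '\bdelete\s+shadows\b') {
            [pscustomobject]@{
                Time          = $evt.TimeCreated
                User          = $fields['SubjectUserName']
                ParentProcess = $fields['ParentProcessName']  # empty on older Windows versions
                CommandLine   = $cmdLine
                Quiet         = ($cmdLine -match '/quiet')
                AllShadows    = ($cmdLine -match '/all')
            }
        }
    }
}

function Get-RemainingShadowCopy {
    # Lists the shadow copies that still exist on this machine.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object -Property ID, VolumeName, InstallDate
}

$hits = @(Find-ShadowCopyDeletion)
if ($hits.Count -gt 0) {
    $hits | Sort-Object -Property Time | Format-List
} else {
    'No vssadmin shadow-copy deletion found in the audited period.'
}

$copies = @(Get-RemainingShadowCopy)
'Shadow copies still present: {0}' -f $copies.Count
$copies | Format-Table -AutoSize
```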

.AYE Ransomware – Encryption Process

The encryption process of .AYE ransomware does not differ much from that of other Dharma virus variants. The malware scans for the following file types:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

When the virus has finished scanning for files, it may use an advanced encryption algorithm to lock the files and add the .AYE extension to them.

Remove .AYE Ransomware and Try Restoring Your Files

If your computer has been infected by the .AYE file ransomware, we strongly recommend that you try removing it using the instructions below this article. They have been made with the main goal of helping you delete this virus either manually or automatically (recommended). For maximum effectiveness, security experts strongly advise users to scan computers with anti-malware software and use it to remove the virus automatically and safely.

If you want to restore files, encrypted by this ransomware, we suggest that you follow the file recovery methods underneath in the “Try to restore” step. They come with no guarantee for file recovery, but with their aid, you may be able to retrieve at least some of your information.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
