AES-NI Ransomware

AES-NI Ransomware Description

At the time of writing, the AES-NI Ransomware is the latest release of the '.aes256 File Extension' Ransomware. The AES-NI Ransomware is an encryption Trojan that is programmed to encrypt users' data and invite them to pay a ransom for the appropriate decryption software and key. The AES-NI Ransomware was reported on April 12th, 2017, and subsequent research confirmed it is based on the '.aes256 File Extension' Ransomware. Also, the AES-NI Ransomware appears to be the work of Russian programmers who offer free decryption to users based in Russia, Belarus, Moldova and a few other countries in the region. The AES-NI Ransomware may be delivered to users via spam emails and comes in two flavors. Cyber security researchers report that the AES-NI Ransomware is known to feature the slogans 'SPECIAL VERSION: NSA EXPLOIT EDITION' and 'April Edition' and to use four file markers (at the time of writing) on encrypted data.

Everyone Should Be Considered a Potential Target for the AES-NI Ransomware

The AES-NI Ransomware is deemed a credible threat to corporate databases, Web servers and home computers alike. Analysis revealed that the AES-NI Ransomware takes advantage of the AES and RSA cryptographic technologies to encipher data securely. When the AES-NI Ransomware invades the system, it sends a report to its 'Command and Control' server that includes the victim's IP address, OS version, software configuration, keyboard layout, and approximate geographical location. Next, the AES-NI Ransomware proceeds to generate a unique encryption key and compile an index file that includes the names and locations of objects suitable for encryption. You should note that the procedure takes a little time and the Trojan does not hijack processing power from other applications on your system. The threat is designed to use no more than 30% of your processing power to lock your files efficiently and avoid detection. Affected users may notice an increased read/write load on their PCs, but they may not recognize that there is something wrong.

The AES-NI Ransomware is named after the '.aes_ni' suffix attached to the names of locked objects. For example, 'Moth orchids.jpeg' is renamed to 'Moth orchids.jpeg.aes_ni' and Windows Explorer displays a generic white icon that has no thumbnail. As stated above, the AES-NI Ransomware is a threat to databases, and it is reported to lock images, videos, presentations, media project files, spreadsheets, text, eBooks, contacts lists and PDFs, and to corrupt database configurations. PC security analysts reported that the AES-NI Ransomware has several versions that are known to use the following extensions:

  • .aes_ni
  • .aes_ni_gov
  • .lock
  • .aes256

The AES-NI Ransomware is programmed to store the decryption key in an obfuscated file named '.key.aes_ni', which can be found in 'C:\ProgramData', a folder that Windows uses to store program configurations. The key cannot be read unless you have the correct decryption tool, which users are told to buy by writing to 0xc030@protonmail.ch or using channels on the Jabber and BitMessage instant messaging platforms. The ransom notification is saved to the desktop of infected users as '!!! READ THIS - IMPORTANT !!!.txt' and offers the following text:

'AES-NI
SORRY! Your files are encrypted.
File contents are encrypted with random key (AES-256 bit; ECB mode).
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
0xc030@protonmail.ch'

The message includes instructions on how to run the TOR Browser and access a support page on the TOR Network where users are invited to provide their IDs and email for contact. The support team behind the AES-NI Ransomware may respond to inquiries via the following channels as well:

  • Email: 0xc030@protonmail.ch
  • Jabber: zooolo@darknet.nz
  • BitMessage: BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN
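
The file-system indicators named above (the four extensions, the '.key.aes_ni' file and the ransom note name) can be checked with a short triage script. This is an added example, not code from the original article or from any vendor tool; the function names, the default scan roots and the rule that '.lock' only counts when appended to a name that keeps its original extension are assumptions made here to cut false positives from benign lock files.

```python
import os
import sys
from collections import Counter

# Indicators taken from the description above.
MARKERS = (".aes_ni", ".aes_ni_gov", ".aes256")
WEAK_MARKER = ".lock"  # also used by benign lock files (yarn.lock, index.lock)
KEY_FILE = ".key.aes_ni"
RANSOM_NOTE = "!!! read this - important !!!.txt"  # compared in lower case

def classify(name):
    """Return 'key', 'note', 'locked' or None for a single file name."""
    n = name.lower()
    if n == KEY_FILE:  # checked first: the key file also ends in '.aes_ni'
        return "key"
    if n == RANSOM_NOTE:
        return "note"
    if n.endswith(MARKERS):
        return "locked"
    # Assumption: count '.lock' only when it was appended to a name that
    # still carries its original extension ('report.docx.lock').
    if n.endswith(WEAK_MARKER) and "." in n[: -len(WEAK_MARKER)].lstrip("."):
        return "locked"
    return None

def scan(root):
    """Walk root; return key/note paths and locked-file counts per directory."""
    hits = {"key": [], "note": [], "locked": Counter()}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            kind = classify(name)
            if kind == "locked":
                hits["locked"][dirpath] += 1
            elif kind:
                hits[kind].append(os.path.join(dirpath, name))
    return hits

def verdict(hits):
    """A key file or ransom note is strong evidence; renamed files alone are weaker."""
    if hits["key"] or hits["note"]:
        return "likely infected"
    return "suspicious" if hits["locked"] else "no indicators"

if __name__ == "__main__":
    desktop = os.path.join(os.path.expanduser("~"), "Desktop")
    for root in sys.argv[1:] or [r"C:\ProgramData", desktop]:
        found = scan(root)
        print(root, verdict(found), dict(found["locked"]))
```

Run it with one or more directories as arguments to cover file shares or data volumes; with no arguments it checks the two locations the description names.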

What Is the Smart Response to the Demands of the AES-NI Ransomware?

A similar level of dedication to their 'customer's satisfaction' was introduced by the Spora Ransomware. However, we do not encourage users to contact the cyber extortionists when they can rebuild their file structure using backups and archives. Paying the asked fee should not be considered as your first option because there is no guarantee that the crooks would send you a decryptor just because they are nice. PC users should consider that the modern threat landscape is dominated by threats like the AES-NI Ransomware and the Project34 Ransomware. Hence, it is best to run a reliable backup manager and boost your cyber security with a trusted anti-malware shield.
