AES-NI Ransomware

AES-NI Ransomware Description

The AES-NI Ransomware is a ransomware Trojan that seems to be associated with the use of NSA exploits leaked by the hacking group Shadow Brokers. According to tweets released by the AES-NI Ransomware's creator, a Windows server vulnerability was used to install the AES-NI Ransomware, a low-quality ransomware Trojan. There is one thing clear about these claims; the AES-NI Ransomware has been responsible for numerous attacks in April 2017. Between April 10 and April 22 the detection of the AES-NI Ransomware has been at about 0 to 5 infected systems every day, with more than 100 victims by the end of the measurement period. This spike in infections seems to coincide with the leak of Windows exploits. However, PC security researchers consider that these exploits are not being used to deliver the AES-NI Ransomware, regardless of the con artists' claims. The most likely culprit is Remote Desktop Protocol (RDP), which may be used to carry out attacks by exploiting weak passwords and security protection.

The AES-NI Ransomware Attack and Its Consequences

There is still doubt in regards to how the AES-NI Ransomware is being delivered to victims. However, it is clear that the AES-NI Ransomware infection is mainly spreading by exploiting vulnerabilities in the system security rather than through the use of corrupted email attachments (a common method used to deliver other ransomware Trojans). PC security researchers have taken steps to curtail the effects of the AES-NI Ransomware attack. Email addresses linked to the AES-NI Ransomware attack also have been blocked, and the operations of the AES-NI Ransomware have been hampered in various ways by malware researchers.

A Quick Look at the AES-NI Ransomware Infection

The AES-NI Ransomware Trojan has been around since at least December 2016 and also may be detected as the AES Ransomware or the AES256 Ransomware, using various aliases in its attack. The ransom note associated with the current the AES-NI Ransomware variant claims that this version is the 'NSA EXPLOIT EDITION' and asks for a ransom of 1.5 BitCoins (approximately $1800 USD at the current exchange rate), also claiming to decrypt files for free for computer users located in countries that on one occasion were members of the Soviet Union. The AES-NI Ransomware attack is strong, and there is no way to recover the files encrypted by the AES-NI Ransomware besides restoring them from a backup currently. C security researchers strongly advise computer users to have file backups to nullify the effects of the AES-NI Ransomware and other ransomware attacks.

The following is the ransom note associated with this attack:

'==========================# the AES-NI Ransomware #==========================
█████╗ ██████╗██████╗ ███╗ ██╗ ██╗
██╔═██╗██╔═══╝██╔═══╝ ████╗ ██║ ██║
██████║█████╗ ██████╗███╗██╔██╗██║ ██║
██╔═██║██╔══╝ ╚═══██║╚══╝██║╚████║ ██║
██║ ██║██████╗██████║ ██║ ╚███║ ██║
╚═╝ ╚═╝╚═════╝╚═════╝ ╚═╝ ╚══╝ ╚═╝
SORRY! Your files are encrypted.
File contents are encrypted with random key (AES-256 bit; ECB mode).
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
0xc030@protonmail.ch
Also there is one fast way to contact us.
If you are familiar with Jabber, write us to JID: zooolo@darknet.nz (it is Jabber, not e-mail address!)
You can get Jabber account for example at https://www.xmpp.jp/signup
IMPORTANT: In some cases malware researchers can block our e-mails.
If you did not receive any answer on e-mail in 48 hours,
please do not panic and write to BitMsg (https://bitmsg.me) address:
BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN
or create topic on https://www.bleepingcomputer.com/ and we will find you there.
Also it will be better if you download Tor browser here: https://www.torproject.org/download/download-easy.html.en
Download, install and run it; then visit our site (from Tor browser): http://kzg2xa3nsydva3p2.onion/index.php
Please do not visit this site from standard browser: it just will not open. You need Tor Browser to open .onion sites.
There is a form, you can write us there if all e-mails are blocked and we will contact you very fastly.
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
You MUST refer this ID in your message:
PC#EB53D6F20CF4C8BDCFD536DE4B29906C
Also you MUST send all ".key.aes_ni" files from C:\ProgramData if there are any.
==========================# the AES-NI Ransomware #=========================='

Preventing the AES-NI Ransomware Attacks

If this ransomware Trojan is indeed being delivered using the leaked NSA exploits, then it is crucial to install all security patches and have file backups. Strong security protection and passwords can prevent the attacks that allow con artists to install these threats on the victims' computers.

Infected with AES-NI Ransomware? Scan Your PC for Free

Download SpyHunter's Spyware Scanner
to Detect AES-NI Ransomware
* SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

Infection Statistics


Our MalwareTracker shows malware activity across the world. Explore real-time data of AES-NI Ransomware outbreaks and other threats from global to local level.

File System Details

AES-NI Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 File.exe 1,022,978 83e824c998f321a9179efc5c2cd0a118 50

Site Disclaimer

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as is:
What is 14 + 8 ?