RSA-NI Ransomware Description
The RSA-NI Ransomware is an encryption ransomware Trojan that seems to be related to the AES-NI Ransomware, a ransomware Trojan that was released in April 2017. The RSA-NI Ransomware was released in early December 2017, and its code differs only slightly from that of its predecessor. The most common way in which the RSA-NI Ransomware is delivered to victims is through malicious email attachments, which use macro scripts to download and install the RSA-NI Ransomware onto victims' computers.
How the RSA-NI Ransomware Attack Works
The RSA-NI Ransomware tactic itself is not difficult to understand. The purpose of the RSA-NI Ransomware, just like other encryption ransomware Trojans, is to make the victim's files inaccessible by encrypting them with a combination of AES and RSA. Ransomware threats like the RSA-NI Ransomware demand the payment of a ransom from the victim, usually by displaying a ransom note on the affected computer once the victim's files have been compromised. The RSA-NI Ransomware will target a wide variety of file types in its attack, which may include the following:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
Once the RSA-NI Ransomware enciphers the files, they are not recoverable with current technology. Apart from encrypting the victim's files, the RSA-NI Ransomware will modify their names by adding the file extension '.firstname.lastname@example.org' to the end of each affected file. This seems to be the email address that the victims are urged to use to contact the people responsible for the RSA-NI Ransomware attack. PC security researchers counsel computer users against establishing contact with the people responsible for the RSA-NI Ransomware attack.
The Threat Contained on the RSA-NI Ransomware Ransom Note
The RSA-NI Ransomware delivers a ransom note demanding the payment of a ransom. It is delivered in the form of a text file named 'Attention!!! Your data breaches!!!.txt', which is dropped on the infected computer system's desktop. The full text of the RSA-NI Ransomware ransom note reads:
'=========# the RSA-NI Ransomware #========
IMPORTANT: [EDITED] and [EDITED]
We hacked your server and copied your important data.
Please write us to the e-mail in 24 hours email@example.com firstname.lastname@example.org
After payment, Your data will be destroyed, Otherwise your data will be leaked to the public.
=========# the RSA-NI Ransomware #========'
Victims of the attack are directed to write to the cybercrooks with a specific ID number and then urged to pay a ransom using Bitcoins. The email addresses that have been linked to the RSA-NI Ransomware and its variants are:
Although the exact amount of the RSA-NI Ransomware ransom is currently unknown, these attacks demand a ransom between 500 and 2000 USD. Malware experts strongly advise computer users to stay away from paying the RSA-NI Ransomware ransom or contacting the people responsible for these attacks. Instead of paying the RSA-NI Ransomware's ransom, it is preferable to recover the affected files from a backup copy. This is why having file backups is so important; backup copies of your files are the best precaution against the RSA-NI Ransomware and other ransomware Trojans.
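To scope which files need restoring from backup, a file listing can be checked for the two artifacts described above: the ransom note name and the email-style extension appended to targeted file types. The Python below is an added example, not code from the original page. The function name `triage`, the constructed sample paths and the generic email-shaped suffix match are assumptions, and the suffix in the sample is the placeholder address as it appears on this page.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Ransom note file name as given on this page.
NOTE_NAME = "Attention!!! Your data breaches!!!.txt"

# Subset of the targeted extensions listed on this page; extend as needed.
TARGETED = ("doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "sql", "zip")

# <original name>.<targeted ext>.<email-style suffix>. Matching any
# email-shaped suffix is an assumption, since variants use other addresses.
RENAMED = re.compile(
    r"^(?P<orig>.+\.(?:%s))\.(?P<suffix>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)$"
    % "|".join(TARGETED),
    re.IGNORECASE,
)

# Constructed sample listing; the suffix is the placeholder shown on this page.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\Attention!!! Your data breaches!!!.txt",
    r"C:\Users\alice\Documents\budget.xlsx.firstname.lastname@example.org",
    r"C:\Users\alice\Documents\v1.doc.final.pdf.firstname.lastname@example.org",
    r"C:\Users\alice\Documents\contacts@work.pdf",
    r"C:\Users\alice\Pictures\holiday.jpg",
]


def triage(paths):
    """Return ransom-note hits and renamed files grouped by appended suffix."""
    notes, renamed = [], defaultdict(list)
    for path in paths:
        name = PureWindowsPath(path).name
        if name.lower() == NOTE_NAME.lower():
            notes.append(path)
            continue
        match = RENAMED.match(name)
        if match:
            # Keep the pre-encryption name so it can be matched to backups.
            renamed[match.group("suffix").lower()].append(match.group("orig"))
    return {"ransom_notes": notes, "renamed": dict(renamed)}


if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    print("ransom notes:", report["ransom_notes"])
    for suffix, names in report["renamed"].items():
        print(f"{len(names)} file(s) renamed with .{suffix}: {names}")
```

Grouping by suffix keeps files touched by different variants apart, and the recovered original names can be compared directly against a backup catalogue.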