Home Malware Programs Ransomware AES-NI Ransomware

AES-NI Ransomware

Posted: April 21, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: April 21, 2017
Last Seen: July 4, 2022
OS(es) Affected: Windows

The AES-NI Ransomware is a Trojan that began attacking PC users late in 2016 by encrypting their files to hold the data for ransom. Although the Trojan attempts to exclude systems from specific regions, this blacklist isn't foolproof, and an infection can damage most of the files on your PC permanently. When your anti-malware products don't remove the AES-NI Ransomware preceding to its attacks, follow standard security guidelines to disinfect your PC and restore any encrypted content from the last available backup.

Trojans Dealing out Ransoms for Some, Safety for Others

Due to their governments' unusual stances on cyber warfare, Russia and its satellite nations play a semi-unique role in the threat industry, and threat actors often make special considerations for that region of the world. These geography-based perks even apply to file-encrypting Trojans like the AES-NI Ransomware, which dates to the last months of 2016, but is being updated as late as April of the current year. However, not all victims report of being filtered out of the AES-NI Ransomware's list of suitable targets accurately, and malware experts don't recommend relying on your nationality, alone, for protecting your computer.

The AES-NI Ransomware is a traditional encryption-based Trojan that uses the AES-256 and RSA-2048 algorithms to encode your media with a cipher securely. The attacks exclude certain, particularly important formats that often are essential to for software applications: DLL, EXE, SYS, LNK and MUI. All other content is encrypted without any discrimination, indicating that this Trojan is almost certainly in deployment against server-specific systems instead of personal-use computers.

This Trojan also detects the system linguistic settings and fails to run if the PC is using Russian or associated regional languages. This discrimination most likely is meant to protect the AES-NI Ransomware's authors from intervention by the Russian law enforcement. When functioning as intended, in these conditions, the Trojan terminates before it can encrypt any content or display its other symptom: a ransom message selling its decryption solution.

Why No One Lives in a Trojan-Proof House

Not all Russia-based victims of the AES-NI Ransomware infections benefit from immunity to the Trojan; malware analysts are confirming some reports of the Trojan ignoring the previously-mentioned regional blacklist. For those users, and others in different nations, the AES-NI Ransomware ransoms their encrypted data by providing text messages with instructions for contacting the threat actors over the BitMsg client. These components also provide other evidence of the continuing activity of this group of crooks through the regularly rotated e-mail addresses they offer.

The AES-NI Ransomware's text messages include numerous warnings against using alternative methods of decrypting or otherwise restoring your files, which malware experts recommend disregarding. The decryption solutions offered by these people often can cause further damage to your local media and are always inferior to restoring from the last known backup, when possible. The infection methods the AES-NI Ransomware campaign has emphasized include network-based exploits that can give con artists backdoor access to the PC particularly. Updating all software, avoiding e-mail and phishing-based attacks, and using secure passwords can prevent most security breaches of this type.

The AES-NI Ransomware's authors are concealing their ransom demands, possibly to give themselves more bargaining power against different, corporate targets with compromised servers. Although many anti-malware services should eliminate the AES-NI Ransomware before it commences with its encryption, users without that protection could face a still undetermined degree of extortion.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



File.exe File name: File.exe
Size: 1.02 MB (1022978 bytes)
MD5: 83e824c998f321a9179efc5c2cd0a118
Detection count: 50
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 24, 2017
Loading...