Avast releases new ransomware decryption tool for the AES_NI ransomware.
Special thanks to Ladislav Zezula for working on this blog post and the decryptor tool!
If your files have been encrypted by the AES_NI ransomware, you can now recover them without paying the ransom. To decrypt your files, download Avast’s free decryptor tool.
The AES_NI ransomware was first spotted in December 2016. We have seen multiple variants since then, which can be distinguished by the file extension of the encrypted files:
When encrypting files, the ransomware generates an RSA session key (one per machine). This session key is then encrypted and saved to a file in the %ProgramData% folder (e.g. “C:\ProgramData”). The name of the file looks like this:
Unlike the rest of the encrypted files, this file’s AES key needs to be decrypted using a master private key, which was published on May 25, 2017 by the Twitter user @AES___NI. With this, security researchers can now create a universal decryptor.
When encrypting a file, the ransomware generates a per-file random 128-byte number (using the CryptGenRandom API). This number is then cut down to a 256-bit AES key and used for encrypting the file data. The ransomware encrypts the file data in-place (using memory mapping), encrypting up to 15,728,640 bytes. The AES encryption key is then stored at the end of the file, together with the user ID and the original file name.
The encryption scheme can be summarized by the following picture:
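The per-file layer of this scheme, modelled in Go as an added example (this is not Avast’s decryptor or the ransomware’s code): a 256-bit key cut from 128 random bytes, only the first 15,728,640 bytes transformed, and the key plus original name parsed back out of a trailer. The AES mode, the trailer layout and the choice of the first 32 bytes as the key are assumptions, and the key is stored raw here where the real scheme stores it RSA-wrapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// MaxEncrypted is the limit the post states: only the first 15,728,640 bytes (15 MiB)
// of a file are encrypted, so anything past that offset is still plaintext.
const MaxEncrypted = 15728640
// DeriveFileKey models "128 random bytes cut down to a 256-bit AES key" (keeping the first 32 bytes is an assumption).
func DeriveFileKey(random128 []byte) []byte { return random128[:32] }

// cryptPrefix transforms at most MaxEncrypted bytes in place. AES-256-CTR with a zero
// nonce is an assumption, tolerable here only because each file has its own random key.
func cryptPrefix(key, data []byte) {
	block, _ := aes.NewCipher(key)
	n := len(data)
	if n > MaxEncrypted {
		n = MaxEncrypted
	}
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(data[:n], data[:n])
}

// Seal builds a constructed sample: encrypted prefix, untouched tail, then a trailer of
// key | original name | u16 name length. Layout is assumed; the real key is RSA-wrapped.
func Seal(key []byte, origName string, plain []byte) []byte {
	out := append([]byte(nil), plain...)
	cryptPrefix(key, out)
	out = append(out, key...)
	out = append(out, origName...)
	return binary.LittleEndian.AppendUint16(out, uint16(len(origName)))
}

// Recover is the decryptor side: parse the trailer from the end of the file, take the
// key and original name, and decrypt only the prefix that was actually encrypted.
func Recover(enc []byte) (plain []byte, origName string, err error) {
	if len(enc) < 34 {
		return nil, "", errors.New("file too short to hold a trailer")
	}
	nl := int(binary.LittleEndian.Uint16(enc[len(enc)-2:]))
	if len(enc) < 34+nl {
		return nil, "", errors.New("original name length exceeds file size")
	}
	body, tr := enc[:len(enc)-34-nl], enc[len(enc)-34-nl:len(enc)-2]
	plain = append([]byte(nil), body...)
	cryptPrefix(tr[:32], plain) // CTR is its own inverse, so the same call decrypts
	return plain, string(tr[32:]), nil
}
```

Because only the first 15,728,640 bytes are touched, the tail of a larger file is still readable before any key is recovered, which is worth knowing when triaging damage.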
The ransomware creates a file “!!! READ THIS - IMPORTANT !!!.txt” within each folder that has at least one encrypted file in it. The content of the file looks like this: