Avast releases new ransomware decryption tool for the AES_NI ransomware.
Special thanks to Ladislav Zezula for working on this blog post and the decryptor tool!
If your files have been encrypted by the AES_NI ransomware, you can now recover them without paying the ransom. To decrypt your files, download Avast’s free decryptor tool.
The AES_NI ransomware was first spotted in December 2016. We have seen multiple variants since then, which can be distinguished by the extension appended to encrypted files:
When encrypting files, the ransomware generates an RSA session key (one per machine). This session key is then encrypted and saved to a file in the %ProgramData% folder (e.g. “C:\ProgramData”). The name of the file looks like this:
Unlike the rest of the encrypted files, whose AES keys are protected by the per-machine session key, this file’s AES key has to be decrypted with the attackers’ master private key, which was published on May 25, 2017 by the Twitter user @AES___NI. With the master private key, the session key of any infected machine can be recovered, and that is what makes a universal decryptor possible.
When encrypting a file, the ransomware generates a per-file random 128-byte number (using the CryptGenRandom API). This number is then cut down to a 256-bit AES key, which is used to encrypt the file data. The ransomware encrypts the file data in place (using memory mapping), encrypting at most 15,728,640 bytes (15 MiB), so larger files are only partially encrypted. The per-file AES key, protected with the session RSA key so that only the matching private key can unwrap it, is then stored at the end of the file, together with the user ID and the original file name.
The encryption scheme can be summarized by the following picture:
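The key hierarchy and file layout described above, modelled in Go as an added example; this is neither the ransomware's code nor Avast's decryptor. Everything the post states is kept (128-byte random number cut down to a 256-bit AES key, in-place encryption of at most 15,728,640 bytes, AES key plus user ID and original name appended to the file, the session key file unlocked by a master key). Everything else is an assumption of the model: AES-CTR with a zero IV, RSA-OAEP for wrapping the AES key, the first 32 bytes of the random number as the key, a 16-byte user ID, the exact trailer layout, and the constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const (
	maxEncrypted = 15728640 // bytes encrypted in place, as stated in the post
	randomSize   = 128      // per-file random number size, as stated in the post
	aesKeySize   = 32       // 256-bit AES key cut from that number, as stated in the post
	userIDSize   = 16       // assumed: the post does not give the user ID length
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aesCTR encrypts or decrypts buf in place. CTR with a zero IV is an assumption of
// this model; each key is used for exactly one file, so the IV never repeats.
func aesCTR(key, buf []byte) {
	block := must(aes.NewCipher(key))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(buf, buf)
}

// encryptFile models one file: a 128-byte random number is cut down to a 256-bit AES
// key, at most maxEncrypted bytes are encrypted in place, then a trailer is appended.
// Assumed layout (the post only names the fields): RSA-OAEP(wrapPub, aesKey) || userID || name || uint16 LE len(name).
func encryptFile(data []byte, name string, userID []byte, wrapPub *rsa.PublicKey) ([]byte, error) {
	random := make([]byte, randomSize)
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	key := random[:aesKeySize]
	out := append([]byte(nil), data...) // copy so the caller's buffer survives
	aesCTR(key, out[:min(len(out), maxEncrypted)])
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, wrapPub, key, nil)
	if err != nil {
		return nil, err
	}
	out = append(append(append(out, wrapped...), userID[:userIDSize]...), name...)
	return append(out, byte(len(name)), byte(len(name)>>8)), nil
}

type Record struct {
	Content, UserID []byte
	Name            string
}

// decryptFile parses the trailer, unwraps the per-file AES key with the private half
// of the RSA key used at encryption time, and undoes the in-place encryption.
func decryptFile(enc []byte, wrapPriv *rsa.PrivateKey) (Record, error) {
	wrapSize, n := wrapPriv.Size(), len(enc)
	if n < 2 {
		return Record{}, errors.New("too short for a trailer")
	}
	nameLen := int(enc[n-2]) | int(enc[n-1])<<8
	p := n - (wrapSize + userIDSize + nameLen + 2) // where the trailer starts
	if p < 0 {
		return Record{}, errors.New("truncated trailer")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, wrapPriv, enc[p:p+wrapSize], nil)
	if err != nil {
		return Record{}, err
	}
	r := Record{Content: append([]byte(nil), enc[:p]...), Name: string(enc[n-2-nameLen : n-2])}
	r.UserID = enc[p+wrapSize : p+wrapSize+userIDSize]
	aesCTR(key, r.Content[:min(len(r.Content), maxEncrypted)])
	return r, nil
}

// scenario builds the two-level key hierarchy and reports whether the master private
// key alone recovers a constructed victim file that is larger than the limit.
func scenario() bool {
	master := must(rsa.GenerateKey(rand.Reader, 2048))  // the key whose private half was published
	session := must(rsa.GenerateKey(rand.Reader, 2048)) // one per infected machine
	userID := bytes.Repeat([]byte{0x42}, userIDSize)    // constructed
	doc := bytes.Repeat([]byte("constructed sample "), maxEncrypted/19+10)
	encDoc := must(encryptFile(doc, "report.docx", userID, &session.PublicKey))
	tailClear := bytes.Equal(encDoc[maxEncrypted:len(doc)], doc[maxEncrypted:]) // past the limit: untouched
	// The session private key is stored like any other file, but its AES key is wrapped with the master public key.
	keyFile := must(encryptFile(x509.MarshalPKCS1PrivateKey(session), "session.key", userID, &master.PublicKey))
	unlocked := must(decryptFile(keyFile, master)) // what the published master private key enables
	recovered := must(x509.ParsePKCS1PrivateKey(unlocked.Content))
	got := must(decryptFile(encDoc, recovered))
	return tailClear && bytes.Equal(got.Content, doc) && got.Name == "report.docx"
}

func main() {
	fmt.Println("master key recovers the session key and the file:", scenario())
}
```

The point of the model is that `encryptFile` is the same routine for an ordinary file and for the session key file; only the wrapping public key differs. A decryptor built on the master private key therefore needs no per-victim secret: it unwraps the session key file, parses the session private key, and from there every trailer on the machine can be unwrapped. The `tailClear` check also shows why large files come back with their tail intact even before decryption: nothing past byte 15,728,640 was ever touched.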
The ransomware creates a file “!!! READ THIS - IMPORTANT !!!.txt” within each folder that has at least one encrypted file in it. The content of the file looks like this: