Visit avast.com
English
Search Menu
Close
Sections
Tips & Advice

Avast releases free decryptor tool for AES_NI ransomware

Jakub Křoustek, 29 May 2017

Avast releases new ransomware decryption tool for the AES_NI ransomware.

Special thanks to Ladislav Zezula for working on this blog post and the decryptor tool!

If your files have been encrypted by the AES_NI ransomware, you can now recover them without paying the ransom. To decrypt your files, download Avast’s free decryptor tool.

The AES_NI ransomware was first spotted in December 2016. We have seen multiple variants since then, that can be distinguished by the file extension of encrypted files:

  • example.docx.aes_ni
  • example.docx.aes256
  • example.docx.aes_ni_0day

When encrypting files, the ransomware generates an RSA session key (one per machine). This session key is then encrypted and saved to a file to the %ProgramData% folder (e.g. “C:\ProgramData”). The name of the file looks like this:

AES_NI saved encryption key

Unlike rest of the encrypted files, this file’s AES key needs to be decrypted using a master private key, which was published on May 25 2017 by the Twitter user @AES___NI. With this,  security researchers can now create a universal decryptor.

When encrypting a file, the ransomware generates a per-file random 128-byte number (using the CryptGenRandom API). This number is then cut down to a 256-bit AES key, and used for encrypting file data. The ransomware encrypts the file data in-place (using memory mapping), encrypting up to 15,728,640 bytes. The AES encryption key is then stored at the end of the file, together with user ID and original file name.

The encryption scheme can be summarized by the following picture:

02-aes_ni-encryption-scheme.png

The ransomware creates a file “!!! READ THIS - IMPORTANT !!!.txt” within each folder that has at least one encrypted file in it. The content of the file looks like this:

AES_NI_ransom-message.png

Tips on how to avoid ransomware

  • Install antivirus on all devices possible, including on your smartphone. Antivirus will block ransomware, should you encounter it.
  • Updating all of your software whenever a new version becomes available can help prevent ransomware from exploiting a software vulnerability to infect your device.
  • Being cautious can also greatly help avoid ransomware. You should stay away from shady websites, be careful what you download, and not open any links or attachments sent to you from a suspicious or unknown sender. Many people don’t think an ordinary Word or Excel document can lead to something malicious downloaded, which is why cybercriminals like using them for their attacks. Malicious attachments, sent in the form of a Word or Excel document, often request macros to be enabled, which allows the document to download malware, including ransomware, from the internet.
  • While it cannot help you avoid ransomware, backing up your data on a regular basis will help avoid data loss, in case you fall victim to ransomware. If you regularly backup your data, while offline, to an external hard drive that is not connected to the internet, you greatly lower the risk of anyone touching your data through the internet.

IOCs:

.aes-ni

157D7AD2664AA2B7F534A628D56026B0DF9F5FFCCE7CC1F1943A9F939B3F4CF0

A9E2D14DC0F3CF022D52C671675961489592D5F90F97791FBD99007A4F494BD3

.aes_ni_0day

4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76
Check 4 comments or write your comment

Related articles

Tips & Advice

9 cybersecurity terms you need to know

Staying ahead of the latest threats is hard. Not understanding the technical jargon makes it harder. Avast defines 9 words to know, and shares pro tips to keep you safe and protected.

16 August 2017 min read
Tips & Advice

Is your Android device getting sluggish? Find the culprits in our list of performance-draining apps

Avast reveals the Android apps that drain your battery, eat up your storage and use the most of your monthly data plan.

14 August 2017 min read
Tips & Advice

Plenty of Phishing

Know how to detect and outsmart any phishing scam.

12 August 2017 min read

Discussion (4)

Karl Zeilbauer
Please if anyone can give me a phone # to reach someone about my Acct. Have tried computer and phone# provided. Can't contact anybody!!!!!!!!! Help Please, Karl
Stephen Durnford
I very much regret Avast's decision to discontinue offering e-mail contact. It is a commercial error that alienates users. In the past I could get good answers that were properly focussed on my questions. Now Avast's priority seems to be to promote the services available with no provision for the unpredictable. It may be cheaper on overheads, but it is bad PR and thus bad for reputation and for business. My immediate concern today is that my error report tells me that it is 1495840133 days since my last Smart Scan, error of over four million years, though the final digit is correct. This is flattering but inaccurate and points to a bug, which may indeed be minor, but perhaps is not, and will certainly undermine confidence in the whole panoply of Avast's offerings and the management thereof, until and unless a means is again on offer for a dismayed user to report observations of this kind.
md:wahead ali.
I am very happey.
MaryH.
I have been charged for another year of service.I have no computer left for the virus has completely destroyed my computer . I am now using the free one for I didn't know I still had avast for a few more months . i put in for the free one and it doesn't work for i have no idea what the password is. I put the one it says I have but it doesn't work . I am very upset about this .When I saw the payment for $59.00 in my bank account i was furious . I want my money put back in my account . I don't think anyone is protecting my computer . i called the number 1-844-340 - 9251 It said got to the web site for help . never spoke to anyone . what is going on here ?

1988 - 2017 Copyright © Avast Software s.r.o. | Sitemap

Follow us