Ransomware programs are a growing threat in today’s cyberspace and have become a formidable source of income for computer hackers. Having created an encryption virus, renegade developers do their best to keep all information about the program and about themselves secret. It is a rare occurrence for the authors of a ransomware program to dump its master private keys, yet this is exactly what happened a few days ago with AES_NI ransomware.
AES_NI is a ransomware family that first appeared on the scene in December 2016. Several versions of the program were created, distinguishable by the file extensions they appended to the names of the encrypted files: .aes_ni, .aes256 and .aes_ni_0day. After a six-month run, the virus was neutralized in one fell swoop: the master private keys allow victims to decrypt their files without paying the ransom.
Cybersecurity company Avast was the first to take advantage of the disclosure. Using the released keys, the company’s engineers built a decryptor for AES_NI ransomware, a tool that automates the decryption process and makes it easy for victims to restore their files. As Avast researchers explained, the program generates a unique RSA session key for every targeted device. AES_NI then encrypts this key and saves it to a file, which is stored in the Program Data folder.
“Unlike rest of the encrypted files, this file’s AES key needs to be decrypted using a master private key, which was published on May 25 2017 by the Twitter user @AES___NI,” commented Avast in a blog post. The person who published the keys is believed to be the author of the ransomware. His actions have been attributed to a conflict with the operators of XData ransomware: since the two programs share common source code, the owner of AES_NI ransomware released the keys for his creation to avoid being framed.
The concept behind AES_NI ransomware
To encrypt a file, the program generates a random 128-byte number, which is then shortened to a 256-bit AES key. A unique key is created for each targeted file and is used to encrypt that file’s contents. The ransomware then stores the AES encryption key, the user ID and the original file name at the end of the encrypted file.
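The key hierarchy described above (a master RSA key held by the author, a per-device RSA session key wrapped under it, and a per-file AES key wrapped under the device key) is what makes a single leaked master private key enough to decrypt every victim's files. The following is an added example, not Avast's decryptor and not the ransomware's code: it models that hierarchy in memory and shows how a decryptor unwinds it from the master private key downwards. Everything not stated in the article is an assumption and is marked as such in the code: textbook RSA with deliberately small toy moduli, a SHA-256 keystream standing in for AES-256, SHA-256 as the way the 128 random bytes are shortened to a 256-bit key, the exact trailer layout, and the assumption that the per-file key in the trailer is wrapped with the device's RSA public key (which is what makes the RSA private key necessary at all).

```python
# Added example (not the page's or Avast's code): a toy model of the AES_NI-style
# three-tier key hierarchy and of how a decryptor unwinds it from the master key.
# Assumptions not on the page: textbook RSA with small toy moduli, a SHA-256
# keystream as an AES-256 stand-in, SHA-256 as the "shorten 128 bytes to 256 bits"
# step, and the trailer layout (wrapped key | 16-byte user id | name | name length).
import hashlib
import secrets
import struct

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
MASTER_BITS, DEVICE_BITS = 768, 512   # master must be wider: it wraps the device private exponent
KEY_CT_LEN = DEVICE_BITS // 8         # byte length of RSA_device(file key) stored in the trailer


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, adequate for toy key sizes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits):
    """Return ((e, n), (d, n)); toy sizes only, never use for real data."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_encrypt(pub, data):
    e, n = pub
    m = int.from_bytes(data, "big")
    assert m < n, "payload must fit the modulus"
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt(priv, ct, out_len):
    d, n = priv
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(out_len, "big")


def stream_xor(key, data):
    """AES-256 stand-in: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def make_device_keys(master_pub):
    """Per-device RSA pair; only the public half stays usable, the private half is wrapped under the master key."""
    dev_pub, (d_dev, n_dev) = rsa_keygen(DEVICE_BITS)
    key_file = (n_dev, rsa_encrypt(master_pub, d_dev.to_bytes(DEVICE_BITS // 8, "big")))
    return dev_pub, key_file


def encrypt_file(dev_pub, user_id, name, plaintext):
    """Per-file key: 128 random bytes shortened to 256 bits; trailer appended after the ciphertext."""
    file_key = hashlib.sha256(secrets.token_bytes(128)).digest()
    name_b = name.encode()
    trailer = rsa_encrypt(dev_pub, file_key) + user_id + name_b + struct.pack(">H", len(name_b))
    return stream_xor(file_key, plaintext) + trailer


def recover_device_key(master_priv, key_file):
    """Decryptor step 1: the leaked master private key unwraps the device private exponent."""
    n_dev, wrapped = key_file
    return int.from_bytes(rsa_decrypt(master_priv, wrapped, DEVICE_BITS // 8), "big"), n_dev


def decrypt_file(dev_priv, blob):
    """Decryptor step 2: parse the trailer, unwrap the per-file key, restore name and contents."""
    (name_len,) = struct.unpack(">H", blob[-2:])
    name = blob[-2 - name_len:-2].decode()
    user_id = blob[-2 - name_len - 16:-2 - name_len]
    key_ct_end = len(blob) - 2 - name_len - 16
    file_key = rsa_decrypt(dev_priv, blob[key_ct_end - KEY_CT_LEN:key_ct_end], 32)
    return name, user_id, stream_xor(file_key, blob[:key_ct_end - KEY_CT_LEN])


def demo():
    master_pub, master_priv = rsa_keygen(MASTER_BITS)       # author keeps master_priv
    dev_pub, key_file = make_device_keys(master_pub)       # one victim machine
    blob = encrypt_file(dev_pub, b"\x01" * 16, "report.docx", b"constructed sample contents")
    dev_priv = recover_device_key(master_priv, key_file)   # only possible with the master private key
    return decrypt_file(dev_priv, blob)


if __name__ == "__main__":
    print(demo())
```

Note that `recover_device_key` is the only step that needs the master private key: without it, the key file in Program Data is opaque and every per-file key behind it stays locked, which is why releasing one device's session key would help one victim while releasing the master key helped all of them.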
With the master private keys released, people affected by AES_NI ransomware can now decrypt their files for free. Users who contracted this particular virus can consider themselves fortunate, as few ransomware programs ever have their keys dumped by their author.
Avast has included the AES_NI decryptor in its archive of custom decryption tools. The software can be downloaded for free from the company’s official website.