AES-NI Ransomware

The emergence of AES-NI Ransomware on your computer could be an awful indication of losing all your important files. This ransomware infection can infiltrate your system without your knowledge and encrypt your personal files with virtually impossible-to-hack algorithms and extort money from you in exchange for the private key needed for decryption. Unfortunately, there is no guarantee whatsoever when it comes to paying ransom fee to cyber criminals. How could you trust someone to keep their promise when they attack you with such a vicious program? What if you transfer the money and get nothing in return? How would you feel when you realize that you supported cyber crime and you lost your files as well? These questions you need to consider before making up your mind. As a matter of fact, the only possible way for you to save your files is to have a recent backup copy you made onto a removable drive. But even if you have such a copy, your first move should be to remove AES-NI Ransomware from your system. In fact, it is possible that you will not even find the malicious executable file anymore as it can delete itself automatically after this attack. Nevertheless, it leaves a few leftovers behind that have to be removed to restore your system.

Our research and tests show that this particular ransomware mainly targets servers. Although we do not have concrete information about how this infection is spread on the web, we believe that it could be manually installed after a brute force Remote Desktop Protocol attack. This means that cyber criminals may try to gain access to your server by attacking it and thus figure out your password. Unfortunately, a lot of servers are out there on the web that are not properly protected or the passwords given by lazy system administrators might be easily hacked. In any case, once these criminals have access to your server, they can easily install and activate this dangerous ransomware and infect all computers available from the server. This is the type of attack that you will never see coming until it is already too late to delete AES-NI Ransomware as your files will all be encrypted. It is also possible that a hacking tool used by the NSA called DoublePulsar is also used to spread it, which has been leaked recently and so far tens of thousands of computers have been reported infected with it.

It is also important for us to mention that most ransomware programs are spread via spam e-mails and Exploit Kits. Therefore, you need to be more cautious when you open your mails either in the spam folder or in your inbox. Such a spam may appear to be quite convincing that there is an urgent issue that requires your immediate attention. This is how many unsuspecting users download the attached file that is indeed a malicious executable that will initiate the attack. It is vital that you keep your browsers and drivers updated too because malicious websites can use Exploit Kits to drop such ransomware infections onto your system behind your back. It is enough for you to land on such a page and a malicious script can be triggered right away. Once again, by the time you are ready to remove AES-NI Ransomware, it will be too late for you to save your files. Keep in mind that removing this ransomware program is not equal to recovering your encrypted files.

Once this ransomware infection is activated on your system, it injects itself into svchost.exe to encrypt your most important files with AES-256 algorithm. The generated decryption key is then further encrypted using RSA-2048 algorithm, which makes is practically impossible to crack this threat. All the encrypted files get a new ".aes_ni_0day" extension, so you will know exactly what has just hit you. It seems that this infection also drops a .txt file in all affected folders called "!!! READ THIS - IMPORTANT !!!.txt", which contains the ransom note text. It seems that this vicious program deletes itself after the attack; therefore, you do not need to care about the executable itself, but it does not mean that you do not need to eliminate all other leftovers. This ransomware does not lock your screen and does not replace your desktop background either.

Instead, it creates a registry entry to make sure that upon every reboot you will be presented with a Windows screen that displays the ransom note right before you could actually log in. This note claims that your "server has been attacked with NSA exploits" and that the only way for you to get your precious files back is to contact these crooks via e-mail. You are provided with three e-mail addresses, including "0xc030@protonmail.ch" that you can use to send your unique ID disclosed in this note. In a reply message, you are supposed to get further instructions as to how much money you have to transfer and where exactly. Cyber criminals usually ask for Bitcoins and the fee could range from 0.1 up to 1 or 2 BTC, which is $150 up to $1,500 or $3,000. Obviously, this amount depends on who attacks you and who they target. Nobody can believe that a private citizen would have thousands of dollars to pay for some old documents and photos. However, corporations have usually more to lose in such an attack. In any case, we do not recommend that you contact these criminals or send money to them; although, it is all your own business. We advise you to remove AES-NI Ransomware and all related files from your computer immediately.

As we have already mentioned, one part of the elimination process has already been done automatically as this ransomware can delete itself after it finishes encryption. But it is just as important that you remove the registry entry it created and all the .txt files it littered your system with. If you need help with this, please use our instructions below. It is possible that after this attack you may consider protecting your system more effectively. We recommend that you employ a trustworthy anti-malware program, such as SpyHunter because an up-to-date security tool can automatically defend your PC from all kinds of malicious threats. If you want to feel safe and sound in your virtual kingdom, this is a possible way to make this happen.

How to remove AES-NI Ransomware from Windows

1. Press Win+E to launch your File Explorer.
2. Run a search for the ransom note text file to find all instances on your hard disk.
3. Delete all ransom note files.
4. Empty your Recycle Bin.
5. Press Win+R and type regedit. Click OK.
6. Locate and remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText registry value name.
7. Close the editor.
8. Restart your computer.