Victims can now decrypt files without paying ransom

May 30, 2017 09:33 GMT  ·  By

Just as ransomware has rapidly turned into a full-on phenomenon, the fight against this type of cyber attack has grown too. Avast has announced a new decryptor tool for the AES_NI ransomware, made possible by the public dump of the ransomware's master private key a few days ago.

This particular ransomware family was first spotted in December 2016, and multiple variants have been detected in the wild since then. You can tell you have been hit by it if your encrypted files carry one of these extensions: example.docx.aes_ni, example.docx.aes256 or example.docx.aes_ni_0day.

As Avast's researchers explain, the ransomware generates an RSA session key for each machine it infects. This session key is then encrypted with an AES key and saved to a file in the ProgramData folder, and that AES key can only be recovered with the master private key.

"Unlike the rest of the encrypted files, this file's AES key needs to be decrypted using a master private key, which was published on May 25 2017 by the Twitter user @AES___NI," Avast writes. According to Bleeping Computer, the person behind this Twitter handle appears to be the ransomware's author, who apparently released the key to avoid being framed for the activity of the XData ransomware, which shares some of its code with AES_NI.

How does AES_NI operate?

When encrypting a file, the ransomware generates a random 128-byte value for that file, truncates it to a 256-bit AES key and uses that key to encrypt the file data. The AES key, wrapped with the machine's RSA session key, is then stored at the end of the file along with the user ID and the original file name. This is why the decryptor must first recover the machine's session key with the master private key before it can unwrap any per-file key.
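The key hierarchy described in the two passages above (a per-machine RSA session key whose blob only the master private key can open, and a per-file AES key derived from 128 random bytes and stored in a trailer) is what makes a single leaked master key enough to decrypt every victim's files. The Go program below is an added illustration written for this article, not Avast's decryptor or the ransomware's own code: the padding scheme (RSA-OAEP), the file cipher mode (AES-256-GCM), the blob and trailer byte layouts and the one-byte length fields are assumptions chosen to keep the model short, and the sample user ID, file name and contents used to exercise it are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Model of the AES_NI key hierarchy and per-file trailer. RSA-OAEP, AES-256-GCM and
// the byte layouts below are assumptions made for this example, not the real format.
func check(err error) { // malware-side failures are not the point of the model
	if err != nil {
		panic(err)
	}
}
func genRSA() *rsa.PrivateKey { // master and session keys are modelled the same way
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return key
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}
func gcm(key []byte) cipher.AEAD { // AES-256-GCM; a 12-byte nonce travels in front of the ciphertext
	block, err := aes.NewCipher(key)
	check(err)
	g, err := cipher.NewGCM(block)
	check(err)
	return g
}
func aesSeal(key, pt []byte) []byte {
	g, nonce := gcm(key), randBytes(12)
	return g.Seal(nonce, nonce, pt, nil)
}
func aesOpen(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// InfectMachine models the malware on one victim: a fresh RSA session key, written to the
// ProgramData blob as masterRSA(blobKey) | AES_blobKey(session private key, PKCS#1 DER).
// Only the master public key is needed here; its private half stays with the author.
func InfectMachine(masterPub *rsa.PublicKey) (*rsa.PrivateKey, []byte) {
	session, blobKey := genRSA(), randBytes(32)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, masterPub, blobKey, nil)
	check(err)
	return session, append(wrapped, aesSeal(blobKey, x509.MarshalPKCS1PrivateKey(session))...)
}

// RecoverSessionKey is the decryptor's first step once the master private key is
// public: unwrap the blob key, then decrypt the session private key.
func RecoverSessionKey(masterPriv *rsa.PrivateKey, blob []byte) (*rsa.PrivateKey, error) {
	k := masterPriv.Size()
	if len(blob) < k {
		return nil, errors.New("blob too short")
	}
	blobKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, masterPriv, blob[:k], nil)
	if err != nil {
		return nil, err
	}
	der, err := aesOpen(blobKey, blob[k:])
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// EncryptFile models one victim file: 128 random bytes truncated to a 256-bit AES key,
// the data encrypted with it, then the trailer appended:
// sessionRSA(fileKey) | userID | origName | len(userID) | len(origName) (one byte each).
func EncryptFile(sessionPub *rsa.PublicKey, userID, origName string, data []byte) []byte {
	fileKey := randBytes(128)[:32]
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sessionPub, fileKey, nil)
	check(err)
	out := append(aesSeal(fileKey, data), wrappedKey...)
	out = append(out, userID...)
	out = append(out, origName...)
	return append(out, byte(len(userID)), byte(len(origName)))
}

// DecryptFile walks the trailer backwards from the end of the file, unwraps the file
// key with the recovered session private key and returns name, user ID and plaintext.
func DecryptFile(sessionPriv *rsa.PrivateKey, enc []byte) (origName, userID string, data []byte, err error) {
	n, k := len(enc), sessionPriv.Size()
	if n < 2 {
		return "", "", nil, errors.New("file too short")
	}
	nameStart := n - 2 - int(enc[n-1])
	uidStart := nameStart - int(enc[n-2])
	bodyEnd := uidStart - k
	if bodyEnd < 0 {
		return "", "", nil, errors.New("truncated trailer")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sessionPriv, enc[bodyEnd:uidStart], nil)
	if err != nil {
		return "", "", nil, err
	}
	if data, err = aesOpen(fileKey, enc[:bodyEnd]); err != nil {
		return "", "", nil, err
	}
	return string(enc[nameStart : n-2]), string(enc[uidStart:nameStart]), data, nil
}
```

The malware side (InfectMachine once per machine, then EncryptFile per file) needs only the master public key, which is why the author could keep the private half to himself until the dump. The decryptor side needs that private half exactly once per machine, in RecoverSessionKey, after which DecryptFile handles every file on that machine with the session key alone. DecryptFile returns an error on a truncated or malformed trailer instead of indexing past the buffer, which a real decryptor that meets half-written files must do as well, and a wrong master key fails at the OAEP unwrap rather than producing garbage plaintext.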

Thankfully, now that the decryptor is available, victims can recover their files without paying the ransom. It is an unusual move, though not an unprecedented one, for a ransomware author to publicly dump the master key. Either way, it is good to see another ransomware family neutralised, or at the very least made easily decryptable.

You can download the decryptor from Avast.