Decryption keys for AES_NI shared to the public by the mastermind to prevent charges related to XData ransomware

The mastermind of the AES_NI ransomware, also spelt AES-NI or AESNI, released over 300 decryption keys via a private message to a malware research under the name Thyrex in order not to be accused of being responsible for another highly dangerous ransomware dubbed XData. On May 21st, 2017, researcher under the name Thyrex was contacted privately on a forum with a .zip file containing data related to the AES_NI ransomware. More specifically, the .zip file was related to the version whose ransom note contains the contact email frogobig777@india.com. Soon the researcher shared the data received on a forum with a link to the files. In total, three relevant folders were shared to the public: a decryption executable, a .txt file with instructions, and a folder with 368 items, which are decryption keys for the ransomware.

Releasing decryption keys to the public is not phenomenal. There are some other instances when someone behind a ransomware infection reveals its master keys. For example, someone associated with the Crysis ransomware has recently released 200 master keys in total. Such behaviour is becoming a habit for the Crysis creators because this case is known as the third time keys were released. Interestingly, the same keys worked successfully to decrypt files having the extensions .wallet and .onion, used by threats Wallet and Onion respectively.

The AES_NI ransomware was spotted after the global attack of WannaCry, which cause huge damage to corporate computers in at least 150 countries. Reportedly, the release took place because the hacker who spread the decryption keys of the AES_NI ransomware did not want to be associated with the XData ransomware which shares its code with AES_NI. It was reported that the AES_NI ransomware was abandoned by the person who had created it at that some more keys would be released in the future. The person who leaked the keys to researcher Thyrex would like others to consider these two operations separate despite their similarities. So far, the XData malware has been considered variant C (Win32/Filecoder.AESNI.C) whose master keys were released alongside with some master keys of variant A (Win32/Filecoder.AESNI.A)variant B (Win32/FileCoder.AESNI.B) and variant A.

Despite the similarities in the source code of two variants, there are some differences that make these AES_NI and XData unique in their behavior. The AES_NI ransomware reportedly spreads through a document automation system used for accountancy, whereas the method of spreading of XData has not been identified. The AES_NI ransomware is known to have some restrictions preventing infections in Russia and other countries. The XData ransomware was purposely programmed to infect computers in Ukraine and other nearby countries, mostly Russia, Germany, and Estonia. Moreover, the AES_NI infection is capable of embedding the file name and key ID into the encrypted file, while the same function is not present in XData. Moreover, the XData ransomware does not have its TOR command and control server, and it also cannot infect itself into another process.

When on a PC, the AES_NI ransomware could abuse administrator privileges which would result in damage to an entire network of machines. If no administrator privileges are obtained, the infection remains on the computer without further spreading. Additionally, the infection also attempts to find whether the computer supports the Advanced Encryption Standard (AES) instruction set; hence the name of this Trojan horse. The threat has been known to researchers since its first detection on December 8th, 2016.

Another feature distinguishing the two versions one from another is that they add different file extensions to encrypted files. The AES_NI ransomware is powered to add one of four extensions: .aes256, .aes_ni, .decrypr_helper@freemail_hu and .aesni_0day. The XData ransomware has only one extension .~xdata~. The latter variant drops several additional files alongside a file containing information about the encryption: mssql.exe, msdns.exe, msdcom.exe, and mscomrpc.exe.

The outbreak of XData (also known as variant C) hit its peak on May 18th, 2017, though the wave of cyber attacks was recorded between May 17th and May 22th, 2017. Reportedly, the XData ransomware affected 4 times more victims within a weak than the WannaCry ransomware.

Practice shows that massive ransomware attacks usually takes time after developing and testing an infection for a certain period. The XData ransomware, or rather AES_NI, has been tracked by malware researchers since December 8th, 2017. New ransomware infections are launched and detected in massive numbers, and it is hard to predict what specific strain of malware will hit numerous computers by exploiting undetected vulnerabilities of Windows operating systems.

One malware research and computer security company has released a decryption tool for the XData and AES_NI ransomware infections, but that does not mean that all ransomware infections can be blocked and data decrypted with the help of a separate tool. Very often affected data remains inaccessible and not decryption key is given to the victim after submitting a ransom fee.

There are several methods of ransomware and malware in general prevention. It is essential to keep the operating system and software programs up-to-date. Moreover, it is highly important to use reputable system security software powered to identify the newest malware variants. When it comes to data security, it is worth making data back-ups on a regular basis. Importantly, the data should be stored on a separate storage device. Moreover, having admin and user accounts would help to minimize much of damage as in the case of AES_NI. Finally, not clicking on questionable links and attachments is also crucial as spear phishing is a common malware distribution method.