As ransomware really starts to ramp up, those fighting against the scourge battle away trying to publish fixes as soon as possible.
Along those lines, Avast unveiled a new decryptor tool for the AES_NI ransomware. The tool was made possible due to a public dump of the master private key.
Researchers first discovered this ransomware family in December 2016, with multiple variants having been detected since. You can tell if you’ve been attacked by it if your encrypted files have one of these file extensions – example.docx.aes_ni, example.docx.aes256, or example.docx.aes_ni_0day.
The ransomware generates an RSA session key for each machine it infects. This session key is then encrypted and saved to a file to the Program Data folder, Avast researchers said.
“Unlike the rest of the encrypted files, this file’s AES key needs to be decrypted using a master private key, which was published on May 25 2017 by the Twitter user @AES___NI,” Avast researchers said in a blog post.
The man behind this Twitter handle could be the author behind the ransomware, industry wags said. Apparently, he did this in order to avoid being framed by the XData ransomware operators, which shares some of the code of AES_NI.
When encrypting a file, the ransomware generates a per-file random 128-byte number, which is then cut down to a 256-bit AES key and used for encrypting file data. The AES encryption key is then stored at the end of the file, along the user ID and original file name.
Because the decryptor is here, people can untangle their files without having to pay the ransom. Of course, it’s a rather odd move, although not unseen, for the author of a ransomware to publicly dump the master keys.
Click here to download the decryptor from Avast.