
AES Ransomware (.aes256, .aes_ni, !!!Read This_Important!!!.txt) Support Topic


129 replies to this topic

#121 dabcorp

dabcorp

  • Members
  • 2 posts
  • Local time:10:36 AM

Posted 19 April 2017 - 06:29 AM

Help me please:

 

===============================# aes-ni ransomware #===============================


SPECIAL VERSION: NSA EXPLOIT EDITION

INTRO: If you are reading it, your server was attacked with NSA exploits.
Make World Safe Again.

SORRY! Your files are encrypted.
File contents are encrypted with random key (AES-256 bit; ECB mode).
Random key is encrypted with RSA public key (2048 bit).

We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.

Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.

If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:

0xc030@protonmail.ch
0xc030@tuta.io
aes-ni@scryptmail.com

IMPORTANT: In some cases malware researchers can block our e-mails.
If you did not receive any answer on e-mail in 48 hours,
 please do not panic and write to BitMsg (https://bitmsg.me) address:
 BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN
 or create topic on https://www.bleepingcomputer.com/ and we will find you there.

If someone else offers you files restoring, ask him for test decryption.
 Only we can successfully decrypt your files; knowing this can protect you from fraud.

You will receive instructions of what to do next.
You MUST refer this ID in your message:

NS390891#D456970D03407DAB330ABD2DA35F56ED

Also you MUST send all ".key.aes_ni_0day" files from C:\ProgramData if there are any.


===============================# aes-ni ransomware #===============================
 





#122 Eskof

Eskof

  • Members
  • 10 posts
  • Gender:Male
  • Local time:09:36 AM

Posted 19 April 2017 - 07:08 AM

Just paid a company to get my files decrypted, for $15 with PayPal they fixed it :D!

inb4 people will cry about "scam, fraud, etc", will not give at all how to contact this company.

Gl dealing with AES_IN

They also explained to me how they did that.

Update your Windows to the latest version, and you're good.


Edited by Eskof, 19 April 2017 - 07:09 AM.


#123 dabcorp

dabcorp

  • Members
  • 2 posts
  • Local time:10:36 AM

Posted 19 April 2017 - 07:24 AM

Ok, I paid! Send information for this



#124 EgyConquer

EgyConquer

  • Members
  • 9 posts
  • Local time:10:36 AM

Posted 20 April 2017 - 06:27 PM

> Just paid a company to get my files decrypted, for $15 with PayPal they fixed it :D!
>
> inb4 people will cry about "scam, fraud, etc", will not give at all how to contact this company.
>
> Gl dealing with AES_IN
>
> They also explained to me how they did that.
>
> Update your Windows to the latest version, and you're good.

You won't give people the info about the company that decrypted your files? O.o how old are you? 15?



#125 opelco

opelco

  • Members
  • 1 posts
  • Local time:11:36 AM

Posted 21 April 2017 - 05:20 AM

I also got infected and lost really important files..

What should I do?

There is no answer from those guys and I don't have enough money to pay for it



#126 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,063 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:36 AM

Posted 21 April 2017 - 06:04 AM

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work...again it never hurts to try.

If that is not a viable option and there is no decryption fix tool, the only other alternative is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

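One way to carry out the "back up the encrypted data as is" advice above, as an added example that is not code from any poster in this thread: it inventories the artifacts named on this page (the .aes256 / .aes_ni extensions from the title, the ransom-note file name, the .key.aes_ni_0day key files) and checks that a backup copy holds each one byte-for-byte. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIXES = (".aes256", ".aes_ni")  # thread title; extend with your files' suffix
KEY_SUFFIX = ".key.aes_ni_0day"              # key files the note says sit in C:\ProgramData
NOTE_NAME = "!!!read this_important!!!.txt"  # ransom-note name from the title, lower-cased

def classify(path):
    """Return 'ransom_note', 'key_file', 'encrypted', or None for unrelated files."""
    name = path.name.lower()
    if name == NOTE_NAME:
        return "ransom_note"
    if name.endswith(KEY_SUFFIX):
        return "key_file"
    return "encrypted" if name.endswith(ENCRYPTED_SUFFIXES) else None

def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with path.open("rb") as fh:  # read-only: the evidence is never modified
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map relative path -> (kind, size, sha256) for every artifact under root."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        kind = classify(path) if path.is_file() else None
        if kind:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (kind, path.stat().st_size, sha256_of(path))
    return manifest

def missing_or_changed(source, backup):
    """Artifacts the backup lacks or holds with a different size or hash."""
    return sorted(rel for rel, entry in source.items() if backup.get(rel) != entry)

def demo():  # constructed sample tree, a copy of it, and one damaged file in the copy
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "server"), Path(tmp, "backup")
        (src / "ProgramData").mkdir(parents=True)
        (src / "budget.xlsx.aes_ni").write_bytes(b"\x00" * 64)
        (src / "!!!Read This_Important!!!.txt").write_text("constructed note")
        (src / "ProgramData" / "sample.key.aes_ni_0day").write_bytes(b"\x01" * 32)
        shutil.copytree(src, dst)
        (dst / "budget.xlsx.aes_ni").write_bytes(b"\x00" * 63)  # truncated copy
        return build_manifest(src), build_manifest(dst)
```

Run build_manifest on the affected volume and again on the backup, then pass both results to missing_or_changed; an empty list means every encrypted file, ransom note and key file was preserved intact.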

#127 fondueset

fondueset

  • Members
  • 5 posts
  • Local time:04:36 AM

Posted 21 April 2017 - 09:23 AM

I'd like to add a little to this. Some of our backups were to hard-drives - another was to a NAS RAID array - both of these were compromised. Fortunately we switch out the hard drive backup. We also had some 'afterthought' backups to USB drives via the Windows Server Backup utility. These were untouched by the attack and enabled us to restore one of our servers with virtually no loss of time-sensitive data.

> As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work...again it never hurts to try.
>
> If that is not a viable option and there is no decryption fix tool, the only other alternative is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.



#128 AES_NI

AES_NI

  • Banned Spammer
  • 38 posts
  • Local time:02:36 AM

Posted 21 April 2017 - 02:09 PM

AES-NI stop support on BP forum.



#129 BloodDolly

BloodDolly

  • Security Colleague
  • 464 posts
  • Gender:Male
  • Location:Slovakia
  • Local time:10:36 AM

Posted 21 April 2017 - 02:59 PM

> AES-NI stop support on BP forum.

Jail time finally? :lol:



#130 cybercynic

cybercynic

  • Members
  • 511 posts
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:04:36 AM

Posted 21 April 2017 - 02:59 PM

> I also got infected and lost really important files..
>
> What should I do?
>
> There is no answer from those guys and I don't have enough money to pay for it

There is no way to get your files decrypted except by paying the ransom. If you can't contact the extortionists, or cannot afford to pay the ransom, then, for the time being, you are SOL. Your best bet is to back up the encrypted files in hopes of a future solution / breakthrough for this encryption.


We are drowning in information - and starving for wisdom.




