On May 21st, a security researcher who goes by the name Thyrex, received a message on a Russian forum that contained a link to a ZIP file that supposedly contained a decryptor for the frogobig777@india.com variant of the AES-NI Ransomware. After examining the file, Thyrex posted a link to the file in our AES-NI Support Topic so that victim's could hopefully use it to recover their files.

Thyrex's Post in the BleepingComputer.com Forums

Insider this folder are three files; a decryptor executable, a text file that contains instructions, and a folder of 369 private decryption keys.

Decryption Keys
Decryption Keys

While no victim's have reported that the decryptor worked for them, I have been able to find an encrypted file from this variant and decrypt it using one of the included keys. If anyone has their files encrypted and the ransom note contains a contact email of frogobig777@india.com, they should definitely see if their key is in the archive and use it to recover their files.

As always, if anyone needs help they can ask in the dedicated AES-NI Ransomware Help & Support Topic.

Who leaked the decryption keys?

Today, BleepingComputer reached out to Thyrex to find out how he received the decoder and keys. According to Thyrex, all that he knew was that an unknown person sent him a private message on a forum he visits with a link to the file.

Coincidentally, the developer of AES-NI, who has been silent for a while, reached out today to various researchers and BleepingComputer to announce he was back. In conversations with BleepingComputer, the AES-NI developer admitted that he was the one who leaked the keys to Thyrex.

He said he did it because it was an old version that a friend of his was previously distributing and abandoned. He also intimated that he would be stopping the AES-NI "project" and releasing the rest of the keys in the near future. 

When BleepingComputer asked why he was stopping the development of AES-NI, the developer starting talking about the XData ransomware.

AES-NI author thinks he is being framed by the XData devs

According to the AES-NI developer, XData is based on AES-NI Ransomware source code that someone stole from him between February and March 2017. The shared code between XData and AES-NI was further confirmed by ESET security researcher Anton Cherepanov in an article released yesterday.

It is common for Russian developers to put in restrictions restrictions in their ransomware that prevent the ransomware from infecting victims located in Russia and the Commonwealth of Independent States (CIS). This is done out of a sense of national pride and to protect the developer from a government who may be willing to turn a blind eye to illegal operation that doesn't target its citizens.

According to the AES-NI author, these restrictions were removed from the XData source and was used to purposely target the Ukraine and other nearby countries. The AES-NI author went on to further state that XData does not contain certain features, such as a TOR Command & Control server and the ability to inject itself into another running process.

The author went on to say that current versions of AES-NI embed the filename and key ID into the encrypted file, while XData does not. As these features were not added until end of March, the author feels that his code was stolen before then.

Heat Map of Countries Targeted by XData
Heatmap of countries targeted by XData ransomware

The AES-NI developer further went on to say that he feels he is purposely being framed by the XData ransomware operator(s). Optimally, he would like that others consider the XData strain a separate operation, despite similarities with the AES-NI source code.

Whether or not any of this true is impossible to corroborate, but if it is true, hopefully the fear of being sent to a Russian prison, or worse, may be enough for the AES-NI dev to keep his promise to stop working on the AES ransomware project and release more decryption keys.

UPDATE 1: Minutes after our article went live, the AES-NI author kept his promise and published what appears to be a master decryption key for several other AES-NI ransomware variants. We'll update the post when we can confirm the validity of this master key.

UPDATE 2: Avast security expert Jakub Kroustek has confirmed that the provided AES-NI master key is indeed authentic, successfully decrypting a version of this ransomware spotted on May 7. Other researchers, including TeslaCrypt expert BloodDolly, have told Bleeping Computers they were also able to unlock older versions of this ransomware. AES-NI victims can use the decrypter included in the download package to unlock their files, but if they don't trust the file, Avast has released an alternative decrypter.

AES-NI decrypter successfully decrypting locked files
AES-NI decrypter successfully decrypting locked files [via Jakub Kroustek]
Supposed master decryption key for AES-NI ransomware
Supposed master decryption key for AES-NI ransomware


Related Articles:

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message

CommonRansom Ransomware Demands RDP Access to Decrypt Files