Releasing master keys for older ransomware variants has become somewhat of a trend these days. Shortly after the release of the updated Crysis decryptor, master keys for some of the variants of the AES-NI family were published – specifically Win32/Filecoder.AESNI.B and Win32/Filecoder.AESNI.C, also known as XData.
Based on this, ESET experts have prepared an AES-NI decryption tool.
The tool works for files encrypted by the offline RSA key used by AES-NI variant B, which adds the extensions .aes256, .aes_ni, and .aes_ni_0day to the affected files, as well as files affected by AES-NI variant C (or XData) with the extensions .~xdata~.
Victims who still have their encrypted files can now download the decryptor from our utilities page. For additional information on how to use the tool and detailed information on specific cases where the decryptor can’t help, please refer to ESET Knowledgebase.
So who keeps releasing these master keys?
First, keys for variant A of the AES-NI ransomware family were published on a help forum for ransomware victims, followed by the master key for AES-NI variant B that was released via Twitter by the malware’s self-identified authors. An anonymous guest posted the master key for Variant C (aka XData) to a forum a few days later.
Originally, the malware had restrictions in place that prevented infections in Russia and CIS countries – tactics commonly used by Russian malware authors to avoid prosecution from their government. The restrictions seem to have been neutralized by the XData operators to specifically target the region.
For more information on how to protect yourself from ransomware, please refer to our expert advice on the topic.
by Ondrej Kubovic, ESET We Live Security