The Avast Decryption Tool for AES_NI is a free, specialized utility designed to unlock and restore files held hostage by the AES_NI ransomware strain without paying a ransom. Originally released by security firm Avast in May 2017, the tool remains part of their public repository of Free Ransomware Decryption Tools.

Background on AES_NI Ransomware
First emerging in December 2016, the AES_NI ransomware targeted Windows systems using a combination of AES-256 and RSA-2048 encryption algorithms.
Target Extensions: It identifies files and appends specific extensions to them, notably .aes_ni, .aes256, and .aes_ni_0day.
How It Compromised Systems: For each machine it infected, the malware generated an RSA session key. It saved this key in an encrypted format inside the %ProgramData% folder (e.g., C:\ProgramData).
The Breakthrough: On May 25, 2017, the master private keys were publicly released via Twitter by the threat actor behind the ransomware (@AES___NI). This enabled Avast engineers to develop a universal decryption utility.

Key Features of the Decryption Tool
Universal Decryption: By integrating the leaked master private keys, the software securely unpacks the local RSA session key and successfully reverses the file encryption.
No Password Cracking Required: Unlike some decryptors that require brute-forcing passwords over days, this tool uses the leaked master private keys directly, so it can unlock files instantly without any key search.
Wizard-Based Interface: The tool is built with a step-by-step graphical user interface (GUI), making it easy for non-technical users to select entire drives or folders to restore.

Direct Comparison: Supported Extensions
The tool natively recognizes and handles files encrypted by the main evolutionary variants of this malware strain:

| File Extension | Threat Type | Decryption Method |
|---|---|---|
| .aes_ni | Original December 2016 Strain | Universal Master Key Decryption |
| .aes256 | Mid-2017 Variant | Universal Master Key Decryption |
| .aes_ni_0day | Late-Stage Variant | Universal Master Key Decryption |

How to Use the Tool
If you have legacy files or an older system affected by this strain, you can safely deploy the tool:
Download: Obtain the standalone executable from the official Avast Ransomware Decryption Tools portal.
Execute: Run the application (avast_decryptor_aes_ni.exe) on the infected machine.
Select Paths: Choose the targeted local drives, network folders, or directory locations containing your locked files.
Decrypt: Leave the default configurations as they are, advance through the prompts, and click Decrypt to restore your original file extensions.
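
A read-only inventory to run before and after the decryptor, shown here as an added example that is not Avast's code or part of the original page: it counts files carrying the three extensions listed above, per directory, so you know which paths to select and can confirm afterwards that none remain. The sample tree and its file names are constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Extensions this page lists as appended by AES_NI.
AES_NI_EXTENSIONS = (".aes_ni_0day", ".aes_ni", ".aes256")


def match_extension(name):
    """Return the AES_NI extension a file name ends with, or None."""
    lowered = name.lower()  # Windows file names are case-insensitive
    for ext in AES_NI_EXTENSIONS:
        if lowered.endswith(ext):
            return ext
    return None


def inventory(root):
    """Walk root; return (counts per extension, counts per directory, unreadable dirs)."""
    by_ext, by_dir, errors = Counter(), Counter(), []
    # followlinks=False avoids loops through symlinked directories;
    # onerror records unreadable directories instead of silently skipping them.
    for dirpath, _dirs, files in os.walk(
            root, followlinks=False, onerror=lambda e: errors.append(e.filename)):
        for name in files:
            ext = match_extension(name)
            if ext:
                by_ext[ext] += 1
                by_dir[dirpath] += 1
    return by_ext, by_dir, errors


def build_sample_tree(base):
    """Constructed sample data: empty files with made-up names."""
    layout = {"docs": ["report.docx.aes_ni", "notes.txt", "Q1.XLSX.AES256"],
              "docs/old": ["scan.pdf.aes_ni_0day", "a.jpg.aes_ni"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for n in names:
            open(os.path.join(base, sub, n), "w").close()


def demo():
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        by_ext, by_dir, errors = inventory(base)
        return dict(by_ext), sorted(by_dir.values()), errors


if __name__ == "__main__":
    print(demo())
```

Point `inventory()` at a real drive or folder in place of the sample tree; any directories it returns as unreadable need a separate check, since they were not counted.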