AES-NI, also known as AES and AES256, targets Windows OS. The developer claims to be using NSA exploits leaked by the Shadow Brokers group to infect victims, specifically, ETERNALBLUE that allows for the exploitation of a remote code execution flaw in the latest version of Windows 2008 R2 through SMB and NetBT. Security researchers, however, believe the developer is lying and is, instead, conducting brute-force attacks on RDP and deploying the ransomware manually across compromised networks. AES-NI offers to decrypt files for free for victims from former Soviet states but demands a ransom payment of 1.5 Bitcoin from all other victims.

Extensions appended to encrypted file names:
.aes256, .aes_ni, .aes_ni_gov, .aes_ni_0day, .lock

Ransom note file names:

  • Bleeping Computer provides more information about the recent AES-NI campaign here.
  • The NJCCIC is not currently aware of any free decryption tools available for AES-NI. However, it is highly recommended to proactively block traffic to SMB and RDP ports and apply Microsoft security patch MS17-010 as soon as possible.