AES-NI, also known as AES and AES256, targets Windows. Its developer claims to infect victims using the NSA exploits leaked by the Shadow Brokers group, specifically ETERNALBLUE, which exploits a remote code execution flaw in Windows SMB (the claim names Windows Server 2008 R2) reachable over SMB and NetBT. Security researchers, however, believe the developer is lying and that the ransomware is instead being deployed manually across networks compromised through brute-force attacks on RDP. AES-NI offers free decryption to victims in former Soviet states and demands a ransom of 1.5 Bitcoin from everyone else.
Extensions appended to encrypted file names:
.aes256, .aes_ni, .aes_ni_gov, .aes_ni_0day, .lock
Ransom note file names:
!!! READ THIS - IMPORTANT !!!.txt
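As an added example (not code from the original page), the following Python triage script applies the indicators listed above to a directory listing. The extensions and ransom note name are the ones given on this page; the directory listing is constructed for illustration. Because `.lock` is an extension that many legitimate programs use for ordinary lock files, the script treats it as a weak indicator that only counts when the ransom note is present in the same directory, while the `.aes*` extensions are treated as strong indicators on their own.

```python
"""Triage helper: flag AES-NI ransomware indicators in a list of file paths.

Added example, not from the original page. The extensions and ransom note
name come from the page; the sample listing below is constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the page lists as appended to encrypted file names.
AESNI_EXTENSIONS = {".aes256", ".aes_ni", ".aes_ni_gov", ".aes_ni_0day", ".lock"}
# ".lock" is used by many legitimate programs for lock files, so on its own
# it is a weak indicator; it only counts alongside the ransom note.
WEAK_EXTENSIONS = {".lock"}
# Ransom note file name listed on the page.
RANSOM_NOTE = "!!! READ THIS - IMPORTANT !!!.txt"

# Constructed sample listing (not real data), mixing infected and benign paths.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.aes256",
    r"C:\Users\alice\Documents\report.docx.aes_ni_0day",
    r"C:\Users\alice\Documents\!!! READ THIS - IMPORTANT !!!.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\shares\finance\Q1.pdf.aes_ni",
    r"C:\dev\project\build.lock",          # legitimate lock file, no note
    r"E:\backup\archive.zip.lock",
    r"E:\backup\!!! READ THIS - IMPORTANT !!!.txt",
    r"F:\tmp\!!! READ THIS - IMPORTANT !!!.txt",  # note with no encrypted files
]


def classify_path(path):
    """Classify one path as 'note', 'strong', 'weak' or None (no indicator)."""
    p = PureWindowsPath(path)
    # Windows file names are case-insensitive, so compare lower-cased.
    if p.name.lower() == RANSOM_NOTE.lower():
        return "note"
    ext = p.suffix.lower()
    if ext in AESNI_EXTENSIONS:
        return "weak" if ext in WEAK_EXTENSIONS else "strong"
    return None


def triage(paths):
    """Group indicators by directory and return a per-directory verdict.

    Verdicts:
      likely-aesni : at least one strong extension, or ransom note plus .lock files
      note-only    : ransom note present but no encrypted-looking files
      weak-only    : only .lock files, no note (probably benign)
    """
    per_dir = defaultdict(lambda: {"note": False, "strong": [], "weak": []})
    for path in paths:
        kind = classify_path(path)
        if kind is None:
            continue
        directory = str(PureWindowsPath(path).parent)
        if kind == "note":
            per_dir[directory]["note"] = True
        else:
            per_dir[directory][kind].append(path)

    result = {}
    for directory, info in per_dir.items():
        if info["strong"] or (info["note"] and info["weak"]):
            verdict = "likely-aesni"
        elif info["note"]:
            verdict = "note-only"
        else:
            verdict = "weak-only"
        result[directory] = {"verdict": verdict, **info}
    return result


if __name__ == "__main__":
    for directory, info in sorted(triage(SAMPLE_LISTING).items()):
        hits = len(info["strong"]) + len(info["weak"])
        print(f"{info['verdict']:13} {directory}  (note={info['note']}, files={hits})")
```

On a real host the listing would come from a recursive directory walk of user profiles and file shares; the per-directory grouping matters because a single `.lock` file in a build tree is noise, whereas `.lock` files sitting next to the ransom note are not.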
Email addresses associated with AES-NI:
UPDATE 5/25/2017: AES-NI Ransomware Developer Releases Decryption Keys Amid Fears of Being Framed for XData Outbreak