AES-NI, also known as AES and AES256, targets Windows OS. The developer claims to be using NSA exploits leaked by the Shadow Brokers group to infect victims, specifically, ETERNALBLUE that allows for the exploitation of a remote code execution flaw in the latest version of Windows 2008 R2 through SMB and NetBT. Security researchers, however, believe the developer is lying and is, instead, conducting brute-force attacks on RDP and deploying the ransomware manually across compromised networks. AES-NI offers to decrypt files for free for victims from former Soviet states but demands a ransom payment of 1.5 Bitcoin from all other victims.

Extensions appended to encrypted file names:
.aes256, .aes_ni, .aes_ni_gov, .aes_ni_0day, .lock

Ransom note file names:

Email addresses associated with AES-NI:

UPDATE 5/25/2017: AES-NI Ransomware Developer Releases Decryption Keys Amid Fears of Being Framed for XData Outbreak

  • Bleeping Computer provides more information about the recent AES-NI campaign here.
  • provides a free decryption tool for AES-NI here.
    It is also highly recommended to proactively block traffic to SMB and RDP ports and apply Microsoft security patch MS17-010 as soon as possible.