[KB6467] Clean an AES-NI or XData infection using the ESET AES-NI decryptor

Issue

ESET products detect and block XData malware as Win32/Filecoder.NLN and AES-NI malware as Win32/Filecoder.AESNI.

  • Your ESET product detected a Win32/Filecoder.AESNI infection
     
  • Decrypt your files using the ESETAESNIDecryptor.exe tool
     
  • Your personal files have become encrypted
     
  • Your files have been renamed with one of the following extensions: .aes256, .lock, .aes_ni_0day, .aes_ni, .decrypr_helper@freemail_hu, .~xdata~
     
  • You receive one of the following notes on your computer's desktop background, or in a .txt, .html or .png file:

    - "YOUR FILES ARE ENCRYPTED!"
    - "If you want to decrypt your files, you have to get RSA private key."

    - "all your data was crypted to get it back write to aes-ni@prontomail.com"

Figure 1-1


Details

Win32/Filecoder.AESNI is a trojan that encrypts files on local drives. The user is told they must send information and make a payment using the Bitcoin payment service in order to decrypt their files.

Examples of AES-NI key file names

  • USER-43FF24E2A8#7988C10CEA4CBE5453802CE852506660-decrypr_helper NEW-2017421111129-542.key
  • PC#7F8FF538043FDBDFAD07DBF085DE9910-SPECIAL NEW-201753011433-276.key.aes_ni
  • PC#7F8FF538043FDBDFAD07DBF085DE9910-Bravo NEW-2017530113345-902.key.aes_ni_0day
  • PC#7F8FF538043FDBDFAD07DBF085DE9910-#-201753182943-932.key.~xdata~


Solution

  1. Download the ESET AES-NI decryptor tool and save the file to your desktop.

    ESETAESNIDecryptor.exe
     
  2. Click Start → All Programs → Accessories, right-click Command prompt and then select Run as administrator from the context menu.
    • Windows 8 / 8.1 / 10 users: press the Windows key + Q to search for applications, type Command prompt into the Search field, right-click Command prompt and then select Run as administrator from the context menu.
       
  3. Type the command cd %userprofile%\Desktop (do not replace "userprofile" with your username; type the command exactly as shown) and then press Enter.
     
  4. Type the command ESETAESNIDecryptor.exe and press Enter.
     
  5. Read and agree to the end-user license agreement.
     
  6. Type ESETAESNIDecryptor.exe C: and press Enter to scan the C drive. To scan a different drive, replace C: with the applicable drive letter.
     
  7. The ESET AES-NI decryptor tool will run and the "Looking for key files..." message will be displayed, followed by the "Looking for infected files..." message. If an infection is discovered, follow the prompts from the ESET AES-NI decryptor tool to clean your system.

AES-NI decryptor switches

In most cases, running the ESET AES-NI decryptor tool as shown in step 6 is the best choice. However, if you are familiar with command line switches, the following switches are available for use with this decryptor tool:

  • /n - only list files for cleaning (do not clean)
  • /h or /? - show usage

Decrypting files on a different computer

If you are going to decrypt files on a different computer, you have to copy the AES-NI key file from the infected computer. This key file is necessary for decryption of the encrypted files and is usually located in the C:\ProgramData folder. The ESET AES-NI decryptor looks for key files in the following folders:

  • The folder containing ESETAESNIDecryptor.exe
  • C:\ProgramData
  • %appdata%
  • %temp%
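As an added example (not ESET's tool or code), the following read-only triage script locates candidate key files in the folders listed above and counts files carrying the rename extensions from the symptom list, so you can confirm a key file exists before copying it to another computer. It assumes the key file naming pattern shown in the example names above and, as a stand-in for the decryptor's own folder, the folder the script is run from.

```python
"""Read-only triage for an AES-NI / XData incident (added example, not ESET's tool).
Nothing is modified; this is the equivalent of a /n dry run."""
import os
import re
from pathlib import Path

# Extensions the ransomware appends to encrypted files (from the article).
ENCRYPTED_EXTS = (".aes256", ".lock", ".aes_ni_0day", ".aes_ni",
                  ".decrypr_helper@freemail_hu", ".~xdata~")

# Key file names end in ".key", optionally followed by one of the rename
# extensions, as in the example key file names. Assumption: other variants may exist.
KEY_FILE_RE = re.compile(r"\.key(\.(aes_ni_0day|aes_ni|~xdata~))?$", re.IGNORECASE)

# Folders the decryptor searches for key files; the current folder stands in
# for the decryptor's location (the desktop, per the steps above).
KEY_FOLDERS = [os.getcwd(), r"C:\ProgramData",
               os.path.expandvars("%appdata%"), os.path.expandvars("%temp%")]


def is_key_file(name):
    """True if a file name matches the AES-NI key file pattern."""
    return KEY_FILE_RE.search(name) is not None


def is_encrypted_file(name):
    """True if a file name ends in one of the rename extensions.
    Check after is_key_file, since key files share some suffixes.
    Note: .lock is also used by legitimate software, so treat it as a hint."""
    low = name.lower()
    return any(low.endswith(ext) for ext in ENCRYPTED_EXTS)


def classify(paths):
    """Split an iterable of path strings into key files and encrypted files."""
    keys, encrypted = [], []
    for p in paths:
        # Normalise separators so Windows paths classify correctly anywhere.
        name = os.path.basename(str(p).replace("\\", "/"))
        if is_key_file(name):
            keys.append(p)
        elif is_encrypted_file(name):
            encrypted.append(p)
    return {"key_files": keys, "encrypted_files": encrypted}


def scan(folders):
    """Walk the given folders without modifying anything and classify each file."""
    found = (str(f) for d in folders if os.path.isdir(d)
             for f in Path(d).rglob("*") if f.is_file())
    return classify(found)


if __name__ == "__main__":
    result = scan(KEY_FOLDERS)
    for k in result["key_files"]:
        print("key file:", k)
    print(len(result["encrypted_files"]), "files with ransomware extensions")
```

Copy any listed key file along with the encrypted files to the computer where the decryptor will run, keeping the key file in one of the folders the tool searches.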

Figure 1-2


Need Assistance in North America?

If you are a North American ESET customer and need assistance, view product documentation or visit helpus.eset.com to chat with a live technician.