The end of AES_NI ransomware? The hacker publishes decryption keys

While most of the cases, virus researchers are the ones who release long-awaited ransomware decryption keys, in the case of AES-NI ransomware, things are vice versa. A couple of days ago, an anonymous user contacted a cyber security researcher named Tyrex and sent him the message with an intriguing attachment – a .zip package containing the decrypter executable, instruction file, and 369 keys for AES_NI ransomware variation – frogobig777@india.com.[1] While the recipient speculated about the identity of the anonymous sender, the latter cast away the veil of anonymity – he turned out to be the mastermind of AES_NI virus. What did the hacker force to raise the white flag? Is it really the end of AES_NI ransomware?

Perhaps the announcement of ESET security team about the XData source code similarities to AES_NI malware served as the catalyst for the AES_NI creator commit an unusual for hackers action – surrender and publish decryption keys[1]. Right after Thyrex declared of having received the decryption keys, the author of the malware contacted various virus researchers. He admitted that he was the one releasing the decryption keys amid the fears of being affiliated with XData virus outbreak in Ukraine.[2] It is estimated that the malware inflicted four times bigger damage than WannaCry on the global scale. Perhaps due to the fears of being tracked by law enforcement agencies, the developer decided to clear the uncertainty.[3] He disclosed his intentions to cease AES_NI campaign. Furthermore, the author admitted that XData virus is based on the source code of AES_NI. It was stolen by anonymous felon approximately between February and March. Shortly after contacting virus researchers, the hacker published the authentic master key which decrypts older AES_NI ransomware versions – 85W0vhRkPbqcvaTafHknhMRP[3]. Its effectiveness has been confirmed by several famous security specialists.

Interestingly, such charitable act is not the completely rare phenomenon. The master key of CrySis malware was already released in December last year. Recently, additional 200 decryption keys have been released as well[4]. While victims of these virtual threats might rejoice after finally finding the solution, the reasons forcing the felons to surrender may be surely of interest. However, while some several battles are won by the virtual community, it still has to find new ways how to win cyber war against an enormous army of hackers.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References
Files
Software
Compare