Security Alert
Jonathan Crowe
Apr 2017

Alert: AES-NI Ransomware Possibly Using Leaked NSA Exploits to Infect Victims

Key Details

  • Type of attack: Ransomware
  • Attack vector: SMB or RDP ports
  • Who is vulnerable: Windows users who haven't applied critical Microsoft update MS17-010 and who have unsecure SMB and RDP ports
  • Protection: Barkly's runtime malware defense blocks AES-NI ransomware before it can encrypt files
  • empty
  • empty
  • empty
  • empty

With the security world still reacting to the latest NSA hacking tools leak, a new strain of ransomware is purportedly already putting one of them to use.

How protected are you against ransomware? Find out now with our quick ransomware risk assessment.
Know your risk

It appears criminals are wasting little time leveraging the NSA hacking tools exposed in the latest Shadow Brokers leak on April 14, 2017. Researchers at Swiss security firm BinaryEdge have identified nearly 350,000 machines infected by just one of the tools — DOUBLEPULSAR, a backdoor impant described as "a loading dock for extra malware" — alone.

Microsoft announced it had actually issued patches that render the NSA exploits ineffective a full month prior to the leak, but as the steadily rising number of infected machines shows, "the life of an exploit doesn't end with the release of a security patch."

Which brings us to a recent spike in AES-NI ransomware infections, and the claim by the ransomware's developer that he used another exploit included in the Shadow Brokers leak — ETERNALBLUE.

For hackers, hope springs ETERNALBLUE

Like many of the other exploits included in the leak, ETERNALBLUE targets vulnerabilities in server message block (SMB) protocol (used primarily for providing shared access to files, printers, and serial ports, etc.). It is specifically addressed by critical Microsoft update MS17-010.

Researchers have already been able to successfully execute the exploit, as demonstrated below:

According to Bleeping Computer, the AES-NI developer claims he is using ETERNALBLUE to crack into Windows servers via vulnerable SMB ports and encrypt victims' files from there.

AES-NI ransomware overview


AES-NI ransom screen / @PolarToffeee

AES ransomware (also known as AES256 ransomware) has been active since December 2016. It was only recently rebranded to AES-NI ransomware.

The AES-NI variant drops a ransom note file titled !!!.READ THIS - IMPORTANT !!!.txt, which refers to the ransomware as a "Special Version: NSA Exploit Edition" and explains that if you are reading it your server was attacked with NSA exploits.

Files are encrypted with a combination of AES-256 and RSA-2048 encryption, and renamed with the ".aes_ni" extension. Unfortunately, at this time no decryption tools are available for files encrypted by AES-NI.

The ransom demand has been reported to be 1.5 Bitcoin (~$1,960), though for any victims from former Soviet states the ransomware developer will apparently decrypt files for free.

Victims are encouraged to email the criminals for further instructions. If they don't get a response they're urged not to panic, but to try contacting them via Bitmessage or even by creating a topic on the Bleeping Computer forum, which the criminals are apparently monitoring.

Full ransom note text below:

INTRO: If you are reading it, your server was attacked with NSA exploits.Make World Safe Again.
SORRY! Your files are encrypted. File contents are encrypted with random key (AES-256 bit; ECB mode). Random key is encrypted with RSA public key (2048 bit). We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. In order to get private key, write here: Also there is one fast way to contact us. If you are familiar with Jabber, write us to JID: (it is Jabber, not e-mail address!) You can the get Jabber account for example at IMPORTANT: In some cases malware researchers can block our e-mails. If you did not receive any answer on e-mail in 48 hours, please do not panic and write to BitMsg ( ) address: BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN or create topic on and we will find you there. Also the if you better download the Tor browser here: Download, install and run it; then visit our site (from the Tor browser): http://kzg2xa3nsydva3p2.onion/index.php Please do not visit this site from standard browser: it just will not open. You need Tor Browser to open .onion sites. There is a form, you can write us there if all e-mails are blocked and we will contact you very fastly. If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next. You MUST refer this ID in your message: PC # Also you MUST send all ".key.aes_ni" files from C: \ ProgramData if there are any.

Exactly how victims are infected is being debated

Some researchers are skeptical that the developer is actually using ETERNALBLUE, and believe he is gaining access via unsecure RDP ports (which has become an increasingly a popular infection vector), instead.

Regardless of the attack vector, there was a significant spike in AES-NI ransomware infections in the days following the NSA exploits leak, with over 100 infections reported to the service ID Ransomware on Monday, April 17.


AES-NI ransomware activity from the past 30 days. / ID Ransomware

Infections have since slowed back down to a handful a day, perhaps indicating disruption in the ransomware's operations.

Even with AES-NI momentarily quiet, however, companies should take precautions to protect themselves from this and future ransomware strains that attempt to leverage the leaked NSA exploits.

How to protect your organization from AES-NI and ETERNALBLUE

  • Patch ASAPWhile patching isn't always easy to do or expedite in an enterprise environment, organizations should prioritize applying update MS17-010.
  • Address open SMB and RDP portsIf feasible, block external traffic to these ports.
  • Deploy runtime malware defense to block AES-NI and other malware at runtimeWhile attacks that target SMB and RDP ports may bypass other security, they can still be stopped at runtime with security software that recognizes and blocks malicious system activity. Watch the video below to see how Barkly stops AES-NI ransomware before any harm is done:

Find out more about how RMD works in our Complete Guide to Runtime Malware Defense.

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends stright to your inbox.