AES-NI Ransomware may be Using Recently Disclosed NSA Exploits

Rumors are circulating on the internet regarding quite a recent type of ransomware making use of the Shadow Brokers’ exploits. Albeit security researchers are not entirely certain these claims are legitimate, it is a very troublesome development to consider. AES-NI ransomware has been around since late 2016, but it appears a new version may be circulating as we speak.

AES-NI Ransomware Should Not be Underestimated

Ever since The Shadow Brokers released their latest batch of alleged NSA exploits, the world has been waiting for someone to make use of them. Although that wait may not yet be over just yet, the developer of AES-NI ransomware claims he has found a way to integrate some tools into his creation. That is quite a bold statement, especially when considering there is very little evidence to back up these claims as of right now.

ETERNALBLUE is the exploit released by The Shadow Brokers of which the AES-NI ransomware is talking right now. To be more specific, this alleged NSA exploit allows hackers to target the SMBv2 protocol and infect Windows servers around the world. Once this process is complete, it could theoretically allow a ransomware developer to install a ransomware payload on these servers for further distribution and control. The only evidence to back up these claims is this screenshot, which does not validate the claims by any means.

Even if these claims are not true in the end, AES-NI ransomware should not be overlooked by any means. Despite this malware being around since late 2016, it continues to cause a massive wake of destruction as we speak. In fact, it appears the number of daily detections related to this particular ransomware strain is only increasing as we speak, which is anything but positive news at this stage.

It is certainly true there have been more reported of AES-NI ransomware ever since The Shadow Brokers released their latest Windows exploits. Then again, this can still be classified as mere coincidence at this stage. So far, there is no valid reason to believe any of the developer’s claims, although his creation is doing quite well on its own regardless of using NSA exploits. If ransomware developers were to successfully incorporate NSA exploits, things will go from bad to incredibly worse very fast, though.

So far, it appears the AES-Ni ransomware strain, researchers have identified makes use of the RDP protocol, rather than using SMB or SMBv2. Then again, it is still possible the developer has created an updated version that has yet to be analyzed by security experts at this stage. We can only hope there is no link to AES-NI and MSA hacking tools right now, as that would open up a whole new can of worms the world does not need right now.

As one would expect, AES-Ni is one of the many ransomware strains asking for a bitcoin payment. As of right now the sum to get rid of this malware sits at around US$1,800 worth of BTC. That is quite a steep amount, to say the least. It is interesting to note the developer claims to restore file access free of charge if the victim is living in one of the former Soviet states. Sadly, there is no known way to decrypt AES-NI without paying the high ransom.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.