Remove Aesir Ransomware

I wrote this article to help you remove Aesir Ransomware. This Aesir Ransomware removal guide works for all Windows versions.

The creators of Locky ransomware continue to modify their software, and the theme stays consistent. The latest reincarnation appends the .aesir file extension to the names of the encrypted files; the hackers appear to be fond of Norse mythology. Aesir ransomware changes the entire names of the encrypted files. The custom name is composed of the unique 32-character ID assigned to every victim. All items are given the same name. Aesir ransomware uses the following formula to generate it: [8 characters]-[4 characters]-[4 characters]-[4 characters]-[12 characters].aesir.

Aesir ransomware targets many file types, including text documents, graphics, audio, video, databases, scripts, compressed archives, zipped folders and others. The list of vulnerable file formats includes the following: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .asp, .aspx, .txt, .odt, .pdf, .rar, .zip, .dng, .iff, .exif, .crw, .js, .bdf, .wsc, .ini, .gif, .bmp, .png, .jpg, .jpeg, .psd, .csv, .raw, .bat, .lnk, .qic, .sct, .cer, .wps, .vb, .avi, .flv, .mpg, .mpeg, .mov, .mkv, .wmv, .ogg, .reg, .ai, .mdb, .db, .pfx, .php, .pak, .eml, .ps1, .m4a, .m3u, .sln, .rtf, .sql, .bkp, .vb, .xml, .bin, .mp3, .wav, .wma, .tif, .tiff, .mid, .flac, .eps, .cdr, .dat, .arw, .html.

The win-locker drops a copy of the ransom notes in every folder which contains encrypted files. The two notes are titled _[No.]-INSTRUCTION.html. In addition, the desktop background is changed to a custom wallpaper, titled -INSTRUCTION.bmp. Aesir ransomware makes sure the victims will notice the message. In order to have success, the rogue program needs people to cooperate. The notes inform victims what the win-locker has done and explain why. The objective of Aesir ransomware is to raise proceeds for its developers.
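The naming formula and ransom-note names described above are enough to scope the damage on a disk before choosing a recovery method. The following triage script is an added example, not part of the original guide; it assumes the ID characters are ASCII letters and digits (the article does not specify the character set) and matches notes by the "-INSTRUCTION" suffix given above.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Renamed files per the article: [8]-[4]-[4]-[4]-[12] characters + ".aesir".
# Assumption: the characters are ASCII letters and digits.
AESIR_NAME = re.compile(
    r"^[0-9A-Z]{8}(?:-[0-9A-Z]{4}){3}-[0-9A-Z]{12}\.aesir$", re.IGNORECASE)

# Ransom notes per the article: names ending in -INSTRUCTION.html / .bmp.
NOTE_NAME = re.compile(r"-INSTRUCTION\.(?:html|bmp)$", re.IGNORECASE)


def classify(filename):
    """Return 'encrypted', 'note' or None for a bare file name."""
    if AESIR_NAME.match(filename):
        return "encrypted"
    if NOTE_NAME.search(filename):
        return "note"
    return None


def triage(root):
    """Walk root; per folder, count encrypted files and list ransom notes."""
    report = defaultdict(lambda: {"encrypted": 0, "notes": []})
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        kind = classify(path.name)
        if kind == "encrypted":
            report[str(path.parent)]["encrypted"] += 1
        elif kind == "note":
            report[str(path.parent)]["notes"].append(path.name)
    return dict(report)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for folder, info in sorted(triage(start).items()):
        print(f"{folder}: {info['encrypted']} encrypted, notes={info['notes']}")
```

Folders that appear in the output are the ones to target with the restore methods below; the script only reads file names and changes nothing on disk.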

The hackers demand a ransom to restore users’ access to their files. They state that the only way to perform a decryption is with a unique key. Aesir ransomware conducts asymmetric encryption. The win-locker utilizes a combination of AES-128 and RSA-2048 ciphers. The AES technology creates a public encryption key. The RSA cipher produces a unique decryption key, encrypts it and sends it to a command and control (C&C) server operated by the cyber criminals.

The proprietors of Aesir ransomware demand a ransom of 3 bitcoins. Converted, the sum amounts to $2211.18 USD. This is a high price for accessing your rightfully owned data. The cyber criminals ask people to pay in bitcoins because this cryptocurrency is a secure payment method. The IP address and physical location of the recipient cannot be tracked down. A further measure the hackers have taken is to create a Tor browser page. People have to conduct the transaction by using this page. The Tor web browser has been developed for privacy reasons. It blocks outside parties from tracing the geographic location of the computer.

Along with modifying the technical characteristics of Aesir ransomware, the hackers have moved on to a different spam campaign. Researchers have identified the emails responsible for spreading the win-locker. Aesir ransomware is distributed through letters with the subject line “Spam mailout”. They impersonate ISP Support. The messages tell users that their device has been involved in sending out spam. You will be directed to an attached .zip folder which is stated to contain a report on the matter. In reality, the folder contains a .js script which downloads and installs the win-locker upon execution. It will download an encrypted .dll file and decrypt it into the %Temp% folder on the C:\ hard drive. This file installs Aesir ransomware on the computer.
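A mail filter or analyst can check for the delivery pattern described above (the “Spam mailout” subject and a .zip attachment holding a .js file) without ever extracting the archive. The script below is an added example, not part of the original guide; the extra script extensions beyond .js are a generalization, and the sample message, addresses and file names are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .js comes from the article; the other extensions are an added generalization.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")


def script_members(zip_bytes):
    """Names of script files inside a ZIP; member data is never extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw):
    """Return a list of findings for one raw e-mail message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if "spam mailout" in (msg["Subject"] or "").lower():
        findings.append("subject matches the campaign lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for member in script_members(part.get_payload(decode=True)):
                findings.append(f"{name} contains script {member}")
    return findings


def build_sample():
    """Constructed sample: a harmless comment line stored under a .js name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report_4821.js", "// constructed placeholder\n")
    msg = EmailMessage()
    msg["From"] = "support@isp.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Spam mailout"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="logs_user.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("\n".join(triage_message(build_sample())))
```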

It is advised to avoid unconfirmed emails in general. When you are uncertain about the reliability of a message in your inbox, check the sender’s contact details. If the sender has written on behalf of a certain company or organization, they should have used an official email account. You can go to the public website of the entity in question and open the contacts page for reference.

Aesir Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Aesir Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panel
  4. Choose a date at least a month ago from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point, at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above methods works, you should try to recover encrypted files by using File Recovery Software. Since Aesir Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
