Current Page: Namosofts»Guides»How to remove Aesir ransomware
How to recover .aesir files and remove Locky/Aesir ransomware

The .aesir file extension virus is part of a big ransomware family. The generic name thereof is Locky. A few other specimens that represented this syndicate earlier include Zepto, Odin and Thor. The currently active Aesir breed applies the same combination of ciphers as its predecessors in order to lock down its victims’ important files. The changes made to the Trojan in the course of this release are mainly on the inside, and there are plenty of them.

The Locky ransomware spinoff called Aesir appeared in late November 2016. Dubbed this way after the extension it appends to one’s files, this version stands out from the pack regarding the way it performs data encryption. The previous editions used to obtain cryptographic keys by sending out specific requests to the Command and Control server. This activity allowed the conventional antimalware solutions and the stock Windows firewall to identify the abnormal web traffic as ransomware-specific and ultimately block the infection. Now, the latest Aesir variant is installed with a built-in public RSA key, so it doesn’t have to receive one from the C&C. This feature poses a layer of obfuscation that makes the Trojan undetectable by more security tools across the board.

Aesir ransom notes, warning desktop wallpaper and encrypted files

This perpetrating program ends up inside computers via a crafty social engineering scheme. A targeted user discovers a catchy email in their inbox that pretends to be a local representation offer, payment history, e-invoice, receipt or other subject that’s likely to draw anyone’s attention. The ZIP file attached to this email will typically contain a harmful JavaScript or VBScript file. It’s highly recommended to refrain from double-clicking on items like that, because the outcome may be disastrous. This script will covertly download all the Aesir ransomware components in the blink of an eye.

When up and running inside a host computer, Aesir kicks off with finding the files that meet the “personal data” criterion most accurately. To that end, it uses a whitelist of extensions. If it locates a file with an extension matching any entry from this built-in database, the file gets encrypted. The ransomware uses RSA-2048 and AES-128 cryptographic algorithms to make data inaccessible. Every encrypted object assumes the shape of a 32-character string (consisting of numbers and character) followed by the .aesir extension. For the attack to be complete, the offending application creates ransom notes in all affected folders and on the desktop. These are named “-INSTRUCTION.html” and “-INSTRUCTION.bmp”. Their goal is to walk the victim throughout the paid decryption process. In particular, the user will have to visit a site called the “Locky Decryptor” and pay 0.5 Bitcoins to an address indicated on that resource. That’s the ransom, which is supposed to make the automatic decryptor downloadable. Instead of going this route, though, consider trying alternative recovery methods.

Use automatic solution to remove Aesir virus

The issue of Aesir compromising a PC can be effectively resolved if you use trusted security software. Along with the obvious ease of such removal, other benefits include thoroughness of virus detection and elimination from all system locations it might have affected. Be advised, however, that removing the ransomware and recovering the hijacked files are two different things. So please follow these steps just for a start:

1. Download and install Aesir removal tool. Run the application and select Start Computer Scan option in order to have your computer checked for ransomware, adware, viruses and other malicious objects.

2. When the scan is complete, it will return a list with results on what infections have been found. Go ahead and click Fix Threats to completely get rid of the detected items. The virus should now be gone from your PC.

Recover files encrypted by Aesir

The bitter truth about this ransomware assault is that there doesn’t exist a tool that can automatically decrypt your personal files, except perhaps the service endorsed by the virus publishers who spread this infection in the first place and have the right private key at their disposal. Asymmetric crypto algorithms are too strong to crack or brute-force, therefore users can only leverage alternate workarounds.

1. File recovery software

Some variants of ransom trojans create copies of their victims’ files, encrypt them and delete the original data. In this case, forensic utilities like Data Recovery Pro can restore the information. Download and install the program, launch it and select the scan option (Quick, Full, or Guided). Click Start Scan button, wait for the results and see what can be recovered.

Data Recovery Pro

2. Shadow Explorer

This method presupposes restoring the so-called “Shadow Copies” of locked files through the use of an app called Shadow Explorer. While this routine can be performed manually, the above-mentioned software automates the process all the way. Just download and install Shadow Explorer, run it, select the drive letter and date, and get down to recovery. Pick the folder or file of interest, right-click on it, select Export and follow further prompts. Note this option only works with System Restore enabled on the PC.


3. Previous Versions feature

The automatic option above has a manual counterpart, where you needn’t go any further than Windows itself. As long as System Restore has been active on the machine, users can right-click on a random file, select Properties, hit the tab that says Previous Versions, and click Copy or Restore, depending on the location that the file will be reinstated to. This is a slow-moving approach because you have to go through the above steps for every file, therefore using Shadow Explorer is a much more user-friendly experience.

Previous Versions

4. Backups

This option is self-explanatory. In the event you have been backing up your information to external media or cloud resources, the damage from the Aesir attack will be minimal. Note that it’s a must to completely eradicate the ransomware before downloading your intact files from the secure storage.

Make sure the Aesir virus has vanished

When it comes to persistent threats, double-checking never hurts. Therefore, it’s highly recommended to complete the remediation process with a final scan that will once again look for any potential bits and pieces of the infection.


We provide you with warm and professional services, and the emails you have sent to us will be replied within one workday. No matter what problem you have met.
Customer service:

About Namosofts

more »
Namosofts is a professional software developer in the development of applications for data recovery. We have extended our business worldwide, consistently dedicated to satisfy the customers with good products and services.