The .aesir file extension virus is part of a big ransomware family. The generic name thereof is Locky. A few other specimens that represented this syndicate earlier include Zepto, Odin and Thor. The currently active Aesir breed applies the same combination of ciphers as its predecessors in order to lock down its victims’ important files. The changes made to the Trojan in the course of this release are mainly on the inside, and there are plenty of them.
The Locky ransomware spinoff called Aesir appeared in late November 2016. Dubbed this way after the extension it appends to one’s files, this version stands out from the pack regarding the way it performs data encryption. The previous editions used to obtain cryptographic keys by sending out specific requests to the Command and Control server. This activity allowed the conventional antimalware solutions and the stock Windows firewall to identify the abnormal web traffic as ransomware-specific and ultimately block the infection. Now, the latest Aesir variant is installed with a built-in public RSA key, so it doesn’t have to receive one from the C&C. This feature poses a layer of obfuscation that makes the Trojan undetectable by more security tools across the board.
When up and running inside a host computer, Aesir kicks off with finding the files that meet the “personal data” criterion most accurately. To that end, it uses a whitelist of extensions. If it locates a file with an extension matching any entry from this built-in database, the file gets encrypted. The ransomware uses RSA-2048 and AES-128 cryptographic algorithms to make data inaccessible. Every encrypted object assumes the shape of a 32-character string (consisting of numbers and character) followed by the .aesir extension. For the attack to be complete, the offending application creates ransom notes in all affected folders and on the desktop. These are named “-INSTRUCTION.html” and “-INSTRUCTION.bmp”. Their goal is to walk the victim throughout the paid decryption process. In particular, the user will have to visit a site called the “Locky Decryptor” and pay 0.5 Bitcoins to an address indicated on that resource. That’s the ransom, which is supposed to make the automatic decryptor downloadable. Instead of going this route, though, consider trying alternative recovery methods.
Use automatic solution to remove Aesir virus
The issue of Aesir compromising a PC can be effectively resolved if you use trusted security software. Along with the obvious ease of such removal, other benefits include thoroughness of virus detection and elimination from all system locations it might have affected. Be advised, however, that removing the ransomware and recovering the hijacked files are two different things. So please follow these steps just for a start:
1. Download and install Aesir removal tool. Run the application and select Start Computer Scan option in order to have your computer checked for ransomware, adware, viruses and other malicious objects.
2. When the scan is complete, it will return a list with results on what infections have been found. Go ahead and click Fix Threats to completely get rid of the detected items. The virus should now be gone from your PC.
Recover files encrypted by Aesir
The bitter truth about this ransomware assault is that there doesn’t exist a tool that can automatically decrypt your personal files, except perhaps the service endorsed by the virus publishers who spread this infection in the first place and have the right private key at their disposal. Asymmetric crypto algorithms are too strong to crack or brute-force, therefore users can only leverage alternate workarounds.
1. File recovery software
Some variants of ransom trojans create copies of their victims’ files, encrypt them and delete the original data. In this case, forensic utilities like Data Recovery Pro can restore the information. Download and install the program, launch it and select the scan option (Quick, Full, or Guided). Click Start Scan button, wait for the results and see what can be recovered.
2. Shadow Explorer
This method presupposes restoring the so-called “Shadow Copies” of locked files through the use of an app called Shadow Explorer. While this routine can be performed manually, the above-mentioned software automates the process all the way. Just download and install Shadow Explorer, run it, select the drive letter and date, and get down to recovery. Pick the folder or file of interest, right-click on it, select Export and follow further prompts. Note this option only works with System Restore enabled on the PC.
3. Previous Versions feature
The automatic option above has a manual counterpart, where you needn’t go any further than Windows itself. As long as System Restore has been active on the machine, users can right-click on a random file, select Properties, hit the tab that says Previous Versions, and click Copy or Restore, depending on the location that the file will be reinstated to. This is a slow-moving approach because you have to go through the above steps for every file, therefore using Shadow Explorer is a much more user-friendly experience.
This option is self-explanatory. In the event you have been backing up your information to external media or cloud resources, the damage from the Aesir attack will be minimal. Note that it’s a must to completely eradicate the ransomware before
downloading your intact files from the secure storage.
Make sure the Aesir virus has vanished
When it comes to persistent threats, double-checking never hurts. Therefore, it’s highly recommended to complete the remediation process with a final scan that will once again look for any potential bits and pieces of the infection.