Ransomware Research
AES-NI: April Edition Ransomware
AES-NI: April Edition is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on April 1, 2017, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: AES-NI : April Edition, SPECIAL VERSION: NSA EXPLOIT EDITION.
Quick Facts
- Ransomware Family
- AES-NI: April Edition
- First Seen
- April 1, 2017
- Known Aliases
- AES-NI : April EditionSPECIAL VERSION: NSA EXPLOIT EDITION
How AES-NI: April Edition Ransomware Works
Targeted Files
https://www.bleepingcomputer.com/forums/t/635140/aes-ni-ransomware-aes256-aes-ni-read-this-importanttxt-support-topic/page-12О
File Encryption Patterns
AES-NI: April Edition modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..aes_ni..aes_ni_0dayRansom Note and Payment Demands
After encrypting files, AES-NI: April Edition displays ransom notes demanding payment for file recovery:
!!! READ THIS - IMPORTANT !!!.txtRansom message:
notes/!!! READ THIS - IMPORTANT !!!.txt
Note locations:
EveryFolderTechnical Indicators
Associated Executable Files
The following executable files are associated with AES-NI: April Edition ransomware:
malware03AES-NI.exevirus.exeAES-NI.binRansom_HPSOREBRECT.SM.EXE.binAES-NI.exSorebrect Ransomware.exeleaks.7z
Elastio Can Help You
Don't let AES-NI: April Edition ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This AES-NI: April Edition ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like AES-NI: April Edition.
Last updated: July 30, 2025