AESRT
⚠️ Overview
AESRT is a ransomware family first documented in November 2019 by Fortinet's FortiGuard Labs threat research team. It is a file-encrypting ransomware that appends the .AESRT extension to the files it encrypts. The operators are believed to be financially motivated, but no named threat group has been publicly attributed. Targets include both individual consumers and small-to-medium businesses; initial distribution has been observed through malicious email attachments and exploit kits.
🔧 Technical Capabilities
AESRT encrypts victim files with AES-256 and uses RSA-2048 to protect the key material. The reported key-generation routine derives the encryption key from a hardcoded string and a per-machine identifier. Note that a key derived only from those two inputs could in principle be regenerated by an analyst, so the claim that decryption is infeasible without the attacker's private key presumes that the AES key is wrapped with the operators' RSA-2048 public key, the usual hybrid design; the page does not detail that step.

Distribution (the malware does not self-propagate) is through phishing emails carrying malicious VBScript or JavaScript attachments that download the loader from compromised websites. Once running, AESRT enumerates mapped network drives and shared folders and encrypts files on those remote locations as well, extending the damage beyond the local host. Persistence is a registry run key value named "Windows Security Update" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Before encrypting, it checks for sandbox and analysis environments (debugging tools, virtual machine artifacts) and terminates processes that could hold files open or otherwise interfere with encryption, including backup and database services. It then deletes Volume Shadow Copies with vssadmin.exe and disables Windows Recovery features, so that local restore points cannot be used to recover files.
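The shadow-copy deletion, service termination and run-key persistence described above are the steps a defender can catch from process-creation telemetry before encryption completes. The following is an added example, not code from the original page or from Fortinet: a small behavioural detector run over constructed process-creation records. The field names (ParentImage, Image, CommandLine) follow a Sysmon Event ID 1 export but any source that records command lines works; the dropper path is made up, and the bcdedit and wbadmin patterns are assumptions, since the page says recovery is disabled but not by which command.

```python
"""Behavioural detection for the recovery-inhibition, service-stop and
persistence steps attributed to AESRT.

Added example, not code from the original page or from Fortinet. The
process-creation records are constructed; the bcdedit and wbadmin
patterns are assumed methods (the page does not name the command)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    technique: str      # MITRE ATT&CK technique ID
    reason: str
    command_line: str


# (ATT&CK ID, description, pattern matched against the process command line)
RULES = [
    ("T1490", "shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "Windows Recovery disabled via bcdedit (assumed method)",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490", "backup catalog deleted via wbadmin (assumed method)",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1547.001", "Run key value 'Windows Security Update' written",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*CurrentVersion\\Run\b.*"
                r"Windows Security Update", re.I)),
    ("T1489", "backup or database service stopped before encryption",
     re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|"
                r"taskkill(?:\.exe)?)\b.*(?:sql|veeam|backup|vss)", re.I)),
]

# Constructed sample: a dropper in %TEMP% (made-up path) spawns the tooling,
# plus two benign administrator commands that must not fire.
DROPPER = r"C:\Users\victim\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
    {"ParentImage": DROPPER, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": DROPPER, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"ParentImage": DROPPER, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v "Windows Security Update" /t REG_SZ /d ' + DROPPER},
    {"ParentImage": DROPPER, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop MSSQLSERVER /y"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},   # benign: lists, does not delete
]


def scan(events):
    """Return every (technique, reason, command line) match across the events."""
    hits = []
    for event in events:
        cmd = event.get("CommandLine", "")
        for technique, reason, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Hit(technique, reason, cmd))
    return hits


def triage(events, min_distinct=2):
    """Group matches by parent process. One parent triggering two or more
    distinct techniques is the ransomware storyline worth paging on; a
    single match alone is often an administrator at work."""
    techniques_by_parent = {}
    for event in events:
        parent = event.get("ParentImage", "<unknown>")
        for hit in scan([event]):
            techniques_by_parent.setdefault(parent, set()).add(hit.technique)
    return {parent: sorted(ids) for parent, ids in techniques_by_parent.items()
            if len(ids) >= min_distinct}


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.technique:10} {hit.reason}: {hit.command_line}")
    print("probable ransomware parents:", triage(SAMPLE_EVENTS))
```

On the sample, `scan` fires four times (vssadmin, bcdedit, reg add, net stop) and ignores both benign commands; `triage` attributes all three techniques to the dropper, which is the correlation that separates ransomware from a one-off `vssadmin` run by an administrator.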
📜 History & Notable Incidents
The first major campaign was observed in early December 2019, primarily targeting users in South Korea and the United States through fake shipping-notification emails. In February 2020 the operators released version 2.0, with faster encryption and support for AES-NI hardware acceleration. No CVEs are associated with AESRT itself: the malware relies on social engineering for execution, and where exploit kits were used for delivery (see the overview), the vulnerabilities exploited belong to the kit and the victim's browser or plugins, not to the ransomware. No law enforcement actions or arrests against the AESRT operators have been publicly reported.
🔍 Detection Indicators
Fortinet's advisory publishes SHA-256 hashes for early samples. The value shown on the original page, f3c9a2b1c4e5d6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1, is an explicit placeholder and not a real hash; do not load it into a blocklist, take the IOCs from the advisory instead. Host indicators are the .AESRT extension appended to encrypted documents and images and a ransom note named _HOW_TO_RECOVER_FILES_.txt dropped into every encrypted directory. Network indicators are outbound HTTPS connections to addresses in 185.0.0.0/8 (reported as Russian hosting providers) with the User-Agent string Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0), chosen to blend in with legitimate traffic. Two caveats: that User-Agent is the genuine Internet Explorer 10 on Windows 7 string, so it means something only in combination with other signals, and 185.0.0.0/8 is a RIPE-allocated block spanning many European providers, far too broad to block; use the specific addresses from the advisory and treat the range only as corroboration.
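An IOC sweep for the host and network indicators just listed, written as an added example (not code from the original page or from Fortinet's advisory). It walks a directory tree for .AESRT files and the ransom note, and scores proxy records so that the weak User-Agent and /8 signals only alert together. The directory tree and the proxy log are constructed inside the example so it runs offline; every path, address and hostname in them is made up and none is a real IOC.

```python
"""IOC sweep for the AESRT host indicators (.AESRT files, the ransom note)
and the network indicator (page-listed User-Agent plus 185.0.0.0/8 dest).

Added example, not code from the original page or from Fortinet's advisory.
The sample tree and proxy log are constructed; no real IOCs appear here."""
import ipaddress
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".aesrt"      # compared case-insensitively; original extension stays in front
RANSOM_NOTE = "_HOW_TO_RECOVER_FILES_.txt"
# Genuine Internet Explorer 10 / Windows 7 User-Agent: noise on its own,
# so it is only counted together with the destination check.
SUSPECT_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
# The page gives only a /8; far too broad to block, used purely as corroboration.
SUSPECT_NET = ipaddress.ip_network("185.0.0.0/8")


def scan_tree(root):
    """Walk a tree and report encrypted files, the directories holding a
    note, and the names the encrypted files had before .AESRT was appended."""
    root = Path(root)
    encrypted, note_dirs = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            note_dirs.append(path.parent.relative_to(root).as_posix())
        elif path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path.relative_to(root).as_posix())
    return {
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "original_names": sorted(Path(p).name[:-len(ENCRYPTED_EXT)] for p in encrypted),
    }


def scan_proxy_log(lines):
    """Tab-separated records: ts, src, dst_ip, method, url, user_agent.
    A record is flagged only when BOTH weak signals coincide."""
    flagged = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, _method, _url, user_agent = line.rstrip("\n").split("\t")
        reasons = []
        if user_agent == SUSPECT_UA:
            reasons.append("page-listed User-Agent")
        try:
            if ipaddress.ip_address(dst) in SUSPECT_NET:
                reasons.append("destination in 185.0.0.0/8")
        except ValueError:          # dst was a hostname, not an address
            pass
        if len(reasons) == 2:
            flagged.append((src, dst, reasons))
    return flagged


# Constructed proxy log: record 1 has the UA only, record 2 has both signals,
# record 3 has the destination range only. 198.51.100.0/24 is TEST-NET-2.
SAMPLE_PROXY_LOG = """\
# ts\tsrc\tdst\tmethod\turl\tuser_agent
2019-12-03T10:01:02Z\t10.0.0.15\t198.51.100.7\tGET\thttps://intranet.example/\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2019-12-03T10:01:09Z\t10.0.0.15\t185.0.2.10\tCONNECT\t185.0.2.10:443\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2019-12-03T10:02:30Z\t10.0.0.22\t185.0.2.11\tGET\thttps://cdn.example/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/79.0
""".splitlines()


def build_sample_tree(root):
    """Constructed victim profile: two encrypted files, one note per
    affected directory, and one untouched file."""
    root = Path(root)
    for folder, victim in (("Documents", "report.docx"), ("Pictures", "photo.jpg")):
        d = root / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / (victim + ".AESRT")).write_bytes(os.urandom(64))  # stand-in ciphertext
        (d / RANSOM_NOTE).write_text("your files are encrypted\n")
    (root / "notes.txt").write_text("untouched\n")
    return root


def demo():
    """Build the sample tree in a temporary directory, sweep it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    print(demo())
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
```

The `original_names` list is what you hand to the restore team: because AESRT appends its extension rather than replacing it, the pre-encryption filename survives and can be matched against backup catalogs. Only the second proxy record is flagged; the first (IE10 User-Agent to an internal host) and the third (185/8 destination with a normal browser) are exactly the false positives the caveats above warn about.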
☠️ Risk & Impact
AESRT causes irreversible data loss for victims without offline backups, since no public decryption tool exists. Financial losses are driven by ransom demands typically between $500 and $2,500 in Bitcoin per infected machine. Affected sectors include healthcare, education, and local government, based on incident reports submitted to platforms such as ID-Ransomware.
🛡️ Mitigation
Recommended defensive measures: strict email filtering that blocks script attachments (.vbs, .js and their archived forms); Group Policy that restricts Windows Script Host execution of VBScript and JavaScript for non-administrative users; and offline, immutable backups that are regularly tested for restore. Fortinet provides YARA rules and Snort signatures for network-level detection, and Microsoft Defender for Endpoint can block AESRT through its real-time protection module. Relevant MITRE ATT&CK techniques: T1059.005 (Command and Scripting Interpreter: Visual Basic) and T1059.007 (JavaScript) for the attachment stage, T1547.001 (Registry Run Keys / Startup Folder) for persistence, T1489 (Service Stop) for terminating backup and database services, T1490 (Inhibit System Recovery) for shadow-copy deletion, and T1486 (Data Encrypted for Impact).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.