How to remove Ai88 (Virus Removal Guide)

The “Ai88 virus” is a term used to identify a severe form of ransomware that infects a computer system, encrypts personal files on the infected computer, and demands a ransom in online currencies such as Bitcoin in exchange for a generated private key needed to decrypt and fully recover the files it encrypted. The infection is sometimes referred to as the Ai88 virus because it will contain text that says ‘Ai88’ somewhere on the interface.


When Ai88 and similar ransomware first infect a computer system, they connect to a Command & Control server and send the victim’s unique identifier and the campaign ID. The Command & Control server will then send back various ransom notes and files, including alleged decryption instructions in notes with titles similar to RECOVERY_FILE.txt and HELP_TO_SAVE_FILES.txt.

Ai88 will then start to scan the infected computer’s hard drives for specific files and create a %AppData%\key.dat file that will be used to store information about the decryption key, as well as to store all encrypted files. This ransomware encrypts a lot of personal files. The extensions that it targets are listed below:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

When the encryption has finished, the ransomware will change the desktop wallpaper and will go on to automatically open a ransom note file. The ransomware will also open the Ai88 program (application, interface) that contains ransom notes, links, and other information on how you can pay the ransom and decrypt your files. Information displayed by the application is listed below.

Ai88 virus Examples:

Your personal files are encrypted!
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show encrypted files" Button to view a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated on this computer. To decrypt files you need to obtain the private key.
Ai88
All your important files are encrypted.
At the moment, the cost of private key for decrypting your files is 0.7 BTC ~=154 USD.
Yout Bitcoin address payment:
Try to decrypt your files here (working only with TorBrowser)

How does Ai88 virus get onto a computer?

Ai88 is known to be distributed through the Angler Exploit Kit. Malicious files that contain the exploit kit and spread Ai88 ransomware can be found in prohibited torrent files, malicious advertisements, and on websites that host malware. However, Ai88 ransomware in particular is usually distributed through fraudulent email message content and email attachments.

How to remove Ai88 (Removal Instructions)

We recommend that you write down the toll free number below in case you run into any issues or problems while removing this infection. Our techs will kindly assist you with any problems.

1-888-986-8411
If you need help, give us a call.

1. Download and install the free or full version of Malwarebytes Anti-Malware software. The full version enables real-time protection to block malware and unwanted programs from infecting your computer, while the free version is just a free scan and removal tool.


2. Open the Malwarebytes Anti-Malware program.


3. Click the large Scan Now button or visit the “Scan” tab to manually run a scan.


4. Once the malware scan is complete, click the Remove Selected button and reboot your computer.

If you are still having issues with malware, it is recommended to download and install a second-opinion scanner such as HitmanPro by SurfRight to eradicate existing malicious files and automatically repair corrupted settings.

User accounts

Ransomware usually infects one user account on Windows systems at a time. Here are some tips to remove ransomware by using different user accounts.

  1. Log into an account not affected by malware (with administrative rights) and perform a scan with reputable software to detect and remove malware.
  2. You can also delete the infected account.
  3. Other options include creating a new user account to remove malware if only one Windows user account is present on the computer system.
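
To see which Windows account holds the artifacts this guide names (%AppData%\key.dat and the RECOVERY_FILE.txt / HELP_TO_SAVE_FILES.txt notes) before choosing an account to scan from, the following added example, which is not part of the original guide, checks each profile directory. It assumes profiles live under the default Users folder with %AppData% at AppData\Roaming, and it matches the note names exactly although the guide says real names are only similar; `scan_profile` and `affected_profiles` are names chosen for this example.

```python
import os
from pathlib import Path

# Artifact names taken from this guide. The guide says real note titles are
# only "similar to" these, so exact (case-insensitive) matching is an assumption.
NOTE_NAMES = {"recovery_file.txt", "help_to_save_files.txt"}
# Assumption: %AppData% is at its default location inside each profile.
KEY_FILE = Path("AppData") / "Roaming" / "key.dat"


def scan_profile(profile, max_depth=4):
    """Return the guide's indicators found under one user profile directory."""
    profile = Path(profile)
    found = {"key_file": None, "notes": []}
    key = profile / KEY_FILE
    if key.is_file():
        found["key_file"] = str(key)
    base = len(profile.parts)
    # Unreadable directories are skipped instead of aborting the scan.
    for dirpath, dirnames, filenames in os.walk(profile, onerror=lambda e: None):
        if len(Path(dirpath).parts) - base >= max_depth:
            dirnames[:] = []  # stop descending below max_depth
        for name in filenames:
            if name.lower() in NOTE_NAMES:
                found["notes"].append(os.path.join(dirpath, name))
    found["notes"].sort()
    return found


def affected_profiles(users_root):
    """Map account name -> indicators for every profile with at least one hit."""
    results = {}
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        hits = scan_profile(profile)
        if hits["key_file"] or hits["notes"]:
            results[profile.name] = hits
    return results


if __name__ == "__main__":
    # Assumption: profiles live under <SystemDrive>\Users (default Windows layout).
    root = Path(os.environ.get("SystemDrive", "C:") + "\\Users")
    if root.is_dir():
        for account, hits in affected_profiles(root).items():
            print(account, hits["key_file"], len(hits["notes"]), "note(s)")
```

Run it from an account with administrative rights so that other users' profiles are readable; the accounts it lists are the ones to treat as affected.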

Internet/network issues

Safe Mode With Networking can be used to access the Internet for updates, drivers, removal software, or other files if internet and network connectivity is compromised.