Recommended Posts

It sound like you might have a Globe Imposter they call Amensia.  I could be wrong.  But there's a thread here about it.  There is no decryptor for it yet.  Just post there and see if anyone updates the thread.

Share this post

Link to post
Share on other sites


Thank you bruticus0Descryptor amnesia finds the key. Then the user window opens. I specify a disk with infected files, but the utility does not find anything. Files have the extension @decryptor2017

Looking for active infection ...

No active infection was found!

Share this post

Link to post
Share on other sites

Hi COnsu1,

We are currently looking into this ransomware as looks like there is a variant we don't have covered yet in our decrypter. I will let you know when we do.

A good backup procedure is very important and well worth the investment. You will also need to secure RDP with a strong password if you continue to use it, as this is how the criminals enter the system.



Share this post

Link to post
Share on other sites



I confirm that decryptor amnesia decrypts the files "@decrypt2017" after changing the file extension to "amnesia". But there is one big problem, the file names remain encrypted. Encripted files have a structure: First, there is 2 bytes that contains a size of the original file name (number of characters). Any file with 5 characters (for example 1.xls) will start with "2g" (2g0000000033466IzlLuYLIdSQA-lXF5). 6ch=2w, 7ch=2M, 8ch=30, 9ch=3g, 10ch=3w, 11ch=3M etc. Next comes 8 zeroes and 1 digit. This digit can be only just 0, 1, 2 or 3. After that we have alphanumeric characters: [0-9,a-z,A-Z,+,-], very likely base64 with minor difference, their lengh can be 21, 43, 64 or 85 (and may be larger), depending on size of original file name.

There are encrypted files from 1.xls to 10.xls. I hope this can help to create full decriptor or to find some way to decript file names.


Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.