It sounds like you might have a Globe Imposter they call Amnesia. I could be wrong. But there's a thread here about it. There is no decryptor for it yet. Just post there and see if anyone updates the thread.

Thank you bruticus0. Decryptor Amnesia finds the key. Then the user window opens. I specify a disk with infected files, but the utility does not find anything. Files have the extension @decryptor2017

Looking for active infection ...

No active infection was found!

Hi COnsu1,

We are currently looking into this ransomware, as it looks like there is a variant we don't have covered yet in our decrypter. I will let you know when we do.

A good backup procedure is very important and well worth the investment. You will also need to secure RDP with a strong password if you continue to use it, as this is how the criminals enter the system.

Regards,

Sarah

I confirm that decryptor amnesia decrypts the files "@decrypt2017" after changing the file extension to "amnesia". But there is one big problem: the file names remain encrypted. Encrypted files have a structure: First, there are 2 bytes that contain the size of the original file name (number of characters). Any file with 5 characters (for example 1.xls) will start with "2g" (2g0000000033466IzlLuYLIdSQA-lXF5). 6ch=2w, 7ch=2M, 8ch=30, 9ch=3g, 10ch=3w, 11ch=3M etc. Next come 8 zeroes and 1 digit. This digit can only be 0, 1, 2 or 3. After that we have alphanumeric characters: [0-9,a-z,A-Z,+,-], very likely base64 with a minor difference; their length can be 21, 43, 64 or 85 (and may be larger), depending on the size of the original file name.

There are encrypted files from 1.xls to 10.xls. I hope this can help to create a full decryptor or to find some way to decrypt file names.

2g0000000033466IzlLuYLIdSQA-lXF5
2g000000003knB3ZD0AtL7V0FnZzYITo
2g000000003rb4m8uGUY-FZAJlVIaHNq
2g000000003JGcqLy9MwTsGp090z9ucg
2g000000001dPt7ReOtKWusgCaTpH-UY
2g0000000000FrPUJ4OKczNyo3kD3m7x
2g000000002vLDsibAn1LGzwKOQsQ3tN
2g0000000031pVRAQXc6DisAf+psHdPr
2g000000002AACr76XpohO116xnAodrm
2w000000001cVyr1Dcni29HfX3ckD5qq
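
A field parser for the name layout described in the post above, useful for inventorying renamed files during recovery. This is an added example, not part of the original thread or of any decrypter; the alphabet ordering and the length formula are assumptions inferred from the seven prefix/length pairs the post lists.

```python
# Added example: field parser for the encrypted-name layout described in the post.
# Alphabet order (digits, lower, upper, '+', '-') is an assumption; the post only
# lists the character set.
ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ+-")
# Prefix -> original name length, exactly as listed in the post.
POST_TABLE = {"2g": 5, "2w": 6, "2M": 7, "30": 8, "3g": 9, "3w": 10, "3M": 11}
LISTED_PAYLOAD_LENGTHS = {21, 43, 64, 85}


def prefix_value(prefix):
    """Read the 2-character prefix as a 12-bit number, 6 bits per character."""
    return ALPHABET.index(prefix[0]) * 64 + ALPHABET.index(prefix[1])


def inferred_length(prefix):
    """Inference from the post's seven pairs: value == 16 * (length + 4)."""
    value = prefix_value(prefix)
    if value % 16 or value < 16 * 5:
        return None
    return value // 16 - 4


def parse_name(name):
    """Split an encrypted file name into the fields the post describes."""
    if len(name) < 12:
        raise ValueError("too short for prefix + zero run + digit + payload")
    bad = sorted(set(name) - set(ALPHABET))
    if bad:
        raise ValueError(f"characters outside the described set: {bad}")
    prefix, zeros, digit, payload = name[:2], name[2:10], name[10], name[11:]
    if zeros != "0" * 8:
        raise ValueError("expected 8 zeroes after the 2-character prefix")
    if digit not in "0123":
        raise ValueError("expected a digit 0-3 after the zero run")
    return {
        "prefix": prefix,
        "name_length": POST_TABLE.get(prefix, inferred_length(prefix)),
        "digit": int(digit),
        "payload": payload,
        "payload_length_listed": len(payload) in LISTED_PAYLOAD_LENGTHS,
    }


if __name__ == "__main__":
    # Two of the sample names quoted in the post.
    for sample in ("2g0000000033466IzlLuYLIdSQA-lXF5",
                   "2w000000001cVyr1Dcni29HfX3ckD5qq"):
        print(parse_name(sample))
```

Under the assumed alphabet order, every prefix in the post's table satisfies the same linear relation, so `inferred_length` reproduces the table and extends it to prefixes the post covers only with "etc."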
