Mr.47 (posted May 19, 2017):

Hi Team, I need some help with the new amnesia (attached). I tried your tool on it and it is still not working.

Attachment: encrypted.zip

bruticus0 (posted May 19, 2017):

I can't d/l links since I'm just a user. So I don't know your file's extensions. The updated decryptor is for these file extensions: .01, .02, [email protected]_2017, .amnesia, .CRYPTOBOSS, .[[email protected]].SON, .[[email protected]].LOCKED

The detailed usage of the Amnesia Decryptor is here. The thread for Amnesia at bleepingcomputer is here, where it looks like most everyone has gotten their files back. Looks like those with the .02 extension might have to be renamed to .amnesia to get it to work. But that was before the decryptor update.

You need to use an original file and its encrypted counterpart to get the key for your system. If Excel is encrypted, download the same version and use that as your file pair. Program Readmes, PNGs, and favorites rarely change even across versions. The original doesn't have to come from your own system, it just has to be the very same file unencrypted.

ShadowPuterDude (posted May 19, 2017):

@Mr.47 This is definitely Amnesia.

Our Amnesia decryption tool can be downloaded from https://decrypter.emsisoft.com/download/amnesia

Usage Guide download: https://decrypter.emsisoft.com/howtos/emsisoft_howto_amnesia.pdf

Mr.47 (posted May 20, 2017):

Kevin and bruticus, I tried the tool and it can't be cracked using the Emsisoft Amnesia tool.

bruticus0 (posted May 20, 2017):

You're gonna have to give us more to work with than that. The Amnesia decryptor seems to work for everyone that's tried it. So let's start from square one. What's your encrypted file extension? Did you go to the RansomID website here and make sure what kind of ransomware you have? Upload a file pair.

A "File Pair" is an unencrypted file, and the same file after it has been encrypted. If your Microsoft Excel is encrypted, download the same version of Excel from the internet and use that.

Sarah W (posted May 20, 2017):

Hi all, We got a sample of a new version of Amnesia, we are currently looking into it. Please be patient.

Regards, Sarah

Fritz (posted May 24, 2017):

Hi all, I've got infected with the .amnesia ransomware. Also it is positively identified as the Amnesia Ransomware by the Ransom ID website. Also I have the original and encrypted files, but the decryptor is not working. I've tried a few files, but still no luck. Attached some sample files. Any solution yet? Many thanks.

Attachments:
COR39_CAB Foods (Pty) Ltd - 15.07.2014 Final.tif
d00000000009Hw7KeP8T-iNEjE3+ZCUZ4k+8SLu3FdzsLuv5gGAea7WdgJNKDa1JNA0omTmHcLxXBxBAYH7Yh4cYbUT7wOBo.amnesia
70000000003XqDYIu1r3MUqU37tygXaalMjY9fTa5FmF3SpDWR4FWM.amnesia
4w000000003q+lytC77sYWx+9u36PqkB1VQw+kJexdrj0JBMQATgZg.amnesia
HR Manual.docx

bezzell (posted May 26, 2017):

Sarah W, is there any update on the new iteration of the Amnesia decrypt tool?

Fabian Wosar (posted May 26, 2017):

There isn't. I have been sick for the past week so it was put off until I got better. I have almost recovered though and will probably look into the new version on Sunday.

Fritz (posted May 28, 2017):

Hi all, Thanks again for all your help and effort. Attached the "guide.exe" file as well. Hope this will help. Many thanks,

Attachment: guide.zip

Daniel Ekeroth (posted May 30, 2017):

Our server was also struck over the weekend by this new version of Amnesia. Have tried the decryptor without success. Attaching sample of file recovered from backup and its encrypted version.

Any help you can provide on this is greatly appreciated as our company's software as a service is now completely still due to KLS Backup creating a corrupt archive (guess I only have myself to blame though for not checking the "Check archive on completion" flag.)

If you need more files I have about 200 000 of them ^^

Cheers!

Attachments:
3M000000000XKK5JstF+7IxMHTFnIUl2.amnesia
convert.DBF

Sarah W (posted May 30, 2017):

We just released a new decrypter for this variant, you can find it here.

Please make sure to secure RDP, install all Windows updates and make backups of files (disconnected from the system, hopefully). If you appreciate the work we do and need a security solution that can protect against ransomware; we have our own security software Emsisoft Anti-Malware.

Regards, Sarah W

Daniel Ekeroth (posted May 30, 2017):

2 hours ago, Sarah W said:
> We just released a new decrypter for this variant, you can find it here. Please make sure to secure RDP, install all Windows updates and make backups of files (disconnected from the system, hopefully). If you appreciate the work we do and need a security solution that can protect against ransomware; we have our own security software Emsisoft Anti-Malware. Regards, Sarah W

Thank you! I downloaded it and will test - turns out for the backup archives it worked by just renaming the extension to .zip again and do a repair in WinRAR - all good with getting things back in order!

Daniel Ekeroth (posted May 31, 2017):

Just wanted to report back and let you know that the new version of the decryptor is working fine - slow and steady process of recovering a few files that were lost in the backups.

Fritz (posted May 31, 2017):

Thank you Sarah W and your team. I have managed to decrypt some files successfully with the new decryptor. I'm going to decrypt some folders this weekend, but so far all seems to be working! I will be in contact next week with your security team @ Emsisoft for advice on purchasing and implementing your products for my corporate clients here in South Africa. Many thanks!

ITHell (posted June 3, 2017):

Hi, I have been hit with the Amnesia virus but the decryptor does not seem to work. I have used the online identifier and get the result:

This ransomware is decryptable!
Identified by custom_rule: Encrypted size marker [0x00 - 0x08] 0x0400100000000000
Click here for more information about Amnesia2

However when I use the amnesia2 tool it says it cannot find the key. It does not even try; the error comes back after 1 second. The email on my ransom note is [email protected] - not sure if it is a new version, the infection happened 3 days ago. I am trying to decrypt the files on another PC rather than the infected one. Don't know if that matters. Any help would be great. Thanks.

ITHell (posted June 4, 2017):

19 hours ago, ITHell said:
> Hi, I have been hit with the Amnesia virus but the decryptor does not seem to work. I have used the online identifier and get the result: This ransomware is decryptable! Identified by custom_rule: Encrypted size marker [0x00 - 0x08] 0x0400100000000000 Click here for more information about Amnesia2 However when I use the amnesia2 tool it says it cannot find the key. It does not even try; the error comes back after 1 second. The email on my ransom note is [email protected] - not sure if it is a new version, the infection happened 3 days ago. I am trying to decrypt the files on another PC rather than the infected one. Don't know if that matters. Any help would be great. Thanks.

The Amnesia2 decryption tool is working fine. I had version 0.41 that was not working, however the latest version 0.43 is working.

zee666 (posted June 5, 2017):

Amnesia2 decryption tool .43 keeps crashing. ID Ransomware identified it as Amnesia2. Have uploaded the originals after comparing file sizes, the encrypted file and ransom note. Please assist.

Z

Attachments:
bg000000000g5[email protected]decrypt_files2017
HOW TO RECOVER ENCRYPTED FILES.TXT
Counter Intelligence POS - Held Sales.mdf

DrJekyll_XYZ (posted June 5, 2017):

Hi All, We have been hit by ransomware. I do not have any original files to pair up with. The ransomware is detected as Amnesia2, however the program consistently crashes on me from 2 different machines. It infected a server and also targeted the backups on the NAS. I get a read access error flagged up on one machine and on the other the program just closes after 5 minutes without an error.

I'm at a loss. I'm going to take a copy of the server and the NAS and put them into a test environment. If anybody needs anything from me for this just let me know. Any assistance is greatly appreciated.

Attachments:
6g000000000wuHHXeap9yoTc8IInxXjM8IJj4+BrESY-LXTIhJTE+M.amnesia
HOW TO RECOVER ENCRYPTED FILES.TXT

Naad (posted June 5, 2017):

Hi All, We have been hit by ransomware. The ransomware is detected as Amnesia2 on id-ransomware. Tried the Amnesia2 decryptor but the program keeps crashing. Even tried to rename some files to have the .amnesia extension, however the program consistently crashes on me from 2 different machines. It infected a server and also the backups. Any assistance is greatly appreciated.

Attachments:
6g000[email protected]gmx.us
8M000000002nHwaw1k+bLX4aqw[email protected]gmx.us
HOW TO RECOVER ENCRYPTED FILES

Fritz (posted June 5, 2017):

Hi All, I had no problems with the "previous" version of decryptor. I was also infected with the amnesia2 ransomware and am busy decrypting files, thanks to Emsisoft team. Also remember decrypting is a long process. This is what I have done and hopefully it may help:

- Copied the encryption files on external hard drive.
- Copied the decryptor file on a "clean" pc on desktop.
- Right click on decryptor icon and under properties I checked the following "boxes": Run as administrator & Compatibility mode: Windows 7
- Closed all programs as decryptor will use 100% cpu resources.

Regards,

Fabian Wosar (posted June 5, 2017):

Published a new version (1.0.0.45) that should fix the crash. If it doesn't, please let me know.

Naad (posted June 5, 2017):

Works now with 1.0.0.45, thanks

Fabian Wosar (posted June 5, 2017):

Glad it is working now

ITHell (posted June 5, 2017):

26 minutes ago, Fabian Wosar said:
> Glad it is working now

I am using the latest amnesia2 tool to decrypt a lot of data (25k files). Probably 90-95% is doing fine but there are some files that the tool just skips past. It's like it does not recognize they are encrypted by the malware and cannot see them. If I put some of these files in a folder the program just comes up "finished". It seems to happen with different extensions too. I have seen it skip PDFs, JPEGs and XLS files. Would it be helpful for me to send some of these to you to help improve the tool? Thanks for your help.

Fabian Wosar (posted June 5, 2017):

Sure, feel free to submit one or two of those files.

Mark.Redhead (posted June 6, 2017):

We have been hit by the Amnesia virus. The email on the ransom note is [email protected]. I have tried using the de-encryption tool version 1.0.0.45. When I drag the 2 files over it immediately goes through to the Licence terms page; if I carry on through to try to decrypt, it just hangs on the first file it finds. I have tried various sets of files and get the same result. I would appreciate any help possible. I have also tried older versions of the decryptor but none work. Thanks

Mark.Redhead (posted June 6, 2017):

Ignore the above post, it's working. I was just being impatient. Thanks for your help

NiglKam (posted June 11, 2017):

Hello! A week ago our server was encrypted. We managed to decipher the majority of the files. However, another 400 files are still encrypted. An example of the encrypted and the original file is in the attached files. https://id-ransomware.malwarehunterteam.com recognizes it as Amnesia. However, Decrypter for Amnesia and Decrypter for Amnesia2 do not help. Please help to decrypt the files.

Attachments:
5w000000003Zo9ppJkzGhjVY0Rjnkvl-QZXiQ5u3c3MI+VF5kr04+0.[[email protected]]
6w000000001XOuXH1aFZCNEEfbv6Nmf0BBJkZd4dfLHTK0Yr+gJZ2g.[[email protected]]
БДР факт 2013.xlsx
Список участников.docx

TechSup11 (posted June 15, 2017):

ID-Ransomware identified this variant as Amnesia2. Ransom note also looks like Amnesia2. None of the files are registered as Amnesia2 by the Decrypter. Currently tested on 1.0.0.46.

Sample files and ransom note: https://www.sendspace.com/filegroup/F%2F8DiwJfaYUI6sQYeowRuy9ELSFy8hQf

Matching pair - https://www.sendspace.com/filegroup/%2FAdVpeaoBYWdGdbwHkf33g

Edited June 15, 2017 by TechSup11: Found a matching pair. Thought it might assist in recovery

Demonslay335 (posted June 15, 2017):

2 hours ago, TechSup11 said:
> ID-Ransomware identified this variant as Amnesia2. Ransom note also looks like Amnesia2. None of the files are registered as Amnesia2 by the Decrypter. Currently tested on 1.0.0.46. Sample files and ransom note: https://www.sendspace.com/filegroup/F%2F8DiwJfaYUI6sQYeowRuy9ELSFy8hQf Matching pair - https://www.sendspace.com/filegroup/%2FAdVpeaoBYWdGdbwHkf33g

I'm afraid the Amnesia2 identification is false-positive due to the email address. It does not match the hex pattern, and is thus not encrypted by Amnesia2 (or Amnesia1 or any other Globe variant).

The ransom note pattern is actually GlobeImposter 2.0, you can tell by the ID being hex with spaces. It is not decryptable.

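
Added example (not part of the thread, and not Emsisoft's or ID Ransomware's code): a read-only triage pass that sorts files by whether their first 8 bytes equal the value quoted in ITHell's ID Ransomware result, which is the kind of header check Demonslay335 refers to as "the hex pattern". It assumes the quoted hex string is the byte sequence in file order and that this one value is the only marker, which the thread does not confirm; the function names and the sample files are constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Value quoted on this page in the ID Ransomware result:
# "Encrypted size marker [0x00 - 0x08] 0x0400100000000000"
# Assumption: the hex digits are the file's first 8 bytes in file order.
MARKER = bytes.fromhex("0400100000000000")

def classify(path):
    """Return 'marker', 'no-marker' or 'too-short' for one file (read-only)."""
    with open(path, "rb") as fh:
        head = fh.read(len(MARKER))
    if len(head) < len(MARKER):
        return "too-short"
    return "marker" if head == MARKER else "no-marker"

def triage(root):
    """Walk root and map each file's relative path to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results

def demo():
    """Build three constructed sample files in a temp dir and triage them."""
    samples = {
        "a.amnesia": MARKER + b"\x11" * 32,         # constructed: header matches
        "b.amnesia": b"%PDF-1.4\n" + b"\x00" * 32,  # constructed: ordinary PDF header
        "c.amnesia": b"\x04\x00",                   # constructed: truncated file
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root)

if __name__ == "__main__":
    report = demo()
    for path, verdict in sorted(report.items()):
        print(f"{verdict:10} {path}")
    print(dict(Counter(report.values())))
```

Files reported as "no-marker" are the ones worth setting aside and submitting as samples, as in the skipped-file and misidentification cases above; a mismatch against this single value does not by itself say which family encrypted the file.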