VBGeek2000 Posted June 20, 2017

Hi all,

My computer was hit with a ransomware that was identified by id-ransomware as Amnesia2 but neither decrypter is working 100%. The Amnesia decrypter did not find a decryption key (tried it just in case). The Amnesia 2 decrypter works occasionally, but not for the files I am trying to decrypt and restore - of course! I figured I would check and see if anyone else has run into this variant and can point me in the right direction.

The file extension for the encrypted files is .frogo

Here is the ransom note:

==============================================================FROGO_RANSOMWARE===================================================================
YOUR FILES ENCRYPTED!
Your personal id
Your documents, photos, databases, save games and other important data were encrypted.
Data recovery requires a decryptor.
To receive the decryptor, you should send an email to the email address [email protected]
In the letter, enter your personal ID (See at the beginning of this document).
If I can not connect through the mail, I can not
* Register on the site http://bitmsg.me (Online sending service Bitmessage)
* Write an email to BM-2cVYzZcdhqApxNtp9te4N5jKHraYAmG7vv With your e-mail and Personal id
Next, you pay the cost of the decryptor.In the reply letter you will receive the address Bitcoin-Wallet, To which it is necessary to transfer money in the amount of 1 bitcoin.
If you do not have bitocoins
* Create a wallet Bitcoin: https://blockchain.info/ru/wallet/new
* Get Crypto Currency Bitcoin: https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard)
https://en.bitcoin.it/wiki/Bitcoin (What is bitcoin)
* Send 1 BTC To the wallet 1HyasSC2VifTZo7YkUNn33udnWXw3Ffq7T
When the money transfer is confirmed, you will receive a file decryption for your computer.
After starting the decryption program all your files will be restored.
Attention!
* Do not try to uninstall the program or run antivirus software
* Attempts to self-decrypt the files will lead to the loss of your data
* Decoders of other users are incompatible with your data, since each user Unique encryption key
====================================================================================================

VBGeek2000 Posted June 20, 2017

It seems like the images and PDFs decrypt ok, but my SQL and C# code files are not being decrypted. I am restoring most from backups, but just trying to get those changes I made in the past few days captured as well if possible. I was originally thinking the small file size was the reason why they were not decrypting, but I successfully decrypted a few 1 and 2KB image files without any issues.

AAA - What is eating up SQL.sql.frogo

Fabian Wosar Posted June 20, 2017

Text-based formats lack unique identifiers within their first 16 bytes to uniquely identify them as such. Therefore, the decrypter can't process them properly without file name encryption being present.

VBGeek2000 Posted June 20, 2017

Thank you for the information, Fabian. Do you have any pointers how we can decrypt those? Is there any source code we could use to do the brute force and look for specific keywords in the decrypted text? i.e. SELECT, INSERT, or UPDATE for SQL files and a few keywords for the cs files? Unfortunately our "good stuff" is mostly in text-based files.

Thanks again for your response!

Fabian Wosar Posted June 20, 2017

I will see if I can do something for you tomorrow. For Unicode text files (C#) I may be able to identify the BOM.

VBGeek2000 Posted June 21, 2017

Hi Fabian, I'm thinking most of the SQL files should contain either /* or -- in the first 16 bytes. Good chance SELECT would be in there too if that helps you any. The C# files I've seen start with using, namespace, or //.

Thanks!

Edited June 21, 2017 by VBGeek2000: Added c# pieces

Fabian Wosar Posted June 23, 2017

I released a new version of the decrypter. It now checks for the presence of BOM as well as whether or not the first 28 bytes are all <= 127 in an attempt to detect text-based formats.

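Added example, not part of the thread and not the Emsisoft decrypter's code: a sketch of the plaintext check described in the June 23 post (file signature, then BOM, then "first 28 bytes all <= 127") used to decide whether a candidate key produced a sensible file header. The XOR routine is a stand-in cipher chosen only so the demo runs; the function names, the sample SQL header and the keys are constructed for illustration.

```python
import codecs
from itertools import cycle

# Well-known file signatures; binary formats identify themselves up front.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf"}
BOMS = {codecs.BOM_UTF8: "utf-8", codecs.BOM_UTF16_LE: "utf-16-le",
        codecs.BOM_UTF16_BE: "utf-16-be"}
TEXT_WINDOW = 28  # window size taken from the post above


def classify_header(header: bytes):
    """Return a format label if the decrypted header looks valid, else None."""
    for magic, name in MAGIC.items():
        if header.startswith(magic):
            return name
    for bom, encoding in BOMS.items():
        if header.startswith(bom):
            return "text/" + encoding
    window = header[:TEXT_WINDOW]
    # Assumption of this sketch: files shorter than the window are not accepted.
    if len(window) == TEXT_WINDOW and all(b <= 127 for b in window):
        return "text/ascii"
    return None


def toy_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher for the demo only; NOT the ransomware's algorithm."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def find_key(cipher_header: bytes, candidates):
    """Return (key, label) for the first candidate yielding a plausible header."""
    for key in candidates:
        label = classify_header(toy_xor(cipher_header, key))
        if label:
            return key, label
    return None, None


def random_pass_rate(window: int = TEXT_WINDOW) -> float:
    """Chance that uniformly random bytes pass the all-bytes-<=127 test."""
    return 0.5 ** window


# Constructed sample: the start of a SQL script, "encrypted" with a made-up key.
SQL_HEADER = b"-- nightly sales rollup\nSELECT id FROM orders;"
REAL_KEY = bytes.fromhex("9a3cf107")
CANDIDATES = [bytes(4), bytes.fromhex("1a3cf107"), REAL_KEY]

if __name__ == "__main__":
    print(find_key(toy_xor(SQL_HEADER, REAL_KEY), CANDIDATES))
    print(f"random data passes the ASCII test with p = {random_pass_rate():.1e}")
```

A wrong key leaves the header looking like random bytes, so the ASCII test alone accepts it with probability 2^-28; that is what makes a 28-byte window a usable substitute for a file signature on plain-text SQL or C# files.
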
VBGeek2000 Posted June 26, 2017

Good morning Fabian. The new version seems to be working great for decrypting the text-based files in addition to the other files. Thanks so much for your patience and help getting these last few files decrypted!

hooky Posted July 5, 2017

Please help. decrypt_Amnesia2.exe is not working.

Status: Couldn't find the correct key.

Documents:
3M000000003Xo9sx3r4+gMZhsMQJcuHL.frogo
4M0000000011R-r45AITVKnVecdoZTpCAH1iL2pkOzhYamKWqyAM6M.frogo
5g000000001CmozAWZmSkNf1aELODpr3DY0-+-D26YPcXBAHJ0Ntjw.frogo