New variant of Amnesia?

Hi all,

My computer was hit with a ransomware that was identified by id-ransomware as Amnesia2 but neither decrypter is working 100%.  The Amnesia decrypter did not find a decryption key (tried it just in case).  The Amnesia 2 decrypter works occasionally, but not for the files I am trying to decrypt and restore - of course!  I figured I would check and see if anyone else has run into this variant and can point me in the right direction.  

The file extension for the encrypted files is .frogo

Here is the ransom note:

Your personal id

Your documents, photos, databases, save games and other important data were encrypted.
Data recovery requires a decryptor.

To receive the decryptor, you should send an email to the email address [email protected]
In the letter, enter your personal ID (See at the beginning of this document).

If I can not connect through the mail, I can not
 * Register on the site http://bitmsg.me (Online sending service Bitmessage)
 * Write an email to BM-2cVYzZcdhqApxNtp9te4N5jKHraYAmG7vv With your e-mail and
Personal id

Next, you pay the cost of the decryptor.In the reply letter you will receive the address
Bitcoin-Wallet, To which it is necessary to transfer money in the amount of
1 bitcoin.

If you do not have bitocoins 
 * Create a wallet Bitcoin: https://blockchain.info/ru/wallet/new
 * Get Crypto Currency Bitcoin:
  https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard)
  https://en.bitcoin.it/wiki/Bitcoin (What is bitcoin)
 * Send 1 BTC To the wallet 1HyasSC2VifTZo7YkUNn33udnWXw3Ffq7T

When the money transfer is confirmed, you will receive a file decryption for your computer.
After starting the decryption program all your files will be restored.

 * Do not try to uninstall the program or run antivirus software
 * Attempts to self-decrypt the files will lead to the loss of your data
 * Decoders of other users are incompatible with your data, since each user
Unique encryption key

It seems like the images and PDFs decrypt ok, but my SQL and C# code files are not being decrypted.  I am restoring most from backups, but just trying to get those changes I made in the past few days captured as well if possible.  I was originally thinking the small file size was the reason why they were not decrypting, but I successfully decrypted a few 1 and 2KB image files without any issues.  

AAA - What is eating up SQL.sql.frogo

Thank you for the information, Fabian.  Do you have any pointers how we can decrypt those?  Is there any source code we could use to do the brute force and look for specific keywords in the decrypted text?  i.e. SELECT, INSERT, or UPDATE for SQL files and a few keywords for the cs files?  Unfortunately our "good stuff" is mostly in text-based files.  Thanks again for your response!

Hi Fabian, I'm thinking most of the SQL files should contain either /* or -- in the first 16 bytes.  Good chance SELECT would be in there too if that helps you any.  The C# files I've seen start with using, namespace, or //.


Edited by VBGeek2000
Added c# pieces
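
The plaintext check proposed in the posts above, as an added example that is not part of the original thread and not code from either decrypter: it tests whether the first bytes of a decryption attempt look like the start of a SQL or C# file, using the tokens named in the thread. The function names, the byte-order-mark handling (which goes beyond what the thread mentions) and the sample blocks are assumptions constructed for illustration.

```python
import codecs

# Leading tokens named in the thread for SQL and C# files.
TOKENS = {
    "sql": ("/*", "--", "select", "insert", "update"),
    "cs": ("using", "namespace", "//"),
}
# Assumption (not from the thread): editors may prepend a byte-order mark,
# which occupies part of the first 16 bytes and changes the expected prefix.
BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)

def decode_head(block: bytes) -> str:
    """Decode the start of a candidate plaintext, honouring a BOM if present."""
    enc = "utf-8"
    for bom, bom_enc in BOMS:
        if block.startswith(bom):
            block, enc = block[len(bom):], bom_enc
            break
    # final=False buffers a character cut off at the block edge instead of
    # flagging it; bytes that are invalid anywhere else become U+FFFD.
    return codecs.getincrementaldecoder(enc)(errors="replace").decode(block, False)

def prefix_match(head: str, token: str) -> bool:
    """Compare over the shared length so a token truncated by the block still counts."""
    n = min(len(head), len(token))
    return n >= 2 and head[:n] == token[:n]

def looks_like_source(block: bytes, kind: str) -> bool:
    """True if the first bytes of a decryption attempt plausibly start a SQL/C# file."""
    text = decode_head(block)
    # A wrong key gives near-random bytes: reject undecodable or control characters.
    if any(c == "\ufffd" or (ord(c) < 32 and c not in "\t\r\n") for c in text):
        return False
    head = text.lstrip().lower()
    return any(prefix_match(head, tok) for tok in TOKENS[kind])

if __name__ == "__main__":
    # Constructed 16-byte sample blocks, not data from the affected machine.
    samples = {
        "sql, ASCII": (b"-- What is eatin", "sql"),
        "cs, UTF-8 BOM": (codecs.BOM_UTF8 + b"using System;", "cs"),
        "cs, UTF-16 LE": ((codecs.BOM_UTF16_LE + "namespace App".encode("utf-16-le"))[:16], "cs"),
        "wrong key": (bytes.fromhex("9f3c07e1b2458a6d10f7c4295be8033a"), "sql"),
    }
    for name, (block, kind) in samples.items():
        print(f"{name:14} -> {looks_like_source(block, kind)}")
```

Two-character tokens such as `--` are weak evidence on their own; confirm a hit by decrypting more of the file and checking that it stays readable text.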
