HowardM

Infected with Amnesia2 Ransomware, and decrypt tool will not load

By HowardM, in Ransomware First Aid

Recommended Posts

HowardM    0

HowardM
Posted

I have gone to id-ransomware.malwarehunterteam.com and identified that the computer (a Windows Server 2003 Small Business Server) is infected with the Amnesia2 Ransomware.

I have downloaded your Amnesia2 decryption tool; however, when I double click the executable ... the license terms window briefly flashes on the screen, the computer beeps, and the license terms screen is gone and there is nothing for me to click on or do.  I have tried this several times with the same results.  Including, I have rebooted the server and tried it, with the same results.

Please help me get your decryption tool to work on this machine.

 

Thank you,
Howard

Share this post

Link to post
Share on other sites

Fabian Wosar    387

Fabian Wosar
Posted

Your system is probably still infected by malware. Some ransomware families added some "anti-decrypter" functionality and try to kill our decrypters in a futile attempt to prevent their victims from getting back their files. I suggest to follow the steps outlined here:

https://support.emsisoft.com/announcement/2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

EEK will not run on Windows 2003. So you can skip that step. After the system was cleaned from the infections, the decrypter should work as expected.

Share this post

Link to post
Share on other sites

Fabian Wosar    387

Fabian Wosar
Posted

Then you didn't check the thread I linked. The "Let's get started:" bit being the most important one. It consists of three major steps, two of which you can still do even with EEK not working on Windows 2003.

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    I did check the thread you linked, and read it several times before replying the last time.  The first step of the Let's get started" was to run the EEK tool; so I wasn't sure, since that was the first step, if it meant I should or could continue on to the next 2 steps.  I am assuming by your reply that you want me to run the other tool and upload the log files to this thread.

    Thank you for your help,
    Howard.

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Fabian,

    After my most recent post (uploading the log files from the FRST), I noticed your post about creating a new thread.  I'm not sure I understand why you want me to create a new thread? ... The problem I am having is decrypting the ransomware.

    Share this post

    Link to post
    Share on other sites

    Fabian Wosar    387

    Fabian Wosar
    Posted

    I don't deal with malware removal. We have a dedicated team for that. The reason why those are treated in a different section of a forum is that for privacy reasons we apply stronger restrictions when it comes to downloading files there. These logs can contain a lot of private information, so having them in less restricted areas of the forum is a bad idea.

    In either case, I have split out your logs into a dedicated thread so one of the malware removal guys can take care of it. You can find the topic here:

     

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Hi Fabian,

    I went through several steps as per Sarah's instructions, and the Amnesia2 decrypter program goes further and gets to the main screen, but still closes and will not run.  It's been over an hour since her last reply.  Can I expect to hear from someone soon?

    Thank you,
    Howard.

    Share this post

    Link to post
    Share on other sites

    Fabian Wosar    387

    Fabian Wosar
    Posted

    Yes. Please understand that it is weekend and that people may be living in different timezones than you. It is dinner time in most European countries. In general, we try to answer within 24 hours.

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Hi Fabian,

    Thank you for the update.  I am very appreciative for all the help, and do completely understand.  I just wasn't sure what happened, because Sarah and I were messaging back and forth (minutes apart) and then I didn't hear back.  I am of course anxious to get this issue resolved, but again I am so appreciative for yours and Sarah's help, and hopeful that your Amnesia2 decrypter will run successfully, once we can get passed whatever is stopping it from running.

    Thank you again,
    Howard.

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Hi Fabian,

    Thanks again for your help the other day, and remotely logging into the server via TeamViewer.  As per your suggestion, I did run the Decrypter from one of the workstations.

    The Amnesia2 Decrypter has been running for several days (and is still running).  On a happy note, several of the critical data files in the company's main program have successfully been decrypted.  There is a specific data file, called PO.dat, that was either some how skipped or was unsuccessful.  I have tried to copy the "PO.dat.amnesia" file to another directory and run the decrypter from another workstation on the network, and the following happens:  I am able to open the decrypter program on the workstation, select the new folder with just that file in it, and when I click "Decrypt" on the Amnesia2 Decrypter program it almost immediately comes back "Finished!" in the results window without anything else being displayed (no file names or anything else) in the log.  And then when I go to that folder, the file name is still "PO.dat.amnesia" with no new file.

    Any suggestions or ideas of why it appears that the decrypter is not evening trying to decrypt this file (PO.DAT.amnesia)?  ... I should also mention that as a test, I also copied a file (HISTORY.DAT.amnesia) that had already successfully been decrypted, into the same new directory and ran the decrypter from this same workstation on that same folder ... and the decrypter showed that it was working on decrypting the "HISTORY.DAT" file in the results screen.

    Regards,
    Howard.

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Hi Fabian,

    I'm just following up on my previous post, realizing it was over the weekend.  I'm just hoping to get some guidance some time Monday morning.  As mentioned in my previous post, the PO.DAT file (currently PO.DAT.amnesia), is one of the last critical data files we are hoping to get decrypted.  By the way, The Amnesia2 decrypter is still running, so my client is still partially down (been down since the the ransomware attach on 6/28/17).  I was able to get them partially back up and running at the end of this past week with some of the data already decrypted; however, this PO.DAT file is critical to their business operation at the moment.  Really hoping to get your (your company's) assistance with this particular file.

    We are so grateful for all your help already, and thank you again for looking into what we hope to be the last piece to assisting us in getting the system back to a state in which we can then continue on the road to getting back to full functionality.

    Thank you,
    Howard.

     

    Share this post

    Link to post
    Share on other sites

    Fabian Wosar    387

    Fabian Wosar
    Posted

    Can you get me an unencrypted file (can be empty) of the same format or can you tell me which application created it so I can look up format specifications to see if I can teach the decrypter to recognise said format?

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Hi Fabian,

    The file PO.DAT, that we are trying to decrypt, holds purchase order data as you might assume by the name (PO.DAT).  It is one of many data files for an old version (ver 6.51c) of a Point of Sale software called Retail Pro.  I believe that this old version of the actual Retail Pro program was written in Turbo Pascal.

    I'm not sure if this will also help you at all, but there is also an "Archived Purchase Order" file that Retail Pro has, which did successfully decrypt.  For your reference I have attached both the encrypted version of the archived PO file (POA.DAT.amnesia) and the decrypted version of the file (POA.DAT).

    Regards,
    Howard.

    POA.DAT

    POA.DAT.amnesia

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Hi Fabian,

    Just saw your post right after I sent you my last post.

    Thank you ... I will try to put the file in the program (after renaming it) and see if it is readable/usable ... Thank you again!

    Regards
    Howard.

    Share this post

    Link to post
    Share on other sites

    HowardM    0

    HowardM
    Posted

    Hi Fabian,

    You were 100% right ... I renamed the PO.DAT.amnesia file to PO.DAT and it worked perfectly in the program.

    Can't thank you enough for all your help.  You and your company have been incredible through out this entire process.  I will be recommending the Emsisoft company to all my IT Associates and clients!

    Regards,
    Howard.

    Share this post

    Link to post
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×
    Go To Topic Listing

    • Recently Browsing   0 members

      No registered users viewing this page.