Jump to content

Infected with Amnesia2 Ransomware, and decrypt tool will not load

HowardM
 Share Followers 0

Recommended Posts

HowardM

HowardM 0

Posted
Posted

I have gone to id-ransomware.malwarehunterteam.com and identified that the computer (a Windows Server 2003 Small Business Server) is infected with the Amnesia2 Ransomware.

I have downloaded your Amnesia2 decryption tool; however, when I double click the executable ... the license terms window briefly flashes on the screen, the computer beeps, and the license terms screen is gone and there is nothing for me to click on or do.  I have tried this several times with the same results.  Including, I have rebooted the server and tried it, with the same results.

Please help me get your decryption tool to work on this machine.

 

Thank you,
Howard

Link to post
Share on other sites
Fabian Wosar

Fabian Wosar 390

Posted
Posted

Your system is probably still infected by malware. Some ransomware families added some "anti-decrypter" functionality and try to kill our decrypters in a futile attempt to prevent their victims from getting back their files. I suggest to follow the steps outlined here:

https://support.emsisoft.com/announcement/2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

EEK will not run on Windows 2003. So you can skip that step. After the system was cleaned from the infections, the decrypter should work as expected.

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

I did check the thread you linked, and read it several times before replying the last time.  The first step of the Let's get started" was to run the EEK tool; so I wasn't sure, since that was the first step, if it meant I should or could continue on to the next 2 steps.  I am assuming by your reply that you want me to run the other tool and upload the log files to this thread.

Thank you for your help,
Howard.

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

Fabian,

After my most recent post (uploading the log files from the FRST), I noticed your post about creating a new thread.  I'm not sure I understand why you want me to create a new thread? ... The problem I am having is decrypting the ransomware.

Link to post
Share on other sites
Fabian Wosar

Fabian Wosar 390

Posted
Posted

I don't deal with malware removal. We have a dedicated team for that. The reason why those are treated in a different section of a forum is that for privacy reasons we apply stronger restrictions when it comes to downloading files there. These logs can contain a lot of private information, so having them in less restricted areas of the forum is a bad idea.

In either case, I have split out your logs into a dedicated thread so one of the malware removal guys can take care of it. You can find the topic here:

 

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

Hi Fabian,

I went through several steps as per Sarah's instructions, and the Amnesia2 decrypter program goes further and gets to the main screen, but still closes and will not run.  It's been over an hour since her last reply.  Can I expect to hear from someone soon?

Thank you,
Howard.

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

Hi Fabian,

Thank you for the update.  I am very appreciative for all the help, and do completely understand.  I just wasn't sure what happened, because Sarah and I were messaging back and forth (minutes apart) and then I didn't hear back.  I am of course anxious to get this issue resolved, but again I am so appreciative for yours and Sarah's help, and hopeful that your Amnesia2 decrypter will run successfully, once we can get passed whatever is stopping it from running.

Thank you again,
Howard.

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

Hi Fabian,

Thanks again for your help the other day, and remotely logging into the server via TeamViewer.  As per your suggestion, I did run the Decrypter from one of the workstations.

The Amnesia2 Decrypter has been running for several days (and is still running).  On a happy note, several of the critical data files in the company's main program have successfully been decrypted.  There is a specific data file, called PO.dat, that was either some how skipped or was unsuccessful.  I have tried to copy the "PO.dat.amnesia" file to another directory and run the decrypter from another workstation on the network, and the following happens:  I am able to open the decrypter program on the workstation, select the new folder with just that file in it, and when I click "Decrypt" on the Amnesia2 Decrypter program it almost immediately comes back "Finished!" in the results window without anything else being displayed (no file names or anything else) in the log.  And then when I go to that folder, the file name is still "PO.dat.amnesia" with no new file.

Any suggestions or ideas of why it appears that the decrypter is not evening trying to decrypt this file (PO.DAT.amnesia)?  ... I should also mention that as a test, I also copied a file (HISTORY.DAT.amnesia) that had already successfully been decrypted, into the same new directory and ran the decrypter from this same workstation on that same folder ... and the decrypter showed that it was working on decrypting the "HISTORY.DAT" file in the results screen.

Regards,
Howard.

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

Hi Fabian,

I'm just following up on my previous post, realizing it was over the weekend.  I'm just hoping to get some guidance some time Monday morning.  As mentioned in my previous post, the PO.DAT file (currently PO.DAT.amnesia), is one of the last critical data files we are hoping to get decrypted.  By the way, The Amnesia2 decrypter is still running, so my client is still partially down (been down since the the ransomware attach on 6/28/17).  I was able to get them partially back up and running at the end of this past week with some of the data already decrypted; however, this PO.DAT file is critical to their business operation at the moment.  Really hoping to get your (your company's) assistance with this particular file.

We are so grateful for all your help already, and thank you again for looking into what we hope to be the last piece to assisting us in getting the system back to a state in which we can then continue on the road to getting back to full functionality.

Thank you,
Howard.

 

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

Hi Fabian,

The file PO.DAT, that we are trying to decrypt, holds purchase order data as you might assume by the name (PO.DAT).  It is one of many data files for an old version (ver 6.51c) of a Point of Sale software called Retail Pro.  I believe that this old version of the actual Retail Pro program was written in Turbo Pascal.

I'm not sure if this will also help you at all, but there is also an "Archived Purchase Order" file that Retail Pro has, which did successfully decrypt.  For your reference I have attached both the encrypted version of the archived PO file (POA.DAT.amnesia) and the decrypted version of the file (POA.DAT).

Regards,
Howard.

POA.DAT

POA.DAT.amnesia

Link to post
Share on other sites
HowardM

HowardM 0

Posted
  • Author
Posted

Hi Fabian,

You were 100% right ... I renamed the PO.DAT.amnesia file to PO.DAT and it worked perfectly in the program.

Can't thank you enough for all your help.  You and your company have been incredible through out this entire process.  I will be recommending the Emsisoft company to all my IT Associates and clients!

Regards,
Howard.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 0
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 01/28/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...