Jeff

Amnesia/Amnesia 2


Good afternoon,

I have an older server that was infected with what, to my best ID, is Amnesia2.  I was able to use ID Ransomware to point to Amnesia2 from the "note" and an encrypted file.  And from there I saw the links to this site. 

The machine is running Windows Server 2003, and I was not able to run EEK on it, but I was able to run Farbar Recovery Scan Tool on it (and have attached the logs if this can be of help).

The machine is the only one infected and I have closed the RDP port (requested by a software vendor for maintenance) which I believe was how the machine was infected.

While I have used other tools to clean malware from other computers, this is my first time dealing with ransomware, and I was hoping for some advice/pointers from those more experienced with this particular beast.

Thank you for any advice/assistance you can provide.


Jeff

Attachments: Addition.txt, FRST.txt

4 hours ago, Jeff said:

The machine is the only one infected and I have closed the RDP port (requested by a software vendor for maintenance) which I believe was how the machine was infected.

That's generally how the Amnesia ransomware gets on a computer. Someone brute forces the administrator password via RDP (or abuses some other form of remote access), gains access to the system, manually disables any installed security software, and then manually copies the ransomware to the computer and executes it.

4 hours ago, Jeff said:

The machine is running Windows Server 2003, and I was not able to run EEK on it, but I was able to run Farbar Recovery Scan Tool on it (and have attached the logs if this can be of help).

Our products don't run on Windows Server 2003. Microsoft discontinued support for it a few years ago, and we don't recommend using it.

As for the FRST log, there were issues accessing running processes. This usually happens when FRST was run without administrator rights, although that doesn't appear to be the case here, so it's possible that some sort of security software was responsible for that (or perhaps FRST just doesn't work well on Server 2003). There are no signs of an active infection in the logs. However, there are odd things in the log (lots of registered drivers without files) that normally I would remove; due to the age of the OS and some of the errors I am seeing in the log, I am not certain that it would be a good idea to do that (the odd things in the log could simply be due to errors when accessing information).

Normally ransomware deletes itself when it is done encrypting files and leaving its ransom messages all over the place. Sometimes samples of Amnesia/Amnesia2 can be recovered from infected systems; however, even if files are left behind, the ransomware doesn't remain configured to run on startup, so there's usually minimal threat of it happening again unless you manually execute the ransomware yourself (or unless the attacker manages to gain access to the system again).

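The intrusion pattern the reply describes (a burst of failed RDP logons followed by a successful one from the same source) is what a defender would want to spot in the Security log. The following is an added example, not code from the thread or from Emsisoft: it parses constructed, simplified log records using the Vista-and-later event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive/RDP), and flags a success preceded by five or more failures within ten minutes. The record layout, threshold and window are assumptions; Server 2003 itself logs older event IDs, so the mapping would need adjusting there.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, one per line, reduced to the
# fields that matter here: timestamp, event ID (4625 = failed logon, 4624 = successful
# logon), logon type (10 = RemoteInteractive/RDP), account name, source IP.
SAMPLE_LOG = """\
2019-03-01T02:10:03 4625 10 Administrator 203.0.113.45
2019-03-01T02:10:05 4625 10 Administrator 203.0.113.45
2019-03-01T02:10:07 4625 10 admin 203.0.113.45
2019-03-01T02:10:09 4625 10 Administrator 203.0.113.45
2019-03-01T02:10:11 4625 10 Administrator 203.0.113.45
2019-03-01T02:10:14 4624 10 Administrator 203.0.113.45
2019-03-01T09:00:00 4625 10 jeff 192.0.2.7
2019-03-01T09:00:30 4624 10 jeff 192.0.2.7
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S+) (\S+)$")

def parse(log_text):
    """Parse the simplified records into (timestamp, event_id, logon_type, account, ip)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, eid, ltype, account, ip = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), account, ip))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, success_time, failure_count) for every RDP logon
    that succeeded after at least `threshold` failures from the same source within `window`."""
    failures = defaultdict(list)  # source ip -> timestamps of failed RDP logons
    findings = []
    for ts, eid, ltype, account, ip in sorted(events):
        if ltype != 10:
            continue  # only RDP (RemoteInteractive) logons are of interest here
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append((ip, account, ts, len(recent)))
            failures[ip].clear()  # a success ends the current guessing burst
    return findings
```

A single typo followed by a correct password (the second source in the sample) stays below the threshold and is not reported.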
