inerc

Amnesia2 doesn't decrypt every file


Hello,

Thanks for the Amnesia decrypter, but I was affected by some version of the Amnesia ransomware where it doesn't work correctly. Some files were decrypted fine, but some take much more time to decrypt and finish with a "no key found" error.

Output from https://id-ransomware.malwarehunterteam.com/

Amnesia2
This ransomware is decryptable!
Identified by

custom_rule: Encrypted size marker [0x00 - 0x08] 0x1E00000000000000
Click here for more information about Amnesia2

The note and a sample encrypted file which I can't decrypt are in the attachment.

HOW TO RECOVER ENCRYPTED FILES.TXT

readme.txt.amnesia


Text files don't have an inherent format that we can use to verify that a file was decrypted properly. Therefore, the decrypter can't decrypt them. The decrypter can only decrypt files that have fixed headers that can be used to verify that it found the correct key.


Ah, so I understand. But there are also binary files that couldn't be decrypted, some avi, mp4 and jpg files for example. Does that mean the decrypter can recognize the type of file? Where does it know this type from: does it have a header database, or does it go by the file extension?


From a few kbytes to 2 GB, so I think it doesn't depend on size. I've analysed this and the result is that probably 13% of the encrypted files couldn't be decrypted.


I also had this idea, but it seems to be too many files: 150 files out of 700 are not decryptable. How does the Amnesia decrypter know which header belongs to the file being decrypted, to compare with?


The headers are part of the file. Most files have data at the beginning of the file (which is called a "header") that describes what type of file it is, and the decrypter uses this data to validate that the file was decrypted properly. Any file that doesn't have this data (such as plain text files) will cause an error, as the decrypter won't be able to validate that it was able to decrypt the file.


I'd have to ask to be certain, however I think it just checks the header format to make sure it's valid.

Edited by GT500


I've been told that we do have our own database of file headers for verification. The decrypter will fail to decrypt files that are not in that database, and it will fail to decrypt files if the file extension does not match what is expected for the file header.

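To make the two answers above concrete (header validation, and the extension having to match the header), here is an added illustration of how such a key search verifies its output. It is not Emsisoft's decrypter code; the signature table is a small constructed subset of well-known magic values, and the single-byte XOR "cipher" is only a stand-in so the search loop runs, not the cipher the ransomware uses.

```python
"""Header-based validation of candidate decryptions.

Added example; not the Emsisoft decrypter's code. The signature table and
sample files are constructed, and toy_decrypt() is a placeholder cipher.
"""
from typing import Optional, Tuple

# Constructed signature database: extension -> list of (offset, expected bytes).
# A real decrypter keeps a much larger table; these are standard magic values.
SIGNATURES = {
    "jpg": [(0, b"\xFF\xD8\xFF")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "pdf": [(0, b"%PDF-")],
    "avi": [(0, b"RIFF"), (8, b"AVI ")],
    "mp4": [(4, b"ftyp")],
}


def normalize_ext(extension: str) -> str:
    """'.JPG' -> 'jpg' so lookups are case- and dot-insensitive."""
    return extension.lower().lstrip(".")


def validate_header(data: bytes, extension: str) -> str:
    """Return 'ok', 'unknown-type' or 'mismatch'.

    'unknown-type': the extension has no entry, so there is no fixed header
    to check against. This is the plain-text (.txt) case from the thread.
    'mismatch': the bytes at the expected offsets are not the magic value,
    which is what a wrong key, or a wrong extension, looks like.
    """
    sigs = SIGNATURES.get(normalize_ext(extension))
    if sigs is None:
        return "unknown-type"
    for offset, magic in sigs:
        if data[offset:offset + len(magic)] != magic:
            return "mismatch"
    return "ok"


def toy_decrypt(ciphertext: bytes, key: int) -> bytes:
    """Stand-in cipher: XOR every byte with a one-byte key (constructed,
    chosen only so the search space is small enough to exhaust)."""
    return bytes(b ^ key for b in ciphertext)


def find_key(ciphertext: bytes, extension: str) -> Tuple[Optional[int], str]:
    """Try every candidate key and accept the first whose output carries the
    header expected for `extension`.

    Returns (key, status). With no signature for the extension the search
    has no way to tell a right key from a wrong one, so it gives up at once
    rather than reporting a spurious hit.
    """
    if normalize_ext(extension) not in SIGNATURES:
        return None, "unknown-type"
    for key in range(256):
        if validate_header(toy_decrypt(ciphertext, key), extension) == "ok":
            return key, "ok"
    return None, "no-key-found"


if __name__ == "__main__":
    # Constructed sample plaintexts, encrypted with the toy cipher.
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"
    avi = b"RIFF\x00\x00\x00\x00AVI LIST"
    text = b"hello world\n"
    print("jpg as .jpg:", find_key(toy_decrypt(jpeg, 0x5A), "jpg"))
    print("avi as .avi:", find_key(toy_decrypt(avi, 0x13), "avi"))
    # Same JPEG bytes but the file was renamed .png: header never matches.
    print("jpg as .png:", find_key(toy_decrypt(jpeg, 0x5A), "png"))
    # Plain text: nothing to verify against, so no key can be confirmed.
    print("txt:", find_key(toy_decrypt(text, 0x5A), "txt"))
```

Run as a script it prints the four outcomes: the correctly named JPEG and AVI recover their keys, the JPEG renamed to .png ends in "no-key-found" because the expected PNG magic is never produced, and the text file is reported as "unknown-type" because the search has nothing to verify against.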

Do you have any unencrypted copies of the DB files that we could compare with, to see if they are decrypted properly?

