3AVIT

Amnesia-Scarab Ransomware Infection - All Decryption Attempts Have Failed So Far


Hello - 

I have a machine that I am in some serious need of help with. A cryptovirus identifying itself as Amnesia has encrypted most filetypes on the machine and a backup drive that was left attached to the machine.

The decrypt_Amnesia2 tool was run against the machine and the backup drive first - with no effect.

I have run the decrypt_Amnesia tool against probably about ten different identical files (ranging in file size from 1KB to 80KB) - also with no effect.

As per the requirements for assistance in the forum, I have run and attached the EmsisoftEmergencyKit and the FRST64 logs.

I have also run the VirusTotal scan against an encrypted file hoping it would yield some identification - but it did not. I am unable to find the guide.exe file anywhere on the machine - so I am really not sure what exe was called in order to encrypt all the files - much less to scan it with VirusTotal. (Results are still attached)

ID Ransomware (uploading both the ransom note and an encrypted file) identified the ransomware as 'Scarab'; however, the file extensions are all .amnesia. (Results still attached)

Any help that you guys can provide would be greatly appreciated.  I can certainly send some of the encrypted and unencrypted duplicates if it helps; however, I did not want to just attach them to this post unless instructed to do so.

Thank you all very much for being willing to lend a hand to all of us that are struggling.

--- T

Addition.txt

FRST.txt

scan_180412-112754.txt

IDRansomwareResults.txt

VirusTotalScan.txt


After researching a little more about the relationship between Amnesia and Scarab, I now realize that people were posting on this forum starting around February of this year with (probably) the exact flavor of Scarab-Amnesia that I am dealing with.  I also see that, currently, there is no known utility to decrypt the files.  *HeadHitsKeyboard*

A backup of all the encrypted files has now been made. The shadow files were deleted - I will be working on trying to see if I can recover any of them in case they were not deleted securely.

Please chime in if there are any further suggestions and/or new bits of information regarding this nasty little creature.

Thanks again.

--- T

10 hours ago, 3AVIT said:

Please chime in if there are any further suggestions and/or new bits of information regarding this nasty little creature.

I haven't heard anything new about it thus far. The encryption method still seems to be secure, and no one has (to my knowledge) come up with a way to recover files without getting the private key from the criminals who made the ransomware.

If you want to keep an eye out for news about this ransomware, then BleepingComputer will usually report on new decryption tools and new ransomware:
https://www.bleepingcomputer.com/
