3AVIT

Amnesia-Scarab Ransomware Infection - All Decryption Attempts Have Failed So Far


Hello - 

I have a machine that I am in serious need of help with.  A cryptovirus identifying itself as Amnesia has encrypted most file types on the machine and on a backup drive that was left attached to the machine.

The decrypt_Amnesia2 tool was run against the machine and the backup drive first - with no effect.

I have run the decrypt_Amnesia tool against probably about ten different identical files (ranging in file size from 1KB to 80KB) - also with no effect.

As per the requirements for assistance in the forum, I have run and attached the EmsisoftEmergencyKit and the FRST64 logs.

I have also run a VirusTotal scan against an encrypted file hoping it would yield some identification - but it did not.  I am unable to find the guide.exe file anywhere on the machine - so I am really not sure what exe was called in order to encrypt all the files - much less able to scan it with VirusTotal. (Results are still attached)

ID Ransomware (uploading both the ransom note and an encrypted file) identified the ransomware as 'Scarab'; however, the file extensions are all .amnesia. (Results still attached)

Any help that you guys can provide would be greatly appreciated.  I can certainly send some of the encrypted and unencrypted duplicates if it helps; however, I did not want to just attach them to this post unless instructed to do so.

Thank you all very much for being willing to lend a hand to all of us that are struggling.

--- T

Addition.txt

FRST.txt

scan_180412-112754.txt

IDRansomwareResults.txt

VirusTotalScan.txt


After researching a little more about the relationship between Amnesia and Scarab, I now realize that people were posting on this forum starting around February of this year with (probably) the exact flavor of Scarab-Amnesia that I am dealing with.  I also see that, currently, there is no known utility to decrypt the files.  *HeadHitsKeyboard*

A backup of all the encrypted files has now been made.  The shadow copies were deleted - I will be working on trying to see if I can recover any of them in case they were not deleted securely.

Please chime in if there are any further suggestions and/or new bits of information regarding this nasty little creature.

Thanks again.

--- T

10 hours ago, 3AVIT said:

Please chime in if there are any further suggestions and/or new bits of information regarding this nasty little creature.

I haven't heard anything new about it thus far. The encryption method still seems to be secure, and no one has (to my knowledge) come up with a way to recover files without getting the private key from the criminals who made the ransomware.

If you want to keep an eye out for news about this ransomware, then BleepingComputer will usually report on new decryption tools and new ransomware:
https://www.bleepingcomputer.com/

1 hour ago, 3AVIT said:

Is anyone aware of a decryption tool for this yet?

I haven't heard anything new about any Amnesia variants in a while. To my knowledge there is still no way to decrypt files that have been encrypted by this ransomware without first obtaining the private key from the criminals who made/distributed the ransomware.


It seems some of our messages from yesterday are gone after the forum failure. I am restoring the content that remains in my mail so that the meaning of the conversation is clear.

I wrote...

I can supplement the information, as I have been observing the development of this ransomware project from the very beginning and through its previous versions.

If your files were encrypted with the original Amnesia or Amnesia-2 Ransomware, then they can be decrypted with free Emsisoft tools.

If your files were encrypted with the Scarab-Amnesia Ransomware before June 18-19, 2018, they can be decrypted.

[I gave this 'Scarab-Amnesia' name to this ransomware, but other sites can borrow it for their own purposes, forgetting to make references to the original source.] ;)

But, to our regret, there is no free decryptor; there is only the decryption method that DrWeb offers - a free test check and the subsequent payment of 150 euro for a Rescue Package with a personalized decryption, which does not work for other victims.

Later versions cannot be decrypted in the same way, since the version of the criminal encoder has been updated and the encryption method has changed. If you view the encrypted file using Notepad, then at the end you will see a code that is different from earlier versions.

------------------------

3AVIT replied...

Thanks Amigo.  All of your work into this ransomware is much appreciated.

I am already down the path - talking with Emmanuel and seeing if DrWeb will work for us.

Again - much appreciated.

I will keep everyone in the loop.

------------------------

I replied...

I hope for a good result together with you. :)

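The "look at the end of the file" check Amigo-A describes, written out as a small triage script. This is an added example, not code from the thread, from Emsisoft, or from DrWeb. It reads the trailing bytes of each encrypted file, groups files by extension and trailer so that two variants with the same .amnesia extension can be told apart, and compares a clean duplicate with its encrypted twin (the pairs 3AVIT has) to see how much was appended and whether any of the file was left in clear. The FOOTER_A / FOOTER_B values, the file names and the pseudo-ciphertext are constructed for the demo and are not the real Scarab-Amnesia trailer; the procedure is the point, not the values.

```python
"""Triage of files encrypted by an unknown ransomware variant.

Added example, not part of the thread or of any vendor tool. Reads the
trailing bytes of each encrypted file (where Amigo-A says the version-specific
code sits), groups files by extension and trailer, and compares a clean
duplicate with its encrypted twin. FOOTER_A / FOOTER_B and the sample files
are constructed for the demo; they are NOT the real Scarab-Amnesia trailer.
"""
import math
import random
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Constructed demo trailers (16 bytes each); the real marker is whatever you
# see at the end of your own encrypted files in a hex editor or Notepad.
FOOTER_A = b"DEMO-VARIANT-A\x00\x00"
FOOTER_B = b"DEMO-VARIANT-B\x00\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for properly encrypted data, ~4 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def tail_marker(data: bytes, length: int = 16) -> str:
    """Hex of the last `length` bytes; compare across files to spot a common trailer."""
    return data[-length:].hex()


def triage(paths, marker_len: int = 16) -> dict:
    """Group encrypted files by (extension, trailer) so variants can be told apart."""
    groups = defaultdict(list)
    for p in map(Path, paths):
        data = p.read_bytes()
        key = (p.suffix.lower(), tail_marker(data, marker_len))
        groups[key].append({"name": p.name, "size": len(data),
                            "entropy": round(shannon_entropy(data), 2)})
    return dict(groups)


def compare_pair(original: bytes, encrypted: bytes) -> dict:
    """Compare a clean file with its encrypted twin.

    size_delta shows how much header/trailer the malware appended;
    shared_prefix > 0 would mean the start of the file was left in clear;
    entropy near 8.0 on the encrypted side rules out a cheap XOR-style scheme.
    """
    prefix = 0
    for a, b in zip(original, encrypted):
        if a != b:
            break
        prefix += 1
    return {
        "size_delta": len(encrypted) - len(original),
        "shared_prefix": prefix,
        "orig_entropy": round(shannon_entropy(original), 2),
        "enc_entropy": round(shannon_entropy(encrypted), 2),
    }


def _pseudo_ciphertext(rng: random.Random, n: int) -> bytes:
    """Deterministic random bytes standing in for real ciphertext (constructed)."""
    return bytes(rng.randrange(256) for _ in range(n))


def demo():
    """Write constructed samples to a temp dir, triage them, and return the results."""
    rng = random.Random(2018)
    plain = b"Quarterly numbers for the board.\r\n" * 120
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "report.docx").write_bytes(plain)
        samples = {
            "report.docx.amnesia": _pseudo_ciphertext(rng, len(plain)) + FOOTER_A,
            "photo.jpg.amnesia": _pseudo_ciphertext(rng, 2048) + FOOTER_A,
            "ledger.xlsx.amnesia": _pseudo_ciphertext(rng, 3000) + FOOTER_B,
        }
        for name, data in samples.items():
            (base / name).write_bytes(data)
        groups = triage(sorted(base.glob("*.amnesia")))
        pair = compare_pair(plain, samples["report.docx.amnesia"])
    return groups, pair


if __name__ == "__main__":
    groups, pair = demo()
    for (ext, trailer), files in groups.items():
        print(f"{ext} trailer={trailer}: {[f['name'] for f in files]}")
    print("clean vs encrypted report.docx:", pair)
```

Run it against a real set by replacing the demo directory with the folder of encrypted files and the clean/encrypted pair with one of the duplicates; a trailer that is identical across every file is a good candidate for the version code Amigo-A refers to, and a size_delta that stays constant across pairs tells you the appended block has a fixed length.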

Hmmm.  Well - it wasn't me.  Maybe I accidentally violated an Emsisoft Forum policy inadvertently?

DECRYPTION TESTS WERE SUCCESSFUL!!!

If anyone is reading this into the future, I would say that you should heed GT500's advice to check out Bleeping Computer - and reach out to Amigo-A because he understands the product that decrypted for me.  The advice on this forum started me on the path to a solution.

I can't thank everyone here enough!


7 hours ago, 3AVIT said:

Hmmm.  Well - it wasn't me.  Maybe I accidentally violated an Emsisoft Forum policy inadvertently?

No, it was due to a database issue that required us to restore a backup to get it online again:

