Alanr

Amnesia Encryption on Laptop & NAS drive


Hello, 

I'm looking for some help. I have a laptop that runs a media server and the files are stored on my WD NAS drive. It would appear 3 days ago my PC was infected. The majority of the files have been renamed and now have .amnesia as the extension. Every folder has a text file included showing a process to pay someone in bitcoin to recover my files. I have checked one of the encrypted files on VirusTotal and it confirmed the file was clean.

I have tried multiple antivirus programmes and Kaspersky is currently running a full scan. Nothing has been found so far. This has encrypted all files on laptop and on my NAS drive.

I am also running decrypt_amnesia.exe and it is currently at 40% (hopefully this will crack it!).

Any help would be appreciated. Thanks

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


Hi, 

I've done as you've recommended and it's come back as Scarab, even though all the files say amnesia.

Link is here 

Obviously this site says there is nothing I can do, is that the case? Is this normal, to encrypt my NAS drive and laptop? Are other devices on my network at risk? (I'm using my Mac now, is that any less likely to get encrypted?)...

All the stuff that's been locked is family photos (a lot of photos) and backups, is there anything else worth a try?

Many thanks for your help, it is appreciated.


There's a variant of the Scarab ransomware that uses the .amnesia extension.

 

27 minutes ago, Alanr said:

Obviously this site says there is nothing I can do, is that the case?

Correct. Ransomware like this even deletes Volume Shadow Copies, meaning you can't restore files that were backed up by System Restore, and it overwrites existing files with the encrypted copies rather than writing new files with the encrypted data and deleting the old files (so they can't be recovered using file recovery software). In theory it might be possible to recover old Volume Shadow Copies using file recovery software, however this can't be done while Windows is running as you won't have access to write to the "System Volume Information" folder. Doing this very rarely works, especially since System Restore doesn't normally make backups of any files you would need to recover after a ransomware infection.

In most cases, the only thing you can do is simply make a backup of encrypted files, and wait until (hopefully) some future point when law enforcement or a security research firm is able to gain access to the criminals' servers and take possession of their database of private keys, at which point someone will be able to make a decryption tool.

 

34 minutes ago, Alanr said:

Is this normal, to encrypt my NAS drive and laptop? Are other devices on my network at risk? (I'm using my Mac now, is that any less likely to get encrypted?)...

Almost all ransomware will encrypt files on any connected drives, and there are many variants that will also look for files on network shares and encrypt them as well. This is why it is critical to always disconnect backup media from every PC after finishing making backups.

If I'm not mistaken, Scarab is often installed by an attacker who gains access via a compromised RDP account (or some other form of remote access), so it is entirely possible that they were able to gain access to other computers on the network as well. Computers running macOS would not be susceptible to the same ransomware as computers running Windows, however there has been ransomware for macOS, so make sure you have a backup of any important files on some sort of removable media that you can leave somewhere safe until you're certain the computer is OK.

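The answer above says the first practical thing a victim can do is back up the encrypted files and wait, which makes it worth knowing exactly what was hit before wiping anything. The Python script below is an added example, not code from this thread or from any decryptor it mentions. It walks a tree, counts files carrying the ransom extension, records which original file types were affected, finds the ransom notes, and uses a Shannon entropy check to tell files that were really encrypted from files that were only renamed (an encrypted file is just high-entropy data, not malware, which is also why VirusTotal reports it as clean). The extension is ".amnesia" as the poster reported; the note filename and the sample directory tree are assumptions constructed here, not data from a real victim.

```python
"""Ransomware triage inventory: walk a directory tree, count files carrying the ransom
extension, locate ransom notes, and test whether each renamed file actually looks
encrypted (high Shannon entropy) or was merely renamed.

Added example written for this thread, not code from the forum or from any decryptor it
mentions. Assumptions: the extension is ".amnesia" as the poster reported; the note
filename is made up; the sample tree is constructed here, not taken from a real victim.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".amnesia"                               # extension reported in the thread
NOTE_NAMES = {"how to recover encrypted files.txt"}   # assumed note filename (lower-case)
SAMPLE_BYTES = 64 * 1024                              # bytes read per file for the entropy test
ENTROPY_THRESHOLD = 7.0                               # bits/byte; ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or compressed data, much lower for
    plain text, zero-filled or structured files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file's leading bytes are high-entropy, i.e. consistent with real encryption."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def triage(root) -> dict:
    """Inventory the damage under root: what was encrypted, what was only renamed,
    where the notes are, and which original file types were hit."""
    root = Path(root)
    stats = {"encrypted": 0, "renamed_only": 0, "notes": [],
             "by_original_ext": Counter(), "dirs_with_notes": set()}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = str(Path(dirpath).relative_to(root))
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in NOTE_NAMES:
                stats["notes"].append(str(path.relative_to(root)))
                stats["dirs_with_notes"].add(rel_dir)
            elif path.suffix.lower() == RANSOM_EXT:
                # "IMG_0001.jpg.amnesia" -> original extension ".jpg"
                orig_ext = Path(path.stem).suffix.lower() or "(none)"
                stats["by_original_ext"][orig_ext] += 1
                if looks_encrypted(path):
                    stats["encrypted"] += 1
                else:
                    stats["renamed_only"] += 1
    return stats


def build_sample_tree(base) -> Path:
    """Constructed sample data mimicking the thread's description: photo and backup folders,
    a note in every affected folder, one file renamed but not actually encrypted."""
    base = Path(base)
    photos = base / "Photos" / "2018"
    photos.mkdir(parents=True)
    for i in (1, 2):
        (photos / f"IMG_000{i}.jpg{RANSOM_EXT}").write_bytes(os.urandom(4096))
    (photos / "How to recover encrypted files.txt").write_text("pay in bitcoin, contact by email\n")
    backups = base / "Backups"
    backups.mkdir()
    (backups / f"laptop.zip{RANSOM_EXT}").write_bytes(os.urandom(4096))
    (backups / f"notes.txt{RANSOM_EXT}").write_bytes(b"not really encrypted, only renamed\n" * 100)
    (backups / "How to recover encrypted files.txt").write_text("pay in bitcoin, contact by email\n")
    (base / "untouched.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 100)  # not hit
    return base


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it and return the stats."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    s = run_demo()
    print(f"encrypted: {s['encrypted']}, renamed only: {s['renamed_only']}")
    print(f"notes found in: {sorted(s['dirs_with_notes'])}")
    print(f"original types hit: {dict(s['by_original_ext'])}")
```

Run it against the root of the NAS share and the laptop's data folders before wiping, and keep the output with the backup of the encrypted files; if a decryptor ever appears, the list of affected folders and original file types is what you will need. One caveat on the entropy test: JPEG, ZIP and other already-compressed formats are high-entropy even when untouched, so for those the check only confirms that the content is not plain text. A more reliable test for such files is to compare their first bytes against the format's expected magic number (for example "PK\x03\x04" for ZIP), which an encrypted file will no longer have.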

Thanks for your help. Are people working on a Scarab decrypt tool?

Also, the ransom text file that came with this virus shows a gmail account as the contact info. Isn’t there someone looking to find these people (and accounts) and stop them doing this? Who can I report this to?

Thanks again, I'll start wiping my PC tonight...

