Alanr

Amnesia Encryption on Laptop & NAS drive


Hello, 

I'm looking for some help. I have a laptop that runs a media server and the files are stored on my WD NAS drive. It would appear 3 days ago my PC was infected. The majority of the files have been renamed and now have .amnesia as the extension. Every folder has a text file included showing a process to pay someone in bitcoin to recover my files. I have checked one of the encrypted files on VirusTotal and it confirmed the file was clean. 

I have tried multiple antivirus programmes and Kaspersky is currently running a full scan. Nothing has been found so far. This has encrypted all files on laptop and on my NAS drive.

I am also running decrypt_amnesia.exe and it is currently at 40% (hopefully this will crack it!). 

Any help would be appreciated. Thanks


I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


Hi, 

I've done as you've recommended and it's come back as Scarab, even though all the files say amnesia. 

Link is here 

Obviously this site says there is nothing I can do, is that the case? Is this normal to encrypt my NAS drive and laptop? Are other devices on my network at risk? (I'm using my Mac now, is that any less likely to get encrypted?)...

All the stuff that's been locked are family photos (a lot of photos) and backups, is there anything else worth a try? 

Many thanks for your help, it is appreciated.


There's a variant of the Scarab ransomware that uses the .amnesia extension.

 

27 minutes ago, Alanr said:

Obviously this site says there is nothing I can do, is that the case?

Correct. Ransomware like this even deletes Volume Shadow Copies, meaning you can't restore files that were backed up by System Restore, and it overwrites existing files with the encrypted copies rather than writing new files with the encrypted data and deleting the old files (so they can't be recovered using file recovery software). In theory it might be possible to recover old Volume Shadow Copies using file recovery software, however this can't be done while Windows is running as you won't have access to write to the "System Volume Information" folder. Doing this very rarely works, especially since System Restore doesn't normally make backups of any files you would need to recover after a ransomware infection.

In most cases, the only thing you can do is simply make a backup of encrypted files, and wait until (hopefully) some future point when law enforcement or a security research firm is able to gain access to the criminals' servers and take possession of their database of private keys, at which point someone will be able to make a decryption tool.

 

34 minutes ago, Alanr said:

Is this normal to encrypt my NAS drive and laptop? Are other devices on my network at risk? (I'm using my MAC now, is that any less likely to get encrypted?)...

Almost all ransomwares will encrypt files on any connected drives, and there are many that will also look for files on network shares and encrypt them as well. This is why it is critical to always disconnect backup media from every PC after finishing making backups.

If I'm not mistaken, I would believe that Scarab is often installed by an attacker who gains access via a compromised RDP account (or some other form of remote access), so it is entirely possible that they were able to gain access to other computers on the network as well. Computers running macOS would not be susceptible to the same ransomware as computers running Windows, however there have been ransomwares for macOS, so make sure you have a backup of any important files on some sort of removable media that you can leave somewhere safe until you're certain the computer is OK.

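As an added triage example (not code from this thread or from any tool mentioned in it): a read-only inventory of an affected share that counts the .amnesia files, recovers their original extensions, locates the per-folder ransom note and lists any files still untouched, so the untouched ones can be backed up first before the PC is wiped. The ransom-note filename pattern and the sample directory tree are assumptions constructed for the example.

```python
import os
import re
import tempfile
from collections import Counter
ENC_EXT = ".amnesia"  # extension reported in the thread
# The thread does not name the ransom note; this filename pattern is an assumption.
NOTE_RE = re.compile(r"(how.*(decrypt|recover)|readme|restore).*\.txt$", re.I)

def triage(root, enc_ext=ENC_EXT, note_re=NOTE_RE):
    """Walk root read-only: count encrypted files, recover their original extension
    (photo.jpg.amnesia -> .jpg), collect ransom notes, untouched files and note-less folders."""
    report = {"encrypted": 0, "untouched": [], "notes": [],
              "folders_without_note": [], "orig_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        has_note = False
        for name in files:
            path = os.path.join(dirpath, name)
            if note_re.search(name):
                report["notes"].append(path)
                has_note = True
            elif name.lower().endswith(enc_ext):
                report["encrypted"] += 1
                stem = name[:-len(enc_ext)]
                report["orig_ext"][os.path.splitext(stem)[1].lower() or "(none)"] += 1
            else:
                report["untouched"].append(path)  # candidates to back up first
        if files and not has_note:
            report["folders_without_note"].append(dirpath)
    return report

def build_sample_tree(root):
    """Constructed sample: renamed photos with a note per folder, plus one folder left untouched."""
    layout = {"photos/2017": ["img1.jpg.amnesia", "img2.jpg.amnesia", "HOW TO RECOVER FILES.txt"],
              "photos/2018": ["img3.png.amnesia", "HOW TO RECOVER FILES.txt"],
              "backups": ["laptop.zip", "nas.zip"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as f:
                f.write(b"placeholder bytes")  # contents are irrelevant to the inventory
    return root

def run_demo():
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))

if __name__ == "__main__":
    print(run_demo())
```

Point `triage()` at the real share's mount point instead of the sample tree; it only reads names, never opens or modifies files.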

Thanks for your help. Are people working on a Scarab decrypt tool? 

Also, the ransom text file that came with this virus shows a gmail account as the contact info. Isn’t there someone looking to find these people (and accounts) and stop them doing this? Who can I report this to?

Thanks again, I'll start wiping my PC tonight... 

On 4/21/2018 at 9:38 AM, Alanr said:

Are people working on a Scarab decrypt tool? 

Most analysts/researchers are not. The encryption is considered secure, and if there was a flaw that could have been exploited to facilitate decryption of files then someone would have made a decryption tool within a few weeks of the first reports of infections. While there may be someone doing more extensive vulnerability testing on the ransomware to see if they can find a flaw that was overlooked, please keep in mind that it is very rare for anyone to actually find something during that kind of extended analysis that would lead to decryption of files without obtaining the private key.

 

On 4/21/2018 at 9:38 AM, Alanr said:

Isn’t there someone looking to find these people (and accounts) and stop them doing this? Who can I report this to?

There are always analysts checking on these criminals and cooperating with law enforcement, trying to see if they can track them down. If the criminals were smart, then it can be rather difficult to track them, and sometimes it can take years.

You can report the incident to local law enforcement. It's also possible to report such incidents to the FBI:
https://www.ic3.gov/media/2016/160915.aspx
https://www.ic3.gov/
