Decrypt Amnesia ransomware with Emsisoft’s free decrypter

Scarlett
« Reply #1 on: May 12, 2017, 06:26:30 PM »
6 May 2017, 10:01 pm

Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for a new Delphi-based ransomware called “Amnesia”, which began to appear on 26th April 2017.

How the Amnesia ransomware works

The main infection vector of Amnesia appears to be via RDP (remote desktop services) brute force attacks, which allow the malware author to log into the victim’s server and execute the ransomware.

Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted. It will also copy itself into the %APPDATA% directory using the file name “guide.exe” and register itself within the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce” key to start automatically during the next boot.

Since Amnesia ransomware does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\Windows, C:\Program Files and various other folders from the encryption operation, so that boot operation and other critical processes are not impacted.

Amnesia encrypts up to the first 1 MB of files using AES-256 encryption in ECB mode. Once the files are locked this way, the malware will append the “.amnesia” extension to them.

How Amnesia ransomware victims are supposed to pay

Amnesia victims are asked to contact the malware author via email to “”.

How to remove Amnesia ransomware encryption using the Emsisoft decrypter

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest reading it before making any hasty removal attempts.

For infected users that have verified the ransomware type and are just looking for the decrypter, you can download it for free on Emsisoft’s decrypter site.

Have a great (ransomware-free) day!

Source: Emsisoft Blog
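
The indicators listed in the article (a copy at %APPDATA%\guide.exe registered under the HKCU RunOnce key, and files renamed with the “.amnesia” extension) can be checked with a short triage script. This is an added example, not code from Emsisoft or the original post; the function names, the sample user path and the registry value names are constructed for illustration.

```python
import ntpath
import os
import tempfile

# HKCU subkey named in the article
RUNONCE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

def read_runonce():
    """Return {value name: data} from HKCU RunOnce; empty when not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    except OSError:
        pass  # key absent: nothing registered
    return values

def suspicious_runonce(values, appdata):
    """Names of RunOnce values whose command starts guide.exe from %APPDATA%."""
    target = ntpath.normcase(ntpath.join(appdata, "guide.exe"))
    return sorted(n for n, cmd in values.items()
                  if target in ntpath.normcase(cmd))

def encrypted_files(root):
    """Paths under root carrying the appended .amnesia extension."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        hits += [os.path.join(folder, f) for f in files
                 if f.lower().endswith(".amnesia")]
    return sorted(hits)

def demo():
    """Run both checks on constructed sample data (not taken from a real host)."""
    appdata = r"C:\Users\alice\AppData\Roaming"  # constructed path
    runonce = {  # constructed registry values
        "OneDriveSetup": r"C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup",
        "guide": r'"c:\users\alice\appdata\roaming\GUIDE.EXE"',
    }
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.docx.amnesia", "db.bak.AMNESIA", "notes.txt"):
            open(os.path.join(root, name), "wb").close()
        found = [os.path.basename(p) for p in encrypted_files(root)]
    return suspicious_runonce(runonce, appdata), found

if __name__ == "__main__":
    print(demo())
```

On a live Windows host, pass `read_runonce()` and the user's real %APPDATA% path to `suspicious_runonce`, and point `encrypted_files` at the data volumes.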
