
Amnesia Ransomware (.amnesia - HOW TO RECOVER ENCRYPTED FILES.TXT) Support Topic

180 replies to this topic

#1 paradoxewan

Posted 01 May 2017 - 02:30 PM

Hi there, have a system at work that has picked up a ransomware app that has encrypted files with .amnesia extension.
 
Anyone seen this before? There is a note "HOW TO RECOVER ENCRYPTED FILES.TXT" in every folder that has been hit.
 
No luck identifying with the online tool, can anyone help?
 
Contents of ransom demand follow - 
 
=========================================================================================================
YOUR FILES ARE ENCRYPTED!
 
Your personal ID:
 
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identifier (see in the beginning of this document).
 
 
Attention!
 * Do not attempt to remove the program or run the anti-virus tools. 
 * Attempts to self-decrypting files will result in the loss of your data. 
 * Decoders are not compatible with other users of your data, because each user's unique encryption key.
 
=========================================================================================================


#2 Demonslay335


Posted 01 May 2017 - 02:37 PM

ID Ransomware gave you the result of Globe3, which is correct based on the ransom note filename and its contents. Give the Globe3 decrypter a try. You'll need an encrypted file and its original over 64KB; they will be the same filesize.

 

https://decrypter.emsisoft.com/globe3

 

Amnesia is a different strain similar to Globe3 that is still decryptable: https://decrypter.emsisoft.com/amnesia


Edited by Demonslay335, 06 May 2017 - 04:46 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 paradoxewan


Posted 01 May 2017 - 02:38 PM

Yup, I got the same, but no luck with the Globe3 decrypter.



#4 paradoxewan


Posted 01 May 2017 - 02:52 PM

I have uploaded an encrypted file, original and the note for you guys to have a look at if you have the time :)

 

Thanks

 

Ewan



#5 Demonslay335


Posted 01 May 2017 - 03:24 PM

Are you sure that's the original of that encrypted file? The filesize is way off, and they definitely were not the same file. You'll see 64KB of the file is encrypted, and the rest is left alone. The bytes after that point should match with the original. I don't even see the same strings between the files.


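The check described in the post above (same filesize, only the first 64KB changed, everything after it identical), written out as an added example; this is not a tool from the thread, from Emsisoft or from ID Ransomware, and the sample files are constructed here:

```python
"""Check an encrypted/original file pair the way the post above describes.

Added example, not a tool from this thread. Assumption (from the post):
only the first 64 KiB of a file is encrypted and the rest is untouched,
so a genuine pair has equal sizes and identical bytes from offset 65536.
"""
ENCRYPTED_PREFIX = 64 * 1024  # bytes the ransomware overwrites, per the thread


def first_difference(a: bytes, b: bytes) -> int:
    """Index of the first differing byte over the common length, or -1 if none."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1


def check_pair(original: bytes, encrypted: bytes) -> dict:
    """Report whether `encrypted` plausibly came from `original`.

    A wrong 'original' fails same_size or tail_matches; an untouched copy
    fails prefix_differs; a file of 64 KiB or less has no tail to compare.
    """
    same_size = len(original) == len(encrypted)
    large_enough = len(original) > ENCRYPTED_PREFIX
    tail_matches = prefix_differs = False
    if same_size and large_enough:
        tail_matches = original[ENCRYPTED_PREFIX:] == encrypted[ENCRYPTED_PREFIX:]
        prefix_differs = first_difference(original[:ENCRYPTED_PREFIX],
                                          encrypted[:ENCRYPTED_PREFIX]) != -1
    return {
        "same_size": same_size,
        "large_enough": large_enough,
        "tail_matches": tail_matches,
        "prefix_differs": prefix_differs,
        "plausible_pair": same_size and large_enough and tail_matches and prefix_differs,
    }


# Constructed sample: a 100 KiB "original" with a byte pattern; the "encrypted"
# copy has its first 64 KiB flipped and the remaining 36 KiB left alone.
SAMPLE_ORIGINAL = bytes((i * 7 + 3) & 0xFF for i in range(100 * 1024))
SAMPLE_ENCRYPTED = (bytes(b ^ 0xFF for b in SAMPLE_ORIGINAL[:ENCRYPTED_PREFIX])
                    + SAMPLE_ORIGINAL[ENCRYPTED_PREFIX:])
SAMPLE_TOO_SMALL = SAMPLE_ORIGINAL[:1024]  # a 1 KB file: nothing survives to compare

if __name__ == "__main__":
    print(check_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED))
```

To use it on real files, read both with `open(path, "rb").read()` and pass the two byte strings to `check_pair`; a result with `plausible_pair` false means the pair will not work as decrypter input.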


#6 paradoxewan


Posted 01 May 2017 - 03:42 PM

Have put it on Dropbox, https://www.dropbox.com/s/3zsnxg4n66qpg82/Archive.zip?dl=0 - should be two 16.1MB files contained within the zip. Not sure what happened with the web upload form.



#7 Demonslay335


Posted 01 May 2017 - 04:15 PM

The files need to be greater than 64KB. The files you shared are only 15MB.




#8 paradoxewan


Posted 01 May 2017 - 04:40 PM

Each file is 16.1MB = 16100KB???

 

16100kb > 64kb

 

Or am I missing something here?



#9 Demonslay335


Posted 01 May 2017 - 05:29 PM

Sorry, I read the numbers incorrectly in my hex editor.  :whistle:

 

xXToffeeXx has found a sample of the malware, and we've confirmed it isn't Globe. We'll have to analyze it to see what it is and if it is decryptable.




#10 paradoxewan


Posted 01 May 2017 - 05:33 PM

OK, that's brilliant. I really appreciate the help. I'll try and pin down the source and see if we can get the payload that delivered it. Seems to have hit open shares on the server from another machine, so just trying to pin it down at the moment.

 

Really hope you can help identify and possibly offer some advice on decryption.

 

Thanks again for your time, much appreciated



#11 ComputerAngel


Posted 02 May 2017 - 10:09 AM

Hi all,

I also had 4 servers encrypted with .amnesia and one with both Amnesia and .k33p. The .k33p files were successfully decrypted using https://decrypter.emsisoft.com/ Decrypt_Globe2 using a file larger than 65kb (the 1 KB text file did not work). Note: if you cannot find any original files you can use a data recovery tool to scan the whitespace for any deleted files and restore it from there. I also managed to restore some genuine good files from whitespace. EaseUS Data Recovery is very good and worth the money. Some free tools might be available also.

 

At the moment I am struggling to decrypt the .amnesia files.

 

Please let me know if you wish me to submit any samples.

 

Note.

The infection originated via a Dropbox invite.

A trojan was found on one of the servers called guide.exe. - https://www.virustotal.com/en/file/7e74ecfe0f9389fbfd037ae0eedbbfd9502600490977866850f90146eecad549/analysis/1493668298/

 

Also an empty folder in the downloads folder called Locker.

 

Regards


Edited by ComputerAngel, 03 May 2017 - 06:23 AM.


#12 paradoxewan


Posted 03 May 2017 - 06:05 AM

There is a strange comfort in knowing that you are not the only person dealing with this!



#13 brener


Posted 03 May 2017 - 07:59 AM

We got the same problem on April 26th. ID Ransomware gave me also the result of Globe3, and I can't remove it...


Edited by brener, 03 May 2017 - 08:00 AM.


#14 ComputerAngel


Posted 03 May 2017 - 08:21 AM

Hi All,

Malwarebytes will remove it. I found a virus called giude.exe.

Still no decrypt options.

 

I have an older backup of the C Drive of the folder and have plenty of encrypted / Cleaned files to compare.

It looks like the encrypted file has an extra 32 bytes.



#15 Demonslay335


Posted 03 May 2017 - 08:23 AM

It does appear this ransomware is heavily spoofing Globe3. Until more info is available from analysis, there may be some false-positives on ID Ransomware I'm afraid, as I don't know how to easily discern them other than just the extension for now.






