Amnesia is one of the latest ransomware families, and it took the world by storm in 2017. Written in the Delphi language, it encrypted files on countless computers throughout the world and was spread in the form of email attachments.
How does Amnesia Work?
Much like any other ransomware, Amnesia relies on an encryption algorithm, which transforms the data in a file into a form that is no longer readable.
Although many people reported that their files had been encrypted by the Amnesia ransomware, the reports are inconsistent about how much data it encrypted. These inconsistencies appeared on multiple forums where the ransomware was being discussed: users compared the sizes of the original and encrypted versions of a file and based their assumptions about the percentage or amount of encrypted data on the difference.
How Can You be Sure that Your Files were Encrypted by the Amnesia Ransomware?
If you find files on your system that end with the extension “.amnesia”, you can be certain that this is the doing of the Amnesia ransomware. That is not the only extension the ransomware uses, however. It gives quite a number of different extensions to the files it has encrypted. These extensions include: “.01”, “.02”, “.am”, “onion”, “.TRMT”, “.LOGOZ”, “.[black.mirror@qq.com].oled”, “.@decrypt_files2017”, “.SON”, “.[Help244@Ya.RU].LOCKED”, “.@decrypt2017”, and “.CRYPTBOSS”.
But that’s not all.
Once the ransomware has encrypted files, it also creates a text file titled “HOW TO RECOVER ENCRYPTED FILES.TXT” in every folder that contains encrypted files. Upon opening this file, you will see the following message:
“============================================
YOUR FILES ARE ENCRYPTED!
Your personal ID: –
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
IN a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
* Do not attempt to remove the program or run the anti-virus tools.
* Attempts to self-decrypt files will result in the loss of your data.
* Decoders are not compatible with other users of your data, because each user’s unique encryption key.
============================================”
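The extensions and the ransom-note file name above can be checked for together. The following Python sketch is an added example, not part of the original article: it flags each folder and rates a known extension alone as weak evidence, since suffixes such as “.am” and “.01” also occur on ordinary files. The function names, verdict labels and sample folder tree are constructed for illustration.

```python
import os
import tempfile

# Indicators copied from the article ("onion" is listed there without a dot).
NOTE_NAME = "HOW TO RECOVER ENCRYPTED FILES.TXT"
EXTENSIONS = (
    ".amnesia", ".01", ".02", ".am", "onion", ".TRMT", ".LOGOZ", ".SON",
    ".[black.mirror@qq.com].oled", ".@decrypt_files2017", ".@decrypt2017",
    ".[Help244@Ya.RU].LOCKED", ".CRYPTBOSS",
)
SUFFIXES = tuple(e.lower() for e in EXTENSIONS)  # match case-insensitively


def classify(names):
    """Classify one folder's file names; None means no indicator is present."""
    note = any(n.upper() == NOTE_NAME for n in names)
    renamed = sorted(n for n in names if n.lower().endswith(SUFFIXES))
    if not (note or renamed):
        return None
    # An extension alone is weak evidence; the note in the same folder corroborates it.
    verdict = "extension-only"
    if note:
        verdict = "likely-amnesia" if renamed else "note-only"
    return {"verdict": verdict, "files": renamed}


def scan(root):
    """Walk root and return {relative_folder: classification} for flagged folders."""
    report = {}
    for folder, _dirs, names in os.walk(root):
        if (result := classify(names)):
            report[os.path.relpath(folder, root)] = result
    return report


def demo():
    """Build a constructed sample tree in a temporary directory and scan it."""
    tree = {
        "docs": ["report.docx.amnesia", NOTE_NAME],
        "mail": ["invoice.pdf.[Help244@Ya.RU].LOCKED", NOTE_NAME.lower()],
        "src": ["Makefile.am"],  # benign automake file that shares a listed suffix
        "clean": ["notes.txt"],
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in tree.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return scan(root)
```

Calling `scan()` on a real directory returns the same structure as `demo()`, keyed by folder path relative to the scanned root.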
For assistance with file recovery and ransomware removal, please contact MonsterCloud, cyber security experts, for professional ransomware removal.