Decrypt Files Encrypted by Amnesia Ransomware (Update May 2017)

This article aims to show you how to fully delete Amnesia ransomware from your computer and decrypt .amnesia and other encrypted files.

A ransomware virus by the name of Amnesia has been roaming around, infecting users and demanding 0.5 BTC as a ransom to restore the damage it has done. And the damage is not little – Amnesia ransomware targets only the important files on an infected PC, encrypting them so that they can no longer be opened. Luckily, there is a method to decrypt files encrypted by this virus, thanks to Emsisoft researchers. In case your computer has been infected by Amnesia ransomware, read this article to remove the ransomware threat and restore your files in the event that they have been encrypted.

Threat Summary

Name: Amnesia
Type: Ransomware
Short Description: Encrypts important files on the compromised computers and then demands a hefty ransom fee to be paid to get the unlock code.
Symptoms: The victim may not be able to open the files. The files may either be completely renamed or have the .amnesia extension added.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Amnesia Ransomware – More Information

Amnesia Virus Variant 1

One of the variants has reportedly used the ransom note, named HOW TO RECOVER ENCRYPTED FILES.TXT and the ransom note had the following message, including a unique victim ID:

YOUR FILES ARE ENCRYPTED!
Your personal ID: {UNIQUE ID}
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: [email protected]
In a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
Do not attempt to remove the program or run the anti-virus tools.
attempts to self-decrypting files will result in the loss of your data.
Decoders are not compatible with other users of your data, because each user’s unique encryption key.

The extension that this ransomware variant was reported to add to encrypted files is .amnesia. After encryption, the files appear like the following:

Amnesia Virus Variant 2

The second iteration of Amnesia ransomware came with several different changes. Some of those changes were in the ransom note file used by the virus, which demands the sum of 0.5 BTC to buy the decryptor in an .HTML file, named RECOVER-FILES.HTML. It has the following message to victims:

Your files are Encrypted!
For data recovery needs decryptor.
To buy the decryptor, you must pay the cost of 0.5 Bitcoin
[Buy Decryptor] button
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this form:

The most radical changes in this Amnesia ransomware variant were in how it handles files. The ransomware completely renames each file to a number, followed by a randomly generated name and then a two-digit file extension, for example .05. A file encrypted by this variant of Amnesia ransomware would look like the following:

Thankfully, it is now possible to decrypt files that have been encrypted by Amnesia ransomware, and all that it takes is one original file and its encrypted analogue to restore all of the files for free. But first, you need to remove the ransomware from your computer. To remove Amnesia ransomware and then decrypt your files, please follow the instructions below.
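The indicators described above (the two ransom note names, the .amnesia extension and the two-digit extension of variant 2) can be used to inventory an affected folder and to look for an encrypted/original pair in a clean backup. The script below is an added example, not part of the original article or of Emsisoft's tool; the function names, the sample tree and the rule that any purely two-digit extension counts as a variant 2 candidate are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article; matching is case-insensitive.
NOTE_NAMES = {"how to recover encrypted files.txt", "recover-files.html"}
V1_SUFFIX = ".amnesia"
# Assumption: a purely two-digit extension (e.g. ".05") marks a variant 2
# candidate. Split archives (.01, .02) also match, so review these by hand.
V2_EXT = re.compile(r"^\.\d{2}$")

def scan(root):
    """Walk root (read-only) and bucket files by the article's indicators."""
    found = {"notes": [], "variant1": [], "variant2_candidates": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in NOTE_NAMES:
                found["notes"].append(path)
            elif lower.endswith(V1_SUFFIX):
                found["variant1"].append(path)
            elif V2_EXT.match(path.suffix):
                found["variant2_candidates"].append(path)
    return found

def find_pairs(encrypted, reference_dir):
    """Match variant 1 files to clean copies by original name (suffix stripped)."""
    clean = {p.name.lower(): p for p in Path(reference_dir).rglob("*") if p.is_file()}
    pairs = []
    for enc in encrypted:
        original_name = enc.name[: -len(V1_SUFFIX)].lower()
        if original_name in clean:
            pairs.append((enc, clean[original_name]))
    return pairs

def demo():
    """Build a constructed sample tree and run both functions over it."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, backup = Path(tmp, "victim"), Path(tmp, "backup")
        (victim / "docs").mkdir(parents=True)
        backup.mkdir()
        for rel in ("docs/img0.jpg.amnesia", "docs/report.docx.AMNESIA",
                    "HOW TO RECOVER ENCRYPTED FILES.TXT", "docs/1abcdef.05", "notes.txt"):
            (victim / rel).write_bytes(b"constructed sample")
        (backup / "img0.jpg").write_bytes(b"constructed original")
        found = scan(victim)
        pairs = find_pairs(found["variant1"], backup)
        return ({k: len(v) for k, v in found.items()},
                [(e.name, o.name) for e, o in pairs])

if __name__ == "__main__":
    print(demo())
```

A name match only nominates a pair; the clean copy must be the same file as the one that was encrypted for it to be of use to the decryptor.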

Amnesia Ransomware – Removal

First, before beginning to decrypt your files, it is very important to try and remove the virus. One way to do it is to follow the manual instructions below. However, bear in mind that experts strongly advise using an advanced anti-malware software to remove everything associated with Amnesia permanently.

Manually delete Amnesia from your computer

Note! Substantial notification about the Amnesia threat: Manual removal of Amnesia requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Amnesia files and objects
2. Find malicious files created by Amnesia on your PC

Automatically remove Amnesia by downloading an advanced anti-malware program

1. Remove Amnesia with SpyHunter Anti-Malware Tool and back up your data

Amnesia Ransomware – Decryption Instructions

After having removed the Amnesia threat from your computer, you should follow these instructions to get your files back:

Step 1: Download Amnesia Decryptor by Emsisoft from this web page and save it on your computer.

Step 2: Copy the following files into a new folder:

  • decrypt_Amnesia.exe
  • One encrypted picture.
  • The original (unencrypted) version of the same picture.

In case you do not have any original variants of encrypted pictures, please, make sure to use the default Windows pictures from another Windows PC. They are usually located in:

For newer Windows (8, 8.1, 10):
C:\Windows\Web\Wallpaper
For Windows 7 and earlier:
C:\Users\Public\Pictures
C:\Users\{Username}\Pictures

Step 3: Drag the encrypted file and its original onto the Amnesia decryptor, as the GIF below demonstrates:

[GIF: dragging the encrypted and original files onto decrypt_Amnesia.exe]

Step 4: After the files are dropped, you should see a pop-up similar to the following:

[Image: "decryption key found" pop-up]

Press OK to continue.

Step 5: After this, the primary interface of the decryptor will show:

[Image: main interface of the Amnesia decryptor]

From there choose the folders you wish to decrypt and click on the Decrypt button.

After decryption, the files should be saved in the same location where they were initially encrypted. You also have the option to choose whether to keep or discard the encrypted version of the files.

Amnesia Ransomware – What to Do After Decryption

In case you have been attacked by Amnesia ransomware, you are a lucky individual. But bear in mind that it is never too late to implement the necessary protection precautions and learn how to safely store your data and protect it from ransomware and other malware in the future.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
