.Am Files Virus (Amnesia 2) Ransomware - Remove + Restore Files

.AM Files Virus (Amnesia 2) Ransomware – Remove + Decrypt Files

This article shows how to remove the newly discovered second variant of the Amnesia ransomware virus and how to restore files encrypted by it, which have the .am file extension added to them.

The second variant of the previously detected Amnesia ransomware has been detected performing various malicious activities on users’ computers. The malware has been reported to use sophisticated encryption to render the files on infected computers impossible to open. After doing so, the Amnesia 2 ransomware leaves the victims’ files encrypted, with the .am file extension added after their original names. In addition, the ransomware may drop a ransom note, which aims to extort victims into paying a hefty ransom fee to get the encrypted files decoded and working again. If your computer has been infected by the .am extension variant of Amnesia ransomware, we recommend that you read the following article and learn how to remove Amnesia 2 and how to restore .am encrypted files.

Threat Summary

Name: Amnesia 2
Type: Ransomware, Cryptovirus
Short Description: New variant of Amnesia ransomware. Encrypts the files on the infected computer and asks for a ransom to be paid in order to decrypt them and get them to work again.
Symptoms: The virus encrypts the files on the computers it successfully infects, then drops a ransom note and leaves the files with the .am file extension after encryption is complete.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Amnesia 2 Ransomware – How Does It Infect

The primary infection file which has been detected to be associated with this variant of Amnesia ransomware virus has been reported to be the following at VirusTotal.com:

The file may be dropped from another infection web link or file attachment which may be sent to you via e-mail. Such e-mail messages often pretend to be completely legitimate and to come from reputable companies such as FedEx, DHL, PayPal, eBay and others. The e-mail messages themselves are also quite convincing, for example claiming that you have made an online purchase and must see your receipt (which is the malicious attachment) or that there is suspicious activity on your bank account and you must click on the link they have provided for more info. If you encounter such e-mails, the recommendation is to immediately check whether their content is malicious using services such as VirusTotal or ZipeZip.

Amnesia 2 Ransomware – More Information

When the virus was discovered in its first variant back in May of 2017, Amnesia had two main sub-variants of that first variant.

Amnesia 1.0

The very first variant of the Amnesia ransomware used a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT, and this note included the following extortion message:

Your personal ID: {UNIQUE ID}
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: [email protected]
In a letter to indicate your personal identifier (see in the beginning of this document).
Do not attempt to remove the program or run the anti-virus tools.
attempts to self-decrypting files will result in the loss of your data.
Decoders are not compatible with other users of your data, because each user’s unique encryption key.

The variant used the .amnesia file extension traditional for the virus, and files began to look like the following after encryption by Amnesia 1.0:

Amnesia 1.1

The second iteration of the first variant of Amnesia ransomware had some major changes, starting with the ransom note demanding the exact sum of 0.5 BTC to purchase a decrypter for your encoded files. The ransom note had other changes as well, such as the RECOVER-FILES.HTML name and new contents:

Your files are Encrypted!
For data recovery needs decryptor.
To buy the decryptor, you must pay the cost of 0.5 Bitcoin
[Buy Decryptor] button
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this form:

The biggest change of all in this version is that it renames the file completely and adds a file extension that is a completely random number, for instance .03. Files encrypted by this version of Amnesia looked somewhat like the following:

Amnesia 2 (Newest Variant)

The latest variant of Amnesia, also detected by malware researcher Michael Gillespie, was reported to be a bit of a buggy variant. It still renames the files on infected computers similarly to the 1.1 variant of the virus; however, this time the malware adds the .am file extension to them. After encryption with this variant of Amnesia, your files will look similar to the image below:

In addition to this, the virus also leaves behind an ENCRYPTED FILES.TXT file which contains unique keys of each encrypted file.

Thankfully, all the Amnesia viruses that have been detected so far are decryptable, and you must not pay any form of ransom in order to decrypt them. After removing the virus, follow the instructions below to learn how you can use the Emsisoft Decrypter to decode your encoded files without paying any ransom.
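Before removal and decryption it helps to know which variant's artifacts are on disk and where. The following triage scanner is an added example, not code from this article or from Emsisoft: it walks a folder read-only and groups files by the ransom-note names and extensions listed above. The digits-only extension rule for Amnesia 1.1 is an assumption drawn from the ".03" example and can also match unrelated files such as split archives.

```python
import os
import re
import tempfile
from collections import defaultdict

# Indicators named in this article's variant descriptions.
NOTE_NAMES = {
    "HOW TO RECOVER ENCRYPTED FILES.TXT": "Amnesia 1.0",
    "RECOVER-FILES.HTML": "Amnesia 1.1",
    "ENCRYPTED FILES.TXT": "Amnesia 2",
}
EXTENSIONS = {".amnesia": "Amnesia 1.0", ".am": "Amnesia 2"}
# Assumption: the 1.1 "random number" extension is digits only (e.g. ".03").
NUMERIC_EXT = re.compile(r"^\.\d+$")


def classify(filename):
    """Return (variant, kind) for a file name, or None if nothing matches."""
    if filename.upper() in NOTE_NAMES:
        return NOTE_NAMES[filename.upper()], "ransom_note"
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXTENSIONS:
        return EXTENSIONS[ext], "encrypted_file"
    if NUMERIC_EXT.match(ext):
        return "Amnesia 1.1 (heuristic)", "encrypted_file"
    return None


def scan(root):
    """Walk root without modifying it; group matching paths by variant and kind."""
    hits = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                hits[hit[0]][hit[1]].append(os.path.join(dirpath, name))
    return hits


def demo():
    """Scan a constructed sample tree (empty files) and return counts per variant."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("aGk1.am", "ENCRYPTED FILES.TXT", "report.docx",
                     "x9.03", "photo.jpg.amnesia", "RECOVER-FILES.HTML"):
            open(os.path.join(root, name), "w").close()
        return {v: {k: len(p) for k, p in kinds.items()} for v, kinds in scan(root).items()}


if __name__ == "__main__":
    print(demo())
```

Call `scan()` on a user profile or share to see which folders need the decryptor and which ransom notes can be collected as evidence.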

Amnesia 2 Ransomware – Removal

Before decrypting your files, it is important to remove the Amnesia 2 ransomware virus safely from your computer. You can do this either manually or automatically, preferably by following the removal instructions below. They are specifically designed to help you delete the malicious files of this virus from your computer without damaging the encrypted files. For maximum effectiveness, malware removal experts strongly recommend using advanced anti-malware software, which will help remove the Amnesia 2 .am variant automatically from your computer.

Manually delete Amnesia 2 from your computer

Note! Substantial notification about the Amnesia 2 threat: Manual removal of Amnesia 2 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Amnesia 2 files and objects
2. Find malicious files created by Amnesia 2 on your PC

Automatically remove Amnesia 2 by downloading an advanced anti-malware program

1. Remove Amnesia 2 with SpyHunter Anti-Malware Tool and back up your data

Amnesia Ransomware – Decryption Instructions

After having removed the Amnesia threat from your computer, you should follow these instructions to get your files back:

Step 1: Download Amnesia Decryptor by Emsisoft from this web page and save it on your computer.

Step 2: Copy the following files into a new folder:

  • decrypt_Amnesia.exe
  • One encrypted picture.
  • The original (unencrypted) variant of the encrypted picture.

In case you do not have any original variants of encrypted pictures, please, make sure to use the default Windows pictures from another Windows PC. They are usually located in:

For newer Windows (8, 8.1, 10):
For Windows 7 and earlier:

Step 3: Drag the encrypted file and the original file together onto the Amnesia decrypter, just like the GIF below demonstrates:


Step 4: After the files are dropped, you should see a pop-up similar to the following:


Press OK to continue.

Step 5: After this, the primary interface of the decryptor will show:


From there choose the folders you wish to decrypt and click on the Decrypt button.

After decryption, the files should be saved in the same location where they were initially encrypted. You also have the option to choose whether to keep or discard the encrypted version of the files.

Amnesia Ransomware – What to Do After Decryption

In case you have been attacked by Amnesia ransomware, you are a lucky individual. But bear in mind that it is never too late to implement the necessary protection precautions and learn how to safely store your data and protect it from ransomware and other malware in the future.

Vencislav Krustev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
