.Am Files Virus (Amnesia 2) Ransomware - Remove + Restore Files


This article shows how to remove the newly discovered second variant of the Amnesia ransomware virus and how to restore files encrypted by it, which have the .am file extension added to them.

The second variant of the previously detected Amnesia ransomware has been detected performing various malicious activities on users’ computers. The malware has been reported to use sophisticated encryption to render the files on infected computers unable to be opened. After doing so, the Amnesia 2 ransomware leaves the victims’ files encrypted, with the .am file extension added after their original names. In addition to this, the ransomware may drop a ransom note, which aims to extort victims into paying a hefty ransom fee to get the encrypted files decoded and working again. If your computer has been infected by the .am extension variant of Amnesia ransomware, we recommend that you read the following article to learn how to remove Amnesia 2 and how to restore .am encrypted files.

Threat Summary

Name: Amnesia 2
Type: Ransomware, Cryptovirus
Short Description: New variant of Amnesia ransomware. Encrypts the files on the infected computer and asks for a ransom to be paid in order to decrypt them and get them to work again.
Symptoms: The virus encrypts the files on the computers which it infects successfully, then drops a ransom note and leaves the files with the .am file extension after encryption is complete.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Amnesia 2 Ransomware – How Does It Infect

The primary infection file which has been detected to be associated with this variant of Amnesia ransomware virus has been reported to be the following at VirusTotal.com:

The file may be dropped by another infection, a web link or a file attachment sent to you via e-mail. Such e-mail messages often pretend to be completely legitimate and to come from reputable companies such as FedEx, DHL, PayPal, eBay and others. The messages themselves are also quite convincing, for example claiming that you have made an online purchase and must see your receipt (which is the malicious attachment), or that there is suspicious activity on your bank account and you must click on the link they have provided for more information. If you encounter such e-mails, the recommendation is to immediately check whether their content is malicious, using services such as VirusTotal or ZipeZip.

Amnesia 2 Ransomware – More Information

When the virus was first discovered back in May of 2017, its first variant had two main sub-variants.

Amnesia 1.0

The very first variant of the Amnesia ransomware used a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT, which included the following extortion message:

Vour personal ID: {UNIQUE ID}
Attention! What happened?
Vour documents, databases and other important data has been encrypted.
IF you want to restore Files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identiFier (see in the beginning of this document).
Do not attempt to remove the program or run the anti-virus tools.
attempts to self-decrypting files will result in the loss of your data.
Decoders are not compatible with other users of your data, because each user’s unique encryption key.

The variant used the .amnesia file extension, traditional for the virus, and files began to appear like the following after encryption by Amnesia 1.0:

Amnesia 1.1

The second iteration of the first variant of Amnesia ransomware had some major changes, starting with the ransom note demanding the exact sum of 0.5 BTC to purchase a decrypter for your encoded files. The ransom note had other changes as well, such as the new name RECOVER-FILES.HTML and new contents:

Your files are Encrypted!
For data recovery needs decryptor.
To buy the decryptor, you must pay the cost of 0.5 Bitcoin
[Buy Decryptor] button
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this form:

The biggest of all the changes to this virus is that it renames the file completely and adds a file extension that is a completely random number, for instance .03. Files encrypted by this version of Amnesia looked somewhat like the following:

Amnesia 2 (Newest Variant)

The latest variant of Amnesia, also detected by malware researcher Michael Gillespie, was reported to be a somewhat buggy variant. It still renames the files on infected computers, similar to the 1.1 variant of the virus; however, this time the malware adds the .am file extension to them. After encryption with this variant of Amnesia, your files will look similar to the image below:

In addition to this, the virus also leaves behind an ENCRYPTED FILES.TXT file which contains unique keys of each encrypted file.

Thankfully, all the Amnesia viruses that have been detected so far are decryptable, and you do not have to pay any form of ransom in order to decrypt them. After removing the virus, follow the instructions in the removal section below to learn how you can use the Emsisoft Decrypter to decode your encoded files without paying any ransom.
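The ransom note names and extensions listed above for each variant can be used to triage a file listing and decide which variant a machine was hit by. The following Python sketch is an added example, not part of the original article or of any vendor tool; the function names and sample paths are constructed, and treating the 1.1 "random number" extension as exactly two digits is an assumption based on the .03 example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Ransom note names from the article, mapped to the variant that drops them.
NOTE_NAMES = {
    "how to recover encrypted files.txt": "Amnesia 1.0",
    "recover-files.html": "Amnesia 1.1",
    "encrypted files.txt": "Amnesia 2",
}
# Extension indicators from the article. The two-digit pattern is an
# assumption: the article only says "random number" and gives .03.
EXT_RULES = [
    (re.compile(r"^\.amnesia$", re.I), "Amnesia 1.0"),
    (re.compile(r"^\.am$", re.I), "Amnesia 2"),
    (re.compile(r"^\.\d{2}$"), "Amnesia 1.1"),
]

def classify_path(path):
    """Return (variant, kind) for one path, or None if nothing matches."""
    p = PureWindowsPath(path)
    if p.name.lower() in NOTE_NAMES:
        return NOTE_NAMES[p.name.lower()], "note"
    for pattern, variant in EXT_RULES:
        if pattern.match(p.suffix):
            return variant, "file"
    return None

def triage(paths):
    """Count indicators per variant; note plus renamed files means 'high'."""
    notes, files = Counter(), Counter()
    for path in paths:
        hit = classify_path(path)
        if hit:
            (notes if hit[1] == "note" else files)[hit[0]] += 1
    return {
        v: {"notes": notes[v], "files": files[v],
            "confidence": "high" if notes[v] and files[v] else "low"}
        for v in set(notes) | set(files)
    }

# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\alice\Documents\ENCRYPTED FILES.TXT",
    r"C:\Users\alice\Documents\k3Jx0aQ.am",
    r"C:\Users\alice\Pictures\Zp81LmT.am",
    r"D:\archive\backup.7z.01",   # split archive: numeric suffix, benign
    r"C:\Users\alice\Documents\notes.txt",
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A numeric suffix alone (such as a split archive part) is reported with low confidence, because only the combination of a ransom note and renamed files matches the behaviour described for a variant.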

Amnesia 2 Ransomware – Removal

Before getting down to the decryption of your files, it is important to remove the Amnesia 2 ransomware virus safely from your computer. You can do this either manually or automatically, preferably by following the removal instructions below. They are specifically designed to help you delete the malicious files of this virus from your computer without damaging the encrypted files. For maximum effectiveness, malware removal experts strongly recommend using advanced anti-malware software, which will help remove the Amnesia 2 .am variant automatically from your computer.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
