The AMBA virus, notorious for encrypting the databases of websites and appending the .amba file extension to the affected files, has appeared on the radar. The crypto-virus directly attacks the directory listing (“Index Of”) of websites whose servers are not properly secured. Its ransom note is written entirely in Russian, and its variants have been reported to exist since 2013. All website publishers whose servers have been affected by the Amba ransomware are strongly advised to export the files and try to decrypt them instead of paying the requested ransom.
| Short Description | Encrypts files of websites on infected servers and asks for a ransom payment for their decryption. |
| Symptoms | The user may witness a ransom note as a text document written in Russian, named “ПРОЧТИ_МЕНЯ.txt”. |
AMBA Ransomware’s Distribution Scheme
Since Amba ransomware mostly attacks servers, it may use a different approach from the conventional mass spam campaign. For example, if the server is located in a network with other devices, the virus may use a worm component to spread across the network to those devices. In addition, the creators of Amba may post malicious URLs directly on the website as spam comments. Such links may redirect to other URLs which cause the infection via a drive-by download. Another possibility is a targeted attack with a Trojan.Downloader, which can download AMBA ransomware’s malicious files directly onto the server.
AMBA Ransomware Viewed In Depth
As soon as it is executed on a given machine, AMBA begins to encrypt files related to the web server, for example files with the following extensions:
→ .4UI .ADB .AFP .ANH .ANTMPL .AO .AP .ARTICLE .AVERY .BCF .BCP .BIZ .BLK .BOOK .BPF .BRO .BTW .CADOC .CAJ .CAL .CBF .CD2 .CDF .CDML .CDOC .CEDPRJ .CH3 .CL2ARC .CL2DOC .CL2LYT .CL2TPL .CLD .CLKB .CLKBD .CLKC .CLKD .CLT .CNDX .COMICDOC .COMICLIFE .COMPOSITIONTEMPLATE .COV .CPE .CPH .CPY .CRTR .CSD .CST .CVW .CW .CWT .DCX .DMTEMPLATE .DOT .DPD .DRMX .DRMZ .DTL .DTP .DTX .DWDOC .EDRWX .ENC .ENV .FADEIN .FAX .FCDT .FD2 .FDD .FDT .FLB .FM .FOLIO .FORM .FP3 .FR3 .FRDOC .FRF .FSD .FXM .GEM .HCR .HFD .HFT .HMK .HPD .HPT .ICAP .ICML .ICMT .IDAP .IDML .IDMS .IDPK .IFD .ILDOC .IMM .IMTX .IMX .INCD .INCT .INCX .IND .INDB .INDD .INDL .INDP .INDS .INDT .INFOPATHXML .INP .INX .ISALE .ISALETEMPLATE .ISALLIC .ISD .JTP .JTX .LAB .LBL .LLD .LMA .LPDF .LSC .LST .LTF .MAILSTATIONERY .MARS .MAX .MBBK .MCSP .MCSX .MDI .MFO .MFP .MFT .MGA .MIF
After encrypting the databases of websites, the AMBA virus adds its own “trademark” – the AMBA file extension. Files of websites encrypted by AMBA look like the following image, reported by Amigo A – malware researcher at id-ransomware.blogspot.bg:
After encrypting the files of the website hosted on the server, AMBA ransomware drops a text file to notify users that their files have been encrypted. The file is named ПРОЧТИ_МЕНЯ.txt and has the following message in it:
The ransom message translates to the following:
Remove AMBA Ransomware from Your Server
To get rid of AMBA ransomware, we strongly advise you to isolate the threat first. We have prepared a removal guide on how to boot into safe mode and, hopefully, stop any processes which belong to AMBA Ransomware. You may also want to restore your files, for which there is currently no decryptor. The instructions below will help you remove AMBA ransomware effectively from Windows servers and try to restore your files.
If you want to use the manual removal instructions, we advise you to look for the ransomware’s files in the system folders of your server. In case you cannot find them, or cannot find any registry entries associated with AMBA, we advise you to follow the automatic removal instructions, which are also recommended by experts. They include instructions on how to try alternative methods to get your files back.
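Before isolating the server and attempting restoration, an inventory of what was actually hit is useful: how many files carry the appended .amba extension, which original file types they were, and which directories hold the ПРОЧТИ_МЕНЯ.txt note. The following read-only triage scanner is an added example and is not code from the original article or from any removal tool it mentions; it relies only on the two markers the article describes (the .amba suffix and the note file name), and the sample directory tree it builds is constructed for the demonstration.

```python
# Added example (not from the original article): a read-only triage scan that
# inventories AMBA indicators under a web root. It looks only for the two
# markers the article describes: files carrying the appended .amba extension
# and the ransom note ПРОЧТИ_МЕНЯ.txt. The demo tree built below is constructed
# for illustration; the scanner itself works on any directory path.
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".amba"
RANSOM_NOTE_NAME = "ПРОЧТИ_МЕНЯ.txt"


def scan_web_root(root):
    """Walk `root` without modifying anything and return a dict with:
       encrypted     - paths ending in .amba
       original_exts - Counter of the extension left after stripping .amba
       note_dirs     - directories containing the ransom note
       untouched     - count of regular files carrying neither marker
    """
    encrypted = []
    original_exts = Counter()
    note_dirs = set()
    untouched = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                note_dirs.add(dirpath)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # "index.html.amba" -> original extension ".html"
                stem = name[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(stem)[1].lower() or "(none)"
                original_exts[ext] += 1
            else:
                untouched += 1
    return {
        "encrypted": sorted(encrypted),
        "original_exts": original_exts,
        "note_dirs": sorted(note_dirs),
        "untouched": untouched,
    }


def build_demo_tree():
    """Create a constructed sample web root mixing hit and clean files.
    Returns the root path; the caller may delete it when done."""
    root = tempfile.mkdtemp(prefix="amba_demo_")
    placeholder_note = b"(constructed placeholder; real note text not reproduced)"
    layout = {
        "index.html.amba": b"\x00encrypted\x00",
        "db/site.sql.amba": b"\x00encrypted\x00",
        "db/" + RANSOM_NOTE_NAME: placeholder_note,
        RANSOM_NOTE_NAME: placeholder_note,
        "img/logo.png": b"\x89PNG",
        "docs/readme.amba": b"\x00encrypted\x00",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def summarize(report):
    """Operator-facing summary of a scan report."""
    lines = [
        f"encrypted files: {len(report['encrypted'])}",
        f"directories with ransom note: {len(report['note_dirs'])}",
        f"untouched files: {report['untouched']}",
    ]
    for ext, count in report["original_exts"].most_common():
        lines.append(f"  original type {ext}: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print(summarize(scan_web_root(demo_root)))
```

Run it against the real web root (for example `scan_web_root("/var/www")`) from a clean system with the volume mounted read-only, and keep the report alongside the exported files: the count of original file types tells you which backups to restore first, and the note locations show how far the encryption reached into the tree.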