.amnesia Files Virus (Scarab Ransomware) – Remove and Restore Data


This article provides detailed removal instructions for the latest variant of Scarab ransomware, dubbed the .amnesia files virus. Several file restore methods can be found as well.

A new version of Scarab ransomware has been released in active attack campaigns. It encrypts target files with a strong cipher algorithm and then marks them with the specific extension .amnesia. Apparently, the name of the latest Scarab version derives from the extension it appends to corrupted files. Another trait of the .amnesia crypto virus is the ransom note file HOW TO RECOVER ENCRYPTED FILES.TXT that it drops on the desktop. Keep reading to find out how to remove the ransomware and restore encrypted .amnesia files without paying the ransom.

Threat Summary

Name: .amnesia Files Virus
Type: Ransomware, Cryptovirus
Short Description: Encrypts valuable files stored on the compromised computer and then blackmails victims to pay a ransom in order to get them back.
Symptoms: Encrypted files have the extension .amnesia appended to them. The ransom note is dropped in a file named HOW TO RECOVER ENCRYPTED FILES.TXT
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.amnesia Files Virus – Methods of Distribution

The file that triggers the .amnesia files virus infection can be spread through various techniques. Some of the most common are email spam messages, malicious email attachments, malicious URLs, infected software setups and fake updates.

To trick you into infecting yourself with the ransomware, hackers could send you an email with a spoofed email address and sender name. So you should act wisely even when you receive emails that claim to come from representatives of well-known companies or institutions, especially if the emails carry file attachments described as important documents that need to be reviewed as soon as possible. If you make the mistake of opening the malicious file, you automatically grant .amnesia ransomware access to your system.

Emails of the same kind could also present suspicious URLs in their body. Once you click the link, it lands you on a corrupted web page that is set to download the ransomware payload directly onto your system.

.amnesia Files Virus – Impact

At first, the .amnesia crypto virus needs to establish all of its infection files on the system. For this purpose it could spawn many processes, create several malicious files and modify system settings.

There are several essential system folders that ransomware often uses to store its malicious files. The .amnesia crypto virus is no exception: as analyses of its samples reveal, it creates and drops malicious files in the following folders:

  • %AppData%
  • %Roaming%
  • %Temp%
  • %Common%
  • %{User’s Profile}%

However, the files associated with the infection are not that easy to identify, as it could use the names of legitimate system files and processes. That’s why it is advisable to use an advanced anti-malware tool during the removal process. Such a program could analyze the code of all files stored on the system and detect the ones that have malicious traits.

Before the encryption process, this new iteration of Scarab ransomware modifies the Windows Registry’s auto-execute entries to ensure its persistent presence on the infected host. By creating malicious values under specific registry sub-keys, .amnesia ransomware is able to run its malicious files on each Windows start. The targeted registry keys are usually Run and RunOnce, as they manage the automatic execution of processes when the system loads.
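A triage sketch for the persistence check described above, added here as an example and not taken from the original article or any vendor tool: it parses the text output of `reg query` for the Run and RunOnce keys and lists autostart entries whose program sits in the user-writable folders named earlier. The sample output, the marker list and the function names are constructed assumptions; legitimate software also autostarts from AppData, so hits are candidates for review only.

```python
import re

# Path markers for the user-writable drop folders the article lists
# (AppData/Roaming, Temp, user profile). Substring matching is an assumption.
SUSPECT_MARKERS = ("\\appdata\\", "%appdata%", "%localappdata%",
                   "\\temp\\", "%temp%", "\\users\\", "%userprofile%")

# A value line in `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|vbs|js))(?:\s|$)", re.I)

# Constructed sample output (not taken from a real infection).
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchost    REG_SZ    "C:\Users\alice\AppData\Roaming\svchost.exe" -s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    upd    REG_SZ    C:\Users\alice\AppData\Local\Temp\upd 1.exe /q
'''

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m["name"], m["data"]

def executable_path(data):
    """Extract the program path from an autorun command line (quoted or bare)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = EXE_RE.match(data)
    return m.group(1) if m else data.split(" ", 1)[0]

def flag_autoruns(text):
    """Return (key, name, path) for Run/RunOnce entries in user-writable folders."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if not re.search(r"\\Run(Once)?$", key, re.I):
            continue  # only the autostart keys the article names
        path = executable_path(data)
        if any(marker in path.lower() for marker in SUSPECT_MARKERS):
            hits.append((key, name, path))
    return hits
```

Feed it the saved output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and the matching RunOnce and HKLM keys.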

The final stage of the .amnesia infection is reached when the ransom message associated with the ransomware appears on the PC screen. The message could be dropped on the desktop in a file named HOW TO RECOVER ENCRYPTED FILES.TXT. It states the following:

Your personal ID
Your files, documents, photo, databases and all the rest aren’t
They are ciphered by the most reliable enciphering.
It is impossible to restore files without our help.
You will try to restore files independent you will lose files

You will be able to restore files so:
to contact us by e-mail: [email protected]
* report your ID and we will switch off any removal of files
(if don’t report your ID identifier, then each 24 hours will be
to be removed on 24 files. If report to ID-we will switch off it)
* you send your ID identifier and 2 files, up to 1 MB in size everyone.
We decipher them, as proof of a possibility of interpretation.
also you receive the instruction where and how many it is necessary to pay.
you pay and confirm payment.
after payment you receive the DECODER program. which you restore ALL YOUR FILES.

You have 72 hours on payment.
If you don’t manage to pay in 72 hours, then the price of interpretation increases twice.
The price increases twice each 72 hours.
To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours.
Address for detailed instructions e-mail: [email protected]
* If you don’t waste time for attempts to decipher, then you will be able to restore all files in 1 hour.
* If you try to decipher – you can FOREVER lose your files.
* Decoders of other users are incompatible with your data as at each user unique key of enciphering
If it is impossible to communicate through mail
* Be registered on the website http://bitmsg.me (service online of sending Bitmessage)
* Write the letter to the address BM-2cVNaCJejHJpnyLrtXYGJVfVdviHfa1jpd with the indication of your mail and the personal identifier and we will communicate.

If you have no bitcoins
* Create Bitcoin purse: https://blockchain.info
* Buy Bitcoin in the convenient way
https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard)
https://www.buybitcoinworldwide.com/ (Visa/MasterCard)
https://en.wikipedia.org/wiki/Bitcoin (the instruction for beginners)
– It doesn’t make sense to complain of us and to arrange a hysterics.
– Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.
Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.
– Just contact with us, we will stipulate conditions of interpretation of files and available payment, in a friendly situation

.amnesia Files Virus – Encryption Process

The main purpose of the .amnesia files virus is the encryption of target file types stored on the compromised device. For this purpose, it uses the strong AES cipher algorithm, which modifies the original code of each target file. Once encrypted, files receive the extension .amnesia and remain unusable until a working decryption solution is applied to them. They can also be recognized by their strange names, which are re-encoded with base64.

As a result of infection your documents, images, projects, videos, text files, databases and other files that store valuable information could be encrypted. The most common types of files encrypted by ransomware viruses are the following:


Hackers demand a ransom payment in exchange for a decryption solution for .amnesia files. The ransom amount is not specified, but it is supposedly to be transferred in Bitcoin. Keep in mind that paying it doesn’t guarantee the decryption of your files. In many cases, infected users pay the ransom and don’t receive any key or decryptor. It is advisable to try alternative methods to restore .amnesia files.

Remove .amnesia Crypto Virus and Restore Files

The step-by-step removal guide below provides both manual and automatic approaches. Beware that the removal of .amnesia Files Virus is not an easy task. It is a severe threat that plagues the whole system. For maximum efficiency, security researchers recommend using an advanced anti-malware tool.

After you complete the removal process, make sure to check the “Restore Files” step available in our guide below. But before that, back up all encrypted files to an external drive to prevent their irreversible loss.
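To support the backup step above and the file traits described in the encryption section, here is an added example (not part of the original article) that walks a folder read-only, inventories .amnesia files and ransom notes with SHA-256 hashes, and then verifies that a backup copy matches. The function names and the base64 alphabet used for the name check are assumptions.

```python
import hashlib
import os
import re

ENCRYPTED_EXT = ".amnesia"  # extension named in the article
RANSOM_NOTE = "HOW TO RECOVER ENCRYPTED FILES.TXT"  # note name from the article
# Base64-looking stem. The exact alphabet used for renaming is an assumption.
B64_STEM = re.compile(r"^[A-Za-z0-9+=_-]{8,}$")

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """Walk root without modifying it; list encrypted files and ransom notes."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.upper() == RANSOM_NOTE:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_EXT):
                stem = name[:-len(ENCRYPTED_EXT)]
                encrypted.append({
                    "path": full, "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                    "base64_like_name": bool(B64_STEM.match(stem)),
                })
    encrypted.sort(key=lambda e: e["path"])
    return {"encrypted": encrypted, "notes": sorted(notes)}

def verify_backup(manifest, src_root, dst_root):
    """Return source paths whose backup copy is missing or has a different hash."""
    bad = []
    for entry in manifest["encrypted"]:
        copy = os.path.join(dst_root, os.path.relpath(entry["path"], src_root))
        if not os.path.isfile(copy) or sha256_of(copy) != entry["sha256"]:
            bad.append(entry["path"])
    return bad

if __name__ == "__main__":
    import sys
    report = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(len(report["encrypted"]), "encrypted files;", len(report["notes"]), "ransom notes")
```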

Gergana Ivanova

Gergana has completed a bachelor’s degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.
