Decrypt Amnesia ransomware with Emsisoft’s free decrypter
Quote: Update (June 1st, 2017): Our Lab team has updated the Amnesia decrypter to support the newer variants. If you had issues previously, head to decrypter.emsisoft.com/amnesia2 and download the latest version (1.0.0.41).

Today, Emsisoft CTO and malware researcher Fabian Wosar released a free decrypter for a new Delphi-based ransomware called “Amnesia”, which began to appear on 26th April 2017.

How the Amnesia ransomware works

The main infection vector of Amnesia appears to be via RDP (remote desktop services) brute force attacks, which allow the malware author to log into the victim’s server and execute the ransomware.

Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted. It will also copy itself into the %APPDATA% directory using the file name “guide.exe” and register itself within the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce” key to start automatically during the next boot.

Since Amnesia ransomware does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\Windows, C:\Program Files and various other folders from the encryption operation, so that boot operations and other critical processes are not impacted.

Amnesia encrypts up to the first 1 MB of files using AES-256 encryption in ECB mode. Once the files are locked this way, the malware will append the “.amnesia” extension to them.

Read the full article:

http://blog.emsisoft.com/2017/05/06/decr...decrypter/
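The post notes that Amnesia encrypts only the first 1 MB of each file and appends “.amnesia”. The following triage helper is an added example, not code from the post or from Emsisoft: it flags that head-only encryption pattern by comparing byte entropy of the first 1 MB against the remainder, so an analyst can see which files still carry untouched data past the 1 MB mark. The 7.5 bits/byte threshold and the sample file are assumptions constructed here.

```python
import math
import os
from collections import Counter

# Amnesia encrypts only the first 1 MB of each file (per the article).
AMNESIA_HEAD = 1024 * 1024
AMNESIA_EXT = ".amnesia"
HIGH_ENTROPY = 7.5  # assumed threshold, bits/byte; AES output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_amnesia(name: str, data: bytes) -> dict:
    """Describe a file against the head-only encryption pattern.

    Reports extension match plus head/tail entropies so the verdict is
    explainable. A low-entropy tail means the bytes beyond 1 MB were never
    touched and may still be readable directly from the file.
    """
    head, tail = data[:AMNESIA_HEAD], data[AMNESIA_HEAD:]
    head_h, tail_h = shannon_entropy(head), shannon_entropy(tail)
    return {
        "ext_match": name.lower().endswith(AMNESIA_EXT),
        "head_entropy": round(head_h, 2),
        "tail_entropy": round(tail_h, 2),
        "head_encrypted": head_h >= HIGH_ENTROPY,
        "tail_plaintext": len(tail) > 0 and tail_h < HIGH_ENTROPY,
    }


def is_amnesia_pattern(name: str, data: bytes) -> bool:
    """True when the extension matches and the first 1 MB looks encrypted."""
    r = triage_amnesia(name, data)
    return r["ext_match"] and r["head_encrypted"]


# Constructed sample (not real Amnesia output): ~1.9 MB of repetitive text whose
# first 1 MB is swapped for random bytes to stand in for the AES-encrypted head.
PLAINTEXT = b"Quarterly report, confidential draft.\n" * 50000
ENCRYPTED_SAMPLE = os.urandom(AMNESIA_HEAD) + PLAINTEXT[AMNESIA_HEAD:]

if __name__ == "__main__":
    print(triage_amnesia("report.docx.amnesia", ENCRYPTED_SAMPLE))
    print(triage_amnesia("report.docx", PLAINTEXT))
```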

