Amnesia
Description
Amnesia ransomware was first identified in May 2017, particularly affecting enterprise cloud environments. It does not appear to operate as Ransomware-as-a-Service (RaaS), and there is no public indication of a provider-led affiliate structure. The extortion model is single-stage—primarily file encryption without documented data theft or leak threats. It targets specific file types and resets their modified timestamps. Encrypted files may receive suffixes such as .amnesia, .@decrypt2017, .[Help244@Ya.RU].LOCKED, .CTB-Locker, and several others. Common ransom notes include files named HOW TO RECOVER ENCRYPTED FILES.TXT or RECOVER-FILES.HTML, typically placed in every folder. Executable names associated with its delivery include variants like guide.exe, update.exe, Happier.exe, bstarb.exe, among others. The encryption algorithm is AES-256, implemented in Delphi, and victims are instructed to contact the attackers via email addresses (e.g., decrypt@india.com). No high-profile incidents or geographic patterns have been publicly attributed to Amnesia.
External Analysis |
https://elastio.com/amnesia/ |
https://elastio.com/detectable-ransomware/amnesia-2/ |
https://www.sonicwall.com/blog/amnesia-ransomware-continues-high-payment-trend-july-21-2017 |
https://www.emsisoft.com/en/ransomware-decryption/amnesia2/ |