Amnesia

Description

Amnesia ransomware was first identified in May 2017, particularly affecting enterprise cloud environments. It does not appear to operate as Ransomware-as-a-Service (RaaS), and there is no public indication of a provider-led affiliate structure. The extortion model is single-stage—primarily file encryption without documented data theft or leak threats. It targets specific file types and resets their modified timestamps. Encrypted files may receive suffixes such as .amnesia, .@decrypt2017, .[Help244@Ya.RU].LOCKED, .CTB-Locker, and several others. Common ransom notes include files named HOW TO RECOVER ENCRYPTED FILES.TXT or RECOVER-FILES.HTML, typically placed in every folder. Executable names associated with its delivery include variants like guide.exe, update.exe, Happier.exe, bstarb.exe, among others. The encryption algorithm is AES-256, implemented in Delphi, and victims are instructed to contact the attackers via email addresses (e.g., decrypt@india.com). No high-profile incidents or geographic patterns have been publicly attributed to Amnesia.
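As an added defender-side example (not part of the original entry), the following Python walks a directory tree and flags files that carry the encrypted-file suffixes or ransom-note filenames listed above; the sample tree, its filenames and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the description above: suffixes appended to encrypted files
# and the ransom-note filenames dropped into each folder (matched case-insensitively).
AMNESIA_SUFFIXES = (".amnesia", ".@decrypt2017", ".[help244@ya.ru].locked", ".ctb-locker")
AMNESIA_NOTE_NAMES = {"how to recover encrypted files.txt", "recover-files.html"}


def scan_for_amnesia_indicators(root):
    """Walk `root`; return {'encrypted': [paths], 'notes': [paths]} for names that
    carry a known suffix or equal a known ransom-note filename."""
    hits = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in AMNESIA_NOTE_NAMES:
                hits["notes"].append(path)
            elif lower.endswith(AMNESIA_SUFFIXES):
                hits["encrypted"].append(path)
    return hits


def build_sample_tree():
    """Create a constructed directory tree (not real victim data) for a demo run."""
    root = tempfile.mkdtemp(prefix="amnesia_demo_")
    for rel in (
        "docs/report.docx.amnesia",
        "docs/HOW TO RECOVER ENCRYPTED FILES.TXT",
        "share/budget.xlsx.[Help244@Ya.RU].LOCKED",
        "share/RECOVER-FILES.HTML",
        "share/readme.txt",  # benign file, must not be flagged
    ):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, paths in scan_for_amnesia_indicators(sample_root).items():
        print(kind, sorted(os.path.basename(p) for p in paths))
```

A hit on a ransom-note name in many folders at once is the stronger signal, since the note is placed in every folder the ransomware touched.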

External Analysis
https://elastio.com/amnesia/
https://elastio.com/detectable-ransomware/amnesia-2/
https://www.sonicwall.com/blog/amnesia-ransomware-continues-high-payment-trend-july-21-2017
https://www.emsisoft.com/en/ransomware-decryption/amnesia2/
Mail
decrypt@india.com