amnesia

[Content by Gemini 2.5]

Technical Briefing – Amnesia Ransomware (.amnesia extension)


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .amnesia (e.g., Annual_Report.xlsx → Annual_Report.xlsx.amnesia)
  • Renaming Convention: Simple append of the literal string .amnesia to the original file name; nothing is prepended and the original name, including its own extension, is left intact, so the original name is recovered by stripping the suffix. This makes encrypted files easy to enumerate on the command line (dir *.amnesia /s) or via scripts.
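
A triage script for the renaming convention above, as an added example in Python (not part of the original briefing): it enumerates every *.amnesia file under a root, recovers the original name by stripping the suffix, summarises counts per directory and the first/last modification time (which bounds the encryption window for the incident timeline), and hashes a candidate dropper the way certutil -hashfile <file> SHA256 would. The directory layout it builds in a temp folder is constructed sample data with placeholder bytes; the file and directory names in it are invented for the demonstration.

```python
import hashlib
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

EXT = ".amnesia"


def inventory(root):
    """One record per *.amnesia file under `root`: encrypted path, the
    original name recovered by stripping the suffix, size and mtime."""
    records = []
    for p in Path(root).rglob("*" + EXT):
        if not p.is_file():
            continue
        st = p.stat()
        original = p.name[:-len(EXT)] or p.name  # guard a file literally named ".amnesia"
        records.append({
            "encrypted": p,
            "original": p.with_name(original),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
        })
    return records


def summarize(records):
    """Counts per directory plus first/last modification time of the
    encrypted files, i.e. the window in which the encryptor was running."""
    times = sorted(r["mtime"] for r in records)
    return {
        "count": len(records),
        "per_dir": Counter(str(r["encrypted"].parent) for r in records),
        "first": times[0] if times else None,
        "last": times[-1] if times else None,
    }


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks; equivalent of
    `certutil -hashfile <file> SHA256` (certutil defaults to SHA-1)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_sample_tree():
    """Constructed directory layout in a temp dir (placeholder bytes only,
    no real malware or data); returns its root."""
    root = Path(tempfile.mkdtemp(prefix="amnesia_demo_"))
    (root / "Finance").mkdir()
    (root / "HR").mkdir()
    (root / "Windows" / "Temp").mkdir(parents=True)
    (root / "Finance" / "Annual_Report.xlsx.amnesia").write_bytes(b"\x00" * 64)
    (root / "Finance" / "Q1_Invoices.pdf.amnesia").write_bytes(b"\x00" * 32)
    (root / "HR" / "Contracts.docx.amnesia").write_bytes(b"\x00" * 16)
    (root / "HR" / "RECOVER_INFO.txt").write_text("AMNESIA ransom note placeholder\n")
    (root / "Finance" / "unrelated.txt").write_text("not encrypted\n")
    # stand-in for a dropped random-named executable; its content is just "abc"
    (root / "Windows" / "Temp" / "z8dnu1sx.exe").write_bytes(b"abc")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    recs = inventory(root)
    for r in recs:
        print(r["encrypted"].relative_to(root), "->", r["original"].name, r["size"], "bytes")
    print(summarize(recs))
    print("dropper sha256:", sha256_file(root / "Windows" / "Temp" / "z8dnu1sx.exe"))
```

Run it against the real root of an affected host or share (point `inventory` at a drive letter or UNC path) and keep the output with the case notes; the first/last timestamps tell you which backup generation predates the encryption.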

2. Detection & Outbreak Timeline

  • First Public Sightings: March 2017. The timing coincides with the public posting of the Dharma master decryption keys (Dharma being a descendant of Crysis), after which several RDP-delivered families, Amnesia among them, filled the gap; a direct hand-over from Dharma operators to Amnesia is not established.
  • Active Campaigns: The main waves ran through 2017–2018 and tapered off by mid-2019, once most keys had been recovered and free decryptors were available; occasional sightings have continued since (including reported RDP brute-force campaigns in late 2022), but at low volume.
  • Current Status: Declining; seen mostly on neglected Internet-exposed RDP hosts and on honeypots rather than in high-volume spam.

3. Primary Attack Vectors

| Vector | Details & Example Payloads |
|---|---|
| RDP Brute-Force | Scans public 3389/TCP and guesses passwords; after a successful logon the operator copies the encryptor over the RDP session and runs it by hand (typical for hands-on RDP intrusions). Hunting: bursts of Event ID 4625 with LogonType 10 from one source IP, followed by a 4624 from the same IP; on the network side, many short connections to 3389 from a single source. |
| Exploit Kits | RIG-v exploit kit (served via malvertising on warez/streaming sites) in Q1–Q2 2017; chain: landing page → Flash/IE exploit → Amnesia dropper. |
| Weaponised Office Documents | Macros in .xlsm attachments (e.g., “invoice-4532.xlsm”) that spawn powershell -WindowStyle Hidden -enc <base64> to fetch and run the Amnesia payload. The encoded string UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== decodes (base64 over UTF-16LE) to nothing more than Start-Sleep -s 10; it is a harmless placeholder for the real stage-two command, not an IOC. |
| SMBv1 | Reported to move laterally over EternalBlue (MS17-010) with the DoublePulsar implant where the patch is missing, but this is secondary; RDP remains the main entry. |
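
Two checks for the first and third rows of the table, as an added example in Python (not part of the original briefing): decoding a powershell -enc argument, and a brute-force-then-foothold rule over Security-log logon events. The event records are constructed sample data whose field names follow the usual SIEM extraction of 4625/4624 (EventID, LogonType, IpAddress, TargetUserName); the threshold of five failures in ten minutes is an assumed tuning value, and the IP addresses are from documentation ranges.

```python
import base64
from collections import defaultdict
from datetime import datetime, timedelta


def decode_encoded_command(blob: str) -> str:
    """Decode the argument of powershell -EncodedCommand / -enc.

    PowerShell takes base64 of the UTF-16LE script text, so a plain base64
    decode shows a NUL after every character; decoding as UTF-16LE gives
    the script back."""
    return base64.b64decode(blob).decode("utf-16-le")


# The encoded string from the weaponised-document row above.
MACRO_ENC = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed Security-log records (sample data, not real telemetry).
# 4625 = failed logon, 4624 = successful logon; LogonType 10 is
# RemoteInteractive, i.e. RDP. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_EVENTS = [
    {"time": _ts("2017-05-02 03:10:01"), "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": _ts("2017-05-02 03:10:04"), "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"time": _ts("2017-05-02 03:10:09"), "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"time": _ts("2017-05-02 03:11:40"), "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "scanner"},
    {"time": _ts("2017-05-02 03:12:55"), "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "sqlservice"},
    {"time": _ts("2017-05-02 03:14:02"), "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    # the guess lands: an RDP success from the same source right after the burst
    {"time": _ts("2017-05-02 03:14:30"), "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    # an employee mistyping a password twice from the VPN range: below threshold
    {"time": _ts("2017-05-02 08:01:00"), "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
    {"time": _ts("2017-05-02 08:01:20"), "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
    {"time": _ts("2017-05-02 08:01:45"), "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
    # console logons (LogonType 2) are not RDP and are ignored by the rule
    {"time": _ts("2017-05-02 08:30:00"), "EventID": 4625, "LogonType": 2, "IpAddress": "-", "TargetUserName": "svc_backup"},
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= `threshold` RDP logon failures inside any
    sliding `window`, and record whether an RDP success from the same IP
    followed the last failure (the brute-force-then-foothold pattern)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["LogonType"] == 10:
            by_ip[e["IpAddress"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["EventID"] == 4625]
        # largest number of failures that fit inside one window
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = fails[-1]["time"]
        success = next((e for e in evs if e["EventID"] == 4624 and e["time"] > last_fail), None)
        hits[ip] = {
            "failures": len(fails),
            "max_in_window": best,
            "users_tried": sorted({e["TargetUserName"] for e in fails}),
            "success_after": success is not None,
            "success_user": success["TargetUserName"] if success else None,
        }
    return hits


if __name__ == "__main__":
    print(decode_encoded_command(MACRO_ENC))
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A hit with success_after set is the one to act on first: the account named in success_user is the foothold, and the host should be isolated before the hands-on encryption step described in the table starts.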


Remediation & Recovery Strategies:

1. Prevention

  • RDP Hardening: Do not expose 3389/TCP to the Internet; reach RDP only through a VPN and a jump host. Enforce NLA (“Require user authentication for remote connections by using Network Level Authentication”), account lockout, and strong (20+ character), unique passwords.
  • Multi-factor Authentication (MFA): Require MFA (Duo, CyberArk, Microsoft Azure MFA, or similar) for every RDP session.
  • Software Updates:
    • Windows cumulative updates from March 2017 onward (MS17-010, the SMBv1 fix); this alone blocks EternalBlue-based lateral spread.
    • Adobe Flash, Office and IE security patches, which remove the exploit-kit entry points.
  • Email & Macro Controls: Set the Office GPO “VBA Macro Notification Settings” to “Disable all except digitally signed macros” and enable “Block macros from running in Office files from the Internet”; deploy Microsoft Defender or EDR inline macro scanning.
  • Least Privilege: Do not let privileged accounts (Domain Admins, local Administrators) log on via RDP; keep day-to-day users as standard users, so a brute-forced account does not hand the attacker administrative rights on the host.
  • Backups (3-2-1 Rule): Three copies, on two media, one off-site. Daily image backups kept air-gapped or immutable (tape, or object storage with write-once retention such as AWS S3 Object Lock), with restores tested.

2. Removal (Post-Infection Cleanup)

  1. Physical/Network Isolation
   • Disable the NIC (or pull the network cable) immediately to halt encryption of network shares. Prefer that over pulling power: a hard power-off loses volatile memory that may still hold key material and can leave the file system inconsistent.
   • Unmap NAS/iSCSI volumes currently attached; Amnesia enumerates mapped drives and \\?\UNC\ paths.
  2. Identify Variant
   • Hash the dropped file with certutil -hashfile <file> SHA256 (certutil defaults to SHA-1; the 40-hex-digit hash f2d0c5dfacf139f789db5ca8eef2ab064b347743 quoted for this family is a SHA-1) and check it against your threat-intel feeds before relying on it.
   • Open the ransom note (RECOVER_INFO.txt, dropped in every encrypted folder). The text mentions “AMNESIA”, which distinguishes the strain from other Dharma-style clones.
  3. Kill Processes & Services
    | Process | Typical Filename | Service Name |
    |---|---|---|
    | Amnesia Encryptor | randomly-named 8-char .exe (e.g., “z8dnu1sx.exe”) | reported to register itself via sc create amnesiasvc |
   • Boot into Safe Mode, then terminate the process with Process Explorer (procexp) or the EDR console.
   • Copy the executable to an evidence share and record its hash before deleting anything; you will need it for the variant check and for any vendor submission.
   • Then:
    sc stop amnesiasvc & sc delete amnesiasvc
    del "%SystemRoot%\Temp\*.exe"
  4. Persistence Checks
   • Registry keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – delete any value that launches the random-named executable (the value name will not necessarily contain “amnesia”).
   • Scheduled Tasks → look for a random GUID-named task that runs a random-named EXE from %APPDATA%.
  5. Complete AV/EDR Sweep – update signatures or the cloud engine (Palo Alto, SentinelOne, MS Defender); definitions dated 2017-11-11 or later contain full Amnesia signatures.

3. File Decryption & Recovery

  • Recovery Feasibility: MOST SYSTEMS – YES.
    Emsisoft released a free decryptor for Amnesia in 2017 (with a separate decryptor for the Amnesia2 variant); a Kaspersky decryptor is also reported to handle some samples.
  • Steps:
  1. Confirm the strain: .amnesia extension plus the “AMNESIA” ransom note. Whether a particular sample is recoverable is decided by the decryptor itself, which works from the encrypted files and reports failure when it cannot derive the key; do not rely on the presence or absence of an ID in the note.
  2. Free Decryptors
    • Emsisoft Decrypter for Amnesia (Windows: emsisoft_decryptor_amnesia.exe) – v1.0.0.12 (updated 10 Oct 2023).
    • Kaspersky RakhniDecryptor (v2.11) is also reported to work (listing dated 2023-07-26).
  3. Usage: the Emsisoft decryptors are GUI tools, not command-line utilities. Run the decryptor as an administrator on the affected host after the encryptor has been stopped, accept the licence, add the drives or folders to process (for a file server, the local or mapped share paths), and start decryption. Try a copy of a few files first, and keep the encrypted originals until the decrypted output has been verified.
  4. If the decryptor reports that it cannot recover the key for your sample, submit the ransom note plus one encrypted file (and its unencrypted original, if one exists) to Emsisoft support. Keys beyond those already recovered may never become available, so plan on restoring from recent backups.
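
A verification pass for step 3 above, as an added example in Python (not part of the original briefing or of the Emsisoft tool): before the encrypted originals are deleted, every file the decryptor wrote is checked against the file signature its extension implies, so a run that silently produced garbage is caught. The signature table covers common document types; the post-decryption directory it builds is constructed sample data with placeholder bytes, and the file names in it are invented.

```python
import tempfile
from pathlib import Path

EXT = ".amnesia"

# File signatures ("magic bytes") for the document types most often hit.
# Office 2007+ formats are ZIP containers, hence the PK header; legacy
# .doc/.xls are OLE compound files.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}


def check_decrypted(path):
    """'ok' if the header matches the extension's signature, 'mismatch' if the
    type is known but the header is wrong (decryption did not work),
    'unknown' if there is no signature for this extension (inspect by hand)."""
    p = Path(path)
    sig = MAGIC.get(p.suffix.lower())
    if sig is None:
        return "unknown"
    with open(p, "rb") as f:
        head = f.read(len(sig))
    return "ok" if head == sig else "mismatch"


def verify_tree(root):
    """For every file still carrying the .amnesia suffix, look for the
    decrypted sibling the decryptor should have written and classify it.
    Returns {relative decrypted path: status}, status 'missing' when the
    decryptor skipped the file."""
    root = Path(root)
    results = {}
    for enc in root.rglob("*" + EXT):
        dec = enc.with_name(enc.name[:-len(EXT)])
        rel = str(dec.relative_to(root))
        results[rel] = check_decrypted(dec) if dec.exists() else "missing"
    return results


def build_sample_output():
    """Constructed post-decryption directory (placeholder bytes, no real data)."""
    root = Path(tempfile.mkdtemp(prefix="amnesia_verify_"))
    pairs = {
        "report.xlsx": b"PK\x03\x04" + b"\x00" * 60,         # decrypted correctly
        "scan.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",          # decrypted correctly
        "photo.jpg": b"\x7f\x13\xa0\x55" + b"\x00" * 60,       # still looks like ciphertext
        "notes.txt": b"plain text has no signature\n",         # no signature to check
    }
    for name, data in pairs.items():
        (root / name).write_bytes(data)
        (root / (name + EXT)).write_bytes(b"\x00" * len(data))
    (root / ("memo.docx" + EXT)).write_bytes(b"\x00" * 8)      # decryptor skipped it
    return root


if __name__ == "__main__":
    for rel, status in sorted(verify_tree(build_sample_output()).items()):
        print(f"{status:9s} {rel}")
```

Anything reported as mismatch or missing goes back to the decryptor (or to Emsisoft support with the note and sample, as in step 4); only once the pass comes back clean should the .amnesia copies be removed.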

4. Other Critical Information

  • Unique Characteristics
  • Reported to use hybrid encryption (a per-file AES-256 key wrapped with RSA-2048), with the key material kept in a small header (first 0x200 bytes) of each encrypted file.
  • Deletes local shadow copies via vssadmin delete shadows /all /quiet. This affects only VSS snapshots on the Windows host itself; snapshots on a NAS or Samba server are untouched, although files on a mapped share are still encrypted.
  • Skips files under %ProgramData%\Microsoft\ and the Windows directory, the usual exclusion that keeps the host bootable so the victim can read the note and pay.
  • Comparisons
  • Unlike Petya/NotPetya it does NOT touch the MBR, so the host can be booted into Safe Mode and the decryptor run in place.
  • Unlike Ryuk, the target is predominantly small and medium businesses reached via cheap RDP brute force, not the hands-on big-game-hunting intrusions associated with Ryuk.
  • Broader Impact
  • Over 150k alleged infections across 12 countries, 2017–2019; total ransom claims USD 4–7 M, with demands ranging from 0.15 to 1.5 BTC.
  • Healthcare clinics and small legal offices made up the largest share (>40 %).
  • One large automotive supplier had its file server encrypted through a mapped drive on an infected workstation despite AV on the endpoint: the encryptor runs on the client, so the server’s own AV never sees it. UNC path hardening (HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths, the key behind the “Hardened UNC Paths” policy) enforces SMB signing and mutual authentication for the listed paths but does not stop an authenticated client from writing to a share it already has access to; the controls that do are least-privilege share and NTFS permissions, removing standing write access from day-to-day accounts, and server-side snapshots the client cannot delete.

Quick Reference Card for Admins

  • RDP open? Close 3389 to the Internet (VPN + jump host only), enforce NLA & MFA – now.
  • Backups image nightly, test restore monthly.
  • Decryptor Emsisoft: https://www.emsisoft.com/ransomware-decryption-tools/amnesia
  • IOC sample: SHA256 a2ffcaca25a4c6170e4c1ddc1d9f0b6c14c7b7c774b9ec90c7ce0eab3a591562

For any case still locked after running the decryptor, open a ticket with Emsisoft support (contact details are on the decryptor page linked above), attaching RECOVER_INFO.txt and one .amnesia file under 1 MB.