On Saturday, Emsisoft’s CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released called CryptoBoss. This family of ransomware was named Amnesia based on the extension appended to encrypted files by the first variant.
The current list of known extensions used by Amnesia and that can be decrypted are:
.01 .02 .@decrypt_2017 .amnesia .CRYPTOBOSS .[email@example.com].SON .[Help244@Ya.RU].LOCKED
If you are infected with Amnesia, you will find ransom notes in every folder that a file was encrypted named HOW TO RECOVER ENCRYPTED FILES.TXT. You can see an image of this ransom note below.
For those who have been infected by the Amnesia Ransomware and have files that are encrypted, you can use the guide below to decrypt the files for free. If you need help decrypting your files, feel free to ask in the Amnesia Ransomware Help Topic.
How to Decrypt the Amnesia Ransomware
Victims of the Amnesia ransomware can be identified by their files being encrypted and renamed to the format of [filename].amnesia. For example, a variant would have a file named test.jpg renamed and encrypted as test.jpg.amnesia. An example of a folder of encrypted files can be seen below.
To decrypt files encrypted by the Amnesia ransomware, you need to first download the Amnesia Decryptor below.
In order to decrypt your files, you need to drag an encrypted file and unencrypted version of the same file onto the decrypt_Amnesia.exe icon at the same time. So you would select both the encrypted and unencrypted version of a file and drag them both onto the executable. When trying to find a pair of files to use with the decryptor, you can use the sample pictures found in the C:UsersPublicPicturesSample Pictures folder. Just look at the file sizes and pick an unencrypted sample picture and an encrypted sample picture…