Barkly vs Malware
Barkly Research
May 2017

New Amnesia Ransomware Variant Adds [].SON Extension to Files


Files encrypted by the new .SON variant of Amnesia ransomware

A new variant of Amnesia ransomware has been spotted, but the good news is companies can stop attacks before files get encrypted (and decrypt encrypted files for free).

On Friday, May 5, Barkly came across a previously unseen variant of Amnesia ransomware circulating through an organization where multiple unsuspecting users were attempting to execute it (multiple times).

Since the ransomware had gotten past not one but two up-to-date antivirus tools the organization was using, we decided to take a closer look and determine what set this new variant apart from the original Amnesia, which Emsisoft malware researcher Fabian Wosar just released a free decrypter for.

Here's what we found.

.SON Ransomware Overview

MD5 hash: cf41961a1d3938368445e1d0d77c46c3

Amnesia first caught researchers' attention in late April 2017.

However, while the original version changes encrypted file extensions to .amnesia, the new variant we spotted encrypts the entire file name and adds the extension [].SON.

Ex: 30000000001wPoDDMR72me28tWJzWUuu.[].SON

The ransom note also differs slightly from the original Amnesia ransom note, and bears strong similarities to the note dropped by Dharma ransomware, copying large sections verbatim.

Amnesia ransom note (.SON version)

All your files have been encrypted!

Your personal identifier
[redacted]

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: byd@india.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. If you can't contact us by You can write to us on this mail: berwinwaylt@protonmail.ch

Free decryption as guarantee
Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 10Mb.

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. Also you can find other places to buy Bitcoins and beginners guide here::

Attention!
Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decoders of other users are incompatible with your data, as each user has a unique encryption key

Dharma ransom note (for comparison)


It appears the attackers behind Amnesia are also taking a page out of the Dharma and Crysis ransomware playbook by infecting victims via insecure remote desktop (RDP) ports — a growing trend that's taken a particularly heavy toll on healthcare providers.

(If you haven't taken steps to secure remote desktop, we strongly encourage you to hit pause here and read this post.)

How This .SON Variant of Amnesia Ransomware Works

When the attack starts, one of the first things the ransomware does is check virtual memory. By not running on machines with low memory, it tries to evade sandbox detection.

Once it determines the coast is clear it hides a copy of itself in a temp directory using the file name svchost32.exe (C:\Users\<USER>\AppData\Roaming\svchost32.exe), then launches a bat file that deletes itself.

To make recovery more difficult for victims, it deletes shadow volume copies. To gain persistence, it registers itself within the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce key to automatically start back up after reboot.


True to form with other samples of Amnesia, the .SON variant does not target specific file types for encryption. That means it encrypts nearly every file on an infected machine. The exceptions are C:\Windows, C:\Program Files, and various other folders, which the ransomware leaves alone to keep the machine operating.

Filenames are encrypted so that they appear as long strings of characters, and extensions are replaced with [].SON. If this variant follows the Dharma ransomware pattern, the email address in the file extension may change in future editions.

Once files are encrypted, the ransomware drops a ransom note file titled HOW TO RECOVER ENCRYPTED FILES.TXT and replaces the victim's desktop with the background image below:


The ransom note directs the victim to email the attacker to get further instructions as well as to negotiate the ransom price (according to the note, "the price depends on how fast you write to us").

The emails provided in the note are:


In an attempt to appear trustworthy, the attackers offer to decrypt "up to 3 files free for decryption," though those files cannot contain "valuable" information and their total size has to be less than 10MB. They also attempt to dissuade victims from using decrypters, but unfortunately for them, Emsisoft's free Amnesia decrypter does work on this variant, too.
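
The behaviors described in this section can be correlated per host, since most of them (a RunOnce write, for example) are too common to alert on alone. The sketch below is an added example, not Barkly's or Emsisoft's code; the event kinds, host names and sample events are constructed, and the vssadmin pattern is an assumption because this post does not say how the shadow copies are deleted.

```python
import re
from collections import defaultdict

KNOWN_MD5 = "cf41961a1d3938368445e1d0d77c46c3"  # sample hash given in this post

# (event kind, pattern) per behavior described above; each is weak on its own.
RULES = {
    "dropped_copy": ("file_create", re.compile(r"\\AppData\\Roaming\\svchost32\.exe$", re.I)),
    "runonce_persist": ("reg_set", re.compile(r"\\CurrentVersion\\RunOnce(\\|$)", re.I)),
    # Assumption: the post does not name the command; vssadmin is one common way.
    "shadow_delete": ("process", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    "ransom_note": ("file_create", re.compile(r"\\HOW TO RECOVER ENCRYPTED FILES\.TXT$", re.I)),
    "son_rename": ("file_rename", re.compile(r"\.\[[^\]\\]*\]\.SON$", re.I)),
}

# Constructed telemetry for illustration: (host, event kind, detail). Not real logs.
SAMPLE_EVENTS = [
    ("WS-014", "file_create", r"C:\Users\alice\AppData\Roaming\svchost32.exe"),
    ("WS-014", "reg_set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("WS-014", "process", r"vssadmin.exe delete shadows /all /quiet"),
    ("WS-014", "file_create", r"C:\Users\alice\Documents\HOW TO RECOVER ENCRYPTED FILES.TXT"),
    ("WS-014", "file_rename", r"C:\Users\alice\Documents\30000000001wPoDDMR72me28tWJzWUuu.[].SON"),
    # A lone RunOnce write (installers do this) must not alert by itself.
    ("WS-022", "reg_set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("WS-022", "process", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # A hash match is strong enough to alert alone.
    ("WS-031", "image_md5", "CF41961A1D3938368445E1D0D77C46C3"),
]

def triage(events, threshold=3):
    """Return {host: [indicator names]} for hosts that warrant an alert."""
    hits = defaultdict(set)
    for host, kind, detail in events:
        if kind == "image_md5" and detail.lower() == KNOWN_MD5:
            hits[host].add("known_hash")
        for name, (rule_kind, pattern) in RULES.items():
            if kind == rule_kind and pattern.search(detail):
                hits[host].add(name)
    return {
        host: sorted(names)
        for host, names in hits.items()
        if "known_hash" in names or len(names) >= threshold
    }

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```

Because new variants will carry a different hash, the behavioral rules matter more than the MD5 check.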

Using the Amnesia Ransomware Decrypter

Emsisoft's decryption tool provides victims who have had their files encrypted by the .SON variant of Amnesia a much-appreciated out. That said, the complete decryption and cleanup process has the potential to be an extremely time-consuming and complicated task.

The decrypter works by brute forcing the decryption key, which can take several hours to do. Once the key is found, you can choose which files and folders you would like to decrypt and the process will begin.


The Emsisoft Amnesia ransomware decrypter in action

Note: Decrypted files will still have encrypted file names, and the file extensions need to be manually restored to the correct original, as well. Depending on how extensive the attack was and how many files were encrypted, this process may be prohibitive without additional help.
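
One way to cut down the manual renaming described in the note above is to identify each decrypted file's type from its leading bytes and propose an extension. This is an added example, not part of the Emsisoft tool; the function names are hypothetical, the signature table is a small subset, and it assumes the decrypted files still end in the .[...].SON suffix.

```python
import re
import zipfile
from pathlib import Path

# Leading-byte signatures -> extension (illustrative subset, extend as needed).
SIGNATURES = [
    (b"%PDF-", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF8", ".gif"),
    (b"PK\x03\x04", ".zip"),
]
# ZIP-based Office formats are told apart by their top-level folder.
OOXML_DIRS = {"word/": ".docx", "xl/": ".xlsx", "ppt/": ".pptx"}
# Assumption: decrypted output still ends in ".[...].SON"; adjust if yours differs.
SON_SUFFIX = re.compile(r"\.\[[^\]]*\]\.SON$", re.I)

def refine_zip(path):
    """Distinguish Office documents from plain ZIP archives."""
    try:
        with zipfile.ZipFile(path) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return ".zip"
    for folder, ext in OOXML_DIRS.items():
        if any(name.startswith(folder) for name in names):
            return ext
    return ".zip"

def guess_extension(path):
    """Return a likely extension for the file at path, or None if unrecognised."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return refine_zip(path) if ext == ".zip" else ext
    return None

def plan_renames(folder):
    """Map each file name to a proposed new name (None = needs manual review).
    Nothing on disk is changed; apply the plan only after checking it."""
    plan = {}
    for path in sorted(Path(folder).iterdir()):
        if path.is_file():
            ext = guess_extension(path)
            stem = SON_SUFFIX.sub("", path.name)
            plan[path.name] = stem + ext if ext else None
    return plan
```

The encrypted name stem is kept, so the plan restores a usable extension but not the original file name.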

Proactively Blocking .SON and Any Other Amnesia Ransomware Variant Before Files Are Encrypted

Barkly utilizes runtime malware defense (RMD) to stop Amnesia ransomware infections before files are encrypted or any other damage is done (see it in action in the video below). By monitoring activity across multiple layers of the system in real time, Barkly can see when malware like Amnesia is attempting to gain execution by suspicious means and stop it before it does.

Why blocking malware during runtime matters

By detecting and blocking malicious behaviors in real-time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.

That gives organizations crucial protection they're currently missing — another opportunity to block an attack even after a user has mistakenly opened an infected document, visited a malicious website, etc., and even after it's bypassed their AV.

Learn more about how RMD works here.
