A new variant of Amnesia ransomware has been spotted, but the good news is companies can stop attacks before files get encrypted (and decrypt encrypted files for free).
On Friday, May 5, Barkly came across a previously unseen variant of Amnesia ransomware circulating through an organization where multiple unsuspecting users were attempting to execute it (multiple times).
Since the ransomware had gotten past not one but two up-to-date antivirus tools the organization was using, we decided to take a closer look and determine what set this new variant apart from the original Amnesia, which Emsisoft malware researcher Fabian Wosar just released a free decrypter for.
Here's what we found.
MD5 hash: cf41961a1d3938368445e1d0d77c46c3
Amnesia first caught researchers' attention in late April 2017.
Continuing the trend of new delphi ransomware. Amnesia ransomware uses .amnesia and HOW TO RECOVER ENCRYPTED FILES.TXTNot Globe ransomware. pic.twitter.com/18PbFeAl2V— xXToffeeXx (@PolarToffee) May 1, 2017
However, while the original version changes encrypted file extensions to .amnesia, the new variant we spotted encrypts the entire file name and adds the extension [firstname.lastname@example.org].SON.
The ransom note also differs slightly from the original Amnesia ransom note, and bears strong similarities to the note dropped by Dharma ransomware, copying large sections verbatim.
==================================================================================================== All your files have been encrypted!Your personal identifier[redacted]All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: email@example.comYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. If you can't contact us by mail:firstname.lastname@example.org You can write to us on this mail: email@example.comFree decryption as guaranteeBefore paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 10Mb. How to obtain BitcoinsThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here:: http://www.coindesk.com/information/how-can-i-buy-bitcoins Attention!Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decoders of other users are incompatible with your data, as each user has a unique encryption key ====================================================================================================
It appears the attackers behind Amnesia are also taking a page out of the Dharma and Crysis ransomware playbook by infecting victims via insecure remote desktop (RDP) ports — a growing trend that's taken a particularly heavy toll on healthcare providers.
(if you haven't taken steps to secure remote desktop we strongly encourage you to hit pause here and read this post)
When the attack starts, one of the first things the ransomware does is check virtual memory to make sure it can evade sandbox detection by not running on machines with low memory.
Once it determines the coast is clear it hides a copy of itself in a temp directory using the file name svchost32.exe (C:\Users\<USER>\AppData\Roaming\svchost32.exe), then launches a bat file that deletes itself.
To make recovery more difficult for victims, it deletes shadow volume copies. To gain persistence, it registers itself within the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce key to automatically start back up after reboot.
True to form with other samples of Amnesia, the .SON variant does not target specific file types for encryption. That means it encrypts nearly every file on an infected machine. The exceptions are C:\Windows, C:\Program Files, and various other folders, which the ransomware leaves alone to keep the machine operating.
Filenames are encrypted so that they appear as long strings of characters, and extensions are replaced with [firstname.lastname@example.org].SON. If this variant follows the Dharma ransomware pattern, the email address in the file extension may change in future editions.
Once files are encrypted, the ransomware drops a ransom note file titled HOW TO RECOVER ENCRYPTED FILES.TXT and replaces the victim's desktop with the background image below:
The ransom note directs the victim to email the attacker to get further instructions as well as to negotiate the ransom price (according to the note, "the price depends on how fast you write to us").
The emails provided in the note are:
In an attempt to appear trustworthy, the attackers offer to decrypt "up to 3 files free for decryption," though those files cannot contain "valuable" information and their total size has to be less than 10MB. They also attempt to dissuade victims from using decrypters, but unfortunately for them, Emsisoft's free Amnesia decrypter does work on this variant, too.
Emisisoft's decryption tool provides victims who have had their files encrypted by the .SON variant of Amnesia a much-appreciated out. That said, the complete decryption and clean up process has the potential to be an extremely time-consuming and complicated task.
The decrypter works by brute forcing the decryption key, which can take several hours to do. Once the key is found, you can choose which files and folders you would like to decrypt and the process will begin.
The Emsisoft Amnesia ransomware decrypter in action
Note: Decrypted files will still have encrypted file names, and the file extensions need to be manually restored to the correct original, as well. Depending on how extensive the attack was and how many files were encrypted, this process may be prohibitive without additional help.
Barkly utilizes runtime malware defense (RMD) to stop Amnesia ransomware infections before files are encrypted or any other damage is done (see it in action in the video below). By monitoring activity across mulitple layers of the system in real-time, Barkly can see when malware like Amnesia is attempting to gain execution by suspicious means and stop it before it does.
By detecting and blocking malicious behaviors in real-time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.
That gives organizations crucial protection they're currently missing — another opportunity to block an attack even after a user has mistakenly opened an infected document, visited an malicious website, etc., and even after it's bypassed their AV.
Get the latest security news, tips, and trends straight to your inbox.
Get the latest security news, tips, and trends stright to your inbox.