How to protect your servers against Amnesia malware attacks
Are you seeing files with any of these extensions on your server: .01, .02, .amnesia, .[Help244@Ya.RU].LOCKED, .CRYPTOBOSS, .[email@example.com].SON and .@decrypt_2017? If so, your server has been hijacked.
One of the major ransomware families circulating now is the Amnesia malware. Once a server is infected, it locks up all of the server's files and encrypts them in such a way that you can no longer use them.
The attackers then demand a ransom to decrypt your data. The infected server displays the message:
YOUR FILES ARE ENCRYPTED! Your personal ID: [*************] Attention! What happened? Your documents, databases and other important data has been encrypted. If you want to restore files send an email to: firstname.lastname@example.org In a letter to indicate your personal identifier (see in the beginning of this document). Attention! * Do not attempt to remove the program or run the anti-virus tools. * Attempts to self-decrypting files will result in the loss of your data. * Decoders are not compatible with other users of your data, because each user's unique encryption key.
Today we’ll see how Amnesia malware can affect your servers and how you can protect them from an attack.
How Amnesia malware affects your Windows servers
Amnesia is a ransomware family that targets system files and encrypts them using the AES-256 algorithm in ECB mode. The attackers gain access to the victim server through RDP (Remote Desktop Services) and then execute the malware on it.
The Amnesia ransomware loads itself into the system's memory, then encrypts all the files and renames them immediately. It then generates a ransom note and displays it on the server.
Before the encryption process, it also gathers information about the server: machine details, data, approximate geographic location, IP address and the unique decryption key. It affects all critical files and appends the '.amnesia' string to their names.
Once encrypted by the Amnesia malware, the files are no longer readable and may show up with blank icons. It also deletes the server's recovery points, so shadow copies cannot be used to recover the files once they are encrypted.
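As an added example (not part of the original post), the following Python script checks a directory tree for the file suffixes listed above and for the opening line of the ransom note; the sample files it creates are constructed for the demonstration only. Note that several of the suffixes contain dots, so a naive extension split would miss them.

```python
import os
import tempfile
from typing import Dict, List

# Suffixes named in the post. Several contain dots, so os.path.splitext() would
# return only ".LOCKED" or ".SON"; we match the whole filename suffix instead.
AMNESIA_SUFFIXES = (
    ".01", ".02", ".amnesia", ".[Help244@Ya.RU].LOCKED", ".CRYPTOBOSS",
    ".[email@example.com].SON", ".@decrypt_2017",
)
# First line of the ransom note quoted in the post.
RANSOM_NOTE_MARKER = b"YOUR FILES ARE ENCRYPTED"


def is_amnesia_name(filename: str) -> bool:
    """True when the name ends with a known suffix (case-insensitive).
    ".01"/".02" also occur on split archives, so treat those as a weaker signal."""
    lowered = filename.lower()
    return any(lowered.endswith(s.lower()) for s in AMNESIA_SUFFIXES)


def looks_like_ransom_note(path: str, max_bytes: int = 4096) -> bool:
    """Read the first few KB of a file and look for the ransom-note banner."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes)
    except OSError:
        return False
    return RANSOM_NOTE_MARKER in head.upper()


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree; collect encrypted-looking filenames and ransom notes."""
    findings: Dict[str, List[str]] = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_amnesia_name(name):
                findings["encrypted"].append(name)
            elif looks_like_ransom_note(os.path.join(dirpath, name)):
                findings["notes"].append(name)
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree (hypothetical filenames) so the scanner runs offline."""
    root = tempfile.mkdtemp()
    samples = {
        "report.docx.amnesia": b"\x00garbage",
        "db.bak.[Help244@Ya.RU].LOCKED": b"\x00garbage",
        "HOW TO RECOVER.txt": b"YOUR FILES ARE ENCRYPTED! Your personal ID: [***]",
        "notes.txt": b"quarterly planning",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run `demo()` to see the two renamed files and the note flagged while the ordinary text file is left alone.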
Though the malware displays a ransom note telling you how to get your files back, paying the ransom and expecting your files to be returned is the last thing you should do.