Amnesia targets the Windows OS and is distributed by compromising Remote Desktop Protocol (RDP) access through brute-force attacks. Once executed, Amnesia deletes the system's Shadow Volume Copies to prevent victims from restoring files without paying. It copies itself (guide.exe) into the %AppData% directory and creates a registry key within HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce to maintain persistence. Amnesia will encrypt all files on a machine with the exception of those within C:\Windows and C:\Program Files, as well as other folders that contain files critical to the boot process. It encrypts up to the first 1 MB of each file using AES-256 and asks the victim to contact the hacker via email for the payment amount and additional instructions.

Extensions appended to encrypted file names:
.amnesia, .@decrypt2017, .SON, .[Help244@Ya.RU].LOCKED, .BAGI, .onion, .TRMT

Ransom note file names:

Email addresses associated with Amnesia:,,

  • Emsisoft provides more information about Amnesia here.
  • Barkly provides more information about another Amnesia version here.
  • Emsisoft provides a free decryption tool for Amnesia here.
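
The indicators described above (the appended extensions and the RunOnce entry launching guide.exe from %AppData%) can be turned into a quick triage check. The following is an added example, not code from Emsisoft, Barkly, or the original page; the function names and the constructed sample values are assumptions.

```python
import ntpath
import os

# Extensions listed above. Matched as case-insensitive suffixes because
# ".[Help244@Ya.RU].LOCKED" contains dots, which defeats os.path.splitext().
AMNESIA_EXTENSIONS = (".amnesia", ".@decrypt2017", ".SON", ".[Help244@Ya.RU].LOCKED",
                      ".BAGI", ".onion", ".TRMT")
_SUFFIXES = sorted((e.lower() for e in AMNESIA_EXTENSIONS), key=len, reverse=True)


def matched_extension(filename):
    """Return the listed extension (lowercased) that filename ends with, else None."""
    lowered = filename.lower()
    for suffix in _SUFFIXES:
        # Require a non-empty stem: a file named exactly ".onion" was not renamed.
        if lowered.endswith(suffix) and len(lowered) > len(suffix):
            return suffix
    return None


def scan_tree(root):
    """Walk root and return {path: extension} for files carrying a listed extension."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = matched_extension(name)
            if ext:
                hits[os.path.join(dirpath, name)] = ext
    return hits


def suspicious_runonce(values):
    """Return names of RunOnce values that launch guide.exe from under AppData."""
    # values: {value_name: command_line} as exported from the HKCU RunOnce key.
    flagged = []
    for name, command in values.items():
        lowered = command.lower()
        end = lowered.find(".exe")
        if end == -1:
            continue
        path = lowered[: end + 4].lstrip('" ')  # drop quoting and any arguments
        in_appdata = "\\appdata\\" in path or path.startswith("%appdata%")
        if ntpath.basename(path) == "guide.exe" and in_appdata:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed RunOnce export; value names and the user path are made up.
    sample = {"Updater": r'"C:\Users\alice\AppData\Roaming\guide.exe"',
              "Help": r"C:\Program Files\Vendor\guide.exe"}
    print(suspicious_runonce(sample))
```

Short extensions such as .SON and .onion can also appear on unrelated files, so treat matches as leads to confirm against the other indicators rather than as proof of infection.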
