Amnesia targets the Windows OS and is distributed via Remote Desktop Protocol (RDP) compromise conducted through brute-force attacks. Once executed, Amnesia deletes the system's Shadow Volume Copies to prevent victims from restoring files without paying. It copies itself (guide.exe) into the %AppData% directory and creates a registry key within HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce to maintain persistence. Amnesia encrypts all files on a machine with the exception of those within C:\Windows and C:\Program Files, as well as other folders that contain files critical to the boot process. It encrypts up to the first 1 MB of each file using AES-256 and asks the victim to contact the attacker via email for the payment amount and additional instructions.
Extensions appended to encrypted file names:
.amnesia, .@decrypt2017, .SON, .[Help244@Ya.RU].LOCKED, .BAGI, .onion, .TRMT
Ransom note file names:
HOW TO RECOVER ENCRYPTED FILES.TXT
Email addresses associated with Amnesia:
email@example.com, firstname.lastname@example.org, email@example.com
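As an added example (not taken from the page's sources), the behaviours described above can be turned into simple detection rules over endpoint telemetry. The event lines below are constructed, Sysmon-style key=value records; the vssadmin command line is an assumed way the shadow copies get deleted, since the page only states the effect, and the persistence rule is generalised to any RunOnce value pointing under %AppData%, not just guide.exe.

```python
import re
from pathlib import PureWindowsPath

# Indicators are the ones the page lists for Amnesia (lower-cased for comparison).
AMNESIA_EXTENSIONS = (".amnesia", ".@decrypt2017", ".son", ".[help244@ya.ru].locked",
                      ".bagi", ".onion", ".trmt")
RUNONCE_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\runonce"
RANSOM_NOTE = "how to recover encrypted files.txt"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry, not a real capture.
SAMPLE_EVENTS = [
    r'type=registry_set key=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\upd value=C:\Users\alice\AppData\Roaming\guide.exe',
    r'type=process_create image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    r'type=file_create path=C:\Users\alice\Documents\report.docx.amnesia',
    r'type=file_create path="C:\Users\alice\Documents\HOW TO RECOVER ENCRYPTED FILES.TXT"',
    r'type=file_create path=C:\Users\alice\Documents\notes.txt',
    r'type=registry_set key=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive value="C:\Program Files\OneDrive\OneDrive.exe"',
]

def parse_event(line):
    """Turn 'k=v k2="v with spaces"' into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(event):
    """Return the name of the Amnesia behaviour an event matches, or None."""
    kind = event.get("type")
    if kind == "registry_set":
        # Persistence: a RunOnce value that launches something dropped under %AppData%.
        key, value = event.get("key", "").lower(), event.get("value", "").lower()
        if key.startswith(RUNONCE_KEY) and "\\appdata\\" in value:
            return "runonce_persistence_from_appdata"
    elif kind == "process_create":
        # Shadow copy removal (assumed vssadmin invocation; the page names only the effect).
        cmd = event.get("cmdline", "").lower()
        if event.get("image", "").lower().endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
            return "shadow_copy_deletion"
    elif kind == "file_create":
        name = PureWindowsPath(event.get("path", "")).name.lower()
        if name == RANSOM_NOTE:
            return "ransom_note_dropped"
        if name.endswith(AMNESIA_EXTENSIONS):
            return "amnesia_extension_appended"
    return None

def detect(lines):
    """Return [(line_number, rule)] for every event line matching an Amnesia behaviour."""
    hits = []
    for n, line in enumerate(lines, 1):
        rule = classify(parse_event(line))
        if rule:
            hits.append((n, rule))
    return hits
```

Any single hit is worth triage, but the combination of shadow copy deletion followed by RunOnce persistence from %AppData% and renamed files is the sequence the page describes and should page someone immediately.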
Image Source: PCRisk.com and Barkly