Decrypt Amnesia ransomware with Emsisoft’s free decrypter


Update (June 1st, 2017): Our Lab team has updated the Amnesia decrypter to support the newer variants. If you had issues previously, head to and download the latest version (

Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for a new Delphi-based ransomware called “Amnesia”, which began to appear on 26th April 2017.

How the Amnesia ransomware works

The main infection vector of Amnesia appears to be via RDP (remote desktop services) brute force attacks, which allow the malware author to log into the victim’s server and execute the ransomware.

Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted. It will also copy itself into the %APPDATA% directory using the file name “guide.exe” and register itself within the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce” key to start automatically during the next boot.
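One way to check a host for the persistence entry described above, as an added example that is not Emsisoft's code: it flags RunOnce values under HKEY_CURRENT_USER that launch guide.exe from under %APPDATA%. The function names and the sample entries are assumptions constructed for this example, and the live registry read works only on Windows.

```python
import ntpath
import os

try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

RUNONCE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
DROPPED_NAME = "guide.exe"  # file name given in the article
# Constructed sample data (not taken from a real infection).
SAMPLE_APPDATA = r"C:\Users\svc\AppData\Roaming"
SAMPLE_ENTRIES = {
    "updater": r'"C:\Program Files\Tool\userguide.exe" /silent',
    "x": r"%APPDATA%\guide.exe",
}


def read_runonce():
    """Return {value name: command} from HKCU RunOnce (Windows only)."""
    entries = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _kind = winreg.EnumValue(key, i)
                entries[name] = str(data)
    except FileNotFoundError:
        pass  # key absent: nothing registered
    return entries


def suspicious_runonce(entries, appdata):
    """Return names of RunOnce values that start guide.exe from under %APPDATA%."""
    base = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for name, command in entries.items():
        # Lower-case, expand a literal %APPDATA%, drop the opening quote.
        cmd = ntpath.normcase(command).replace("%appdata%", base).strip().lstrip('"')
        end = cmd.find(DROPPED_NAME)
        exe = cmd[: end + len(DROPPED_NAME)] if end != -1 else ""  # cut quote/args
        if ntpath.basename(exe) == DROPPED_NAME and exe.startswith(base + "\\"):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    live = winreg is not None  # off Windows, fall back to the constructed sample
    print(suspicious_runonce(read_runonce() if live else SAMPLE_ENTRIES,
                             os.environ["APPDATA"] if live else SAMPLE_APPDATA))
```

A RunOnce value is removed after it runs, so an empty result after a reboot does not rule out an earlier infection.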

Since Amnesia ransomware does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\Windows, C:\Program Files and various other folders from the encryption operation, so that boot operation and other critical processes are not impacted.

Amnesia encrypts up to the first 1 MB of files using AES-256 encryption in ECB mode. Once the files are locked this way, the malware will append the “.amnesia” extension to them.
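A triage helper for scoping the damage described above, as an added example that is not Emsisoft's code: it inventories files carrying the “.amnesia” extension and compares the byte entropy of the first 1 MB with what follows. Reading “1 MB” as 1 MiB, the function names, and the sample files (random bytes standing in for ciphertext) are assumptions of this example.

```python
import math
import os
import tempfile
from collections import Counter

PREFIX = 1024 * 1024    # assumption: the article's "1 MB" read as 1 MiB
EXTENSION = ".amnesia"  # extension the article says is appended


def entropy(data):
    """Shannon entropy in bits per byte; 0 for empty input."""
    total = len(data)
    return sum(c / total * math.log2(total / c) for c in Counter(data).values())


def triage(root):
    """Inventory *.amnesia files under root and compare head and tail entropy."""
    report = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if not name.lower().endswith(EXTENSION):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(PREFIX)  # region that may have been encrypted
                tail = fh.read(PREFIX)  # sample of what follows, if anything
            size = os.path.getsize(path)
            report.append({
                "path": path,
                "size": size,
                "max_encrypted_bytes": len(head),
                "untouched_bytes": size - len(head),
                "head_entropy": round(entropy(head), 3),
                "tail_entropy": round(entropy(tail), 3) if tail else None,
            })
    return report


def build_sample(root):
    """Write constructed files; random bytes stand in for ciphertext."""
    with open(os.path.join(root, "report.pdf.amnesia"), "wb") as fh:
        fh.write(os.urandom(PREFIX) + b"A" * 4096)
    with open(os.path.join(root, "note.txt.amnesia"), "wb") as fh:
        fh.write(os.urandom(2048))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in triage(tmp):
            print(row)
```

A head entropy near 8 bits per byte with a lower tail entropy is consistent with partial encryption, but compressed formats are high-entropy throughout, so treat the numbers as a rough signal rather than proof.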

How Amnesia ransomware victims are supposed to pay

Amnesia victims are asked to contact the malware author via email to “[email protected]”.

How to remove Amnesia ransomware encryption using the Emsisoft decrypter

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest reading it before making any hasty removal attempts.

Infected users who have verified the ransomware type and are just looking for the decrypter can download it for free on Emsisoft’s decrypter site:

  • Amnesia ( covers the initial variants prior to June 1st, 2017
  • Amnesia2 ( covers all the latest variants

Have a great (ransomware-free) day!

  • BEzzell

    Will you be releasing a new version of the amnesia removal tool any time soon? Would a new version be successful where the current version is not?

  • BobbyJ

    Does not seem to be working with the most recent version of Amnesia. Will you be putting out a new version? Would be happy to pay for an update.

  • Tony Faiers

    Thanks for the superb software which appears to decrypt most files although it does fail on some stating that it cannot find the correct key, these seem to be ‘non-standard’ files, such as a .MDF file. Does the software not find one global ‘decrypt’ key that then allows it to decrypt all of the other files as it seems to have to work out a new decryption for each file it finds and there are hundreds, possibly thousands on the computer I’m trying to help repair which is going to take months to decrypt?

    • Fabian Wosar

      Amnesia2 creates a different key for every file. Therefore every file has to be broken separately. In addition, if file names aren’t encrypted, then the decrypter falls back on file format detection. Obviously no matter how many file formats we detect, there will always be some more file formats, we don’t. If there are some mission critical files you need, please send me one unencrypted file of that format and I will see if I can extract enough information from them to allow the file format analysis to recognise it.

      • Adam

        Thank you for the tool!

        Is it possible to decrypt brute force with GPU rather than CPU? Some files don’t decrypt, some do; with thousands it will take months as stated.

      • Turntable Maestro

        Hi Fabian thanks for making this! I have some important .dat files that are telling “couldn’t find the correct key” when trying to decrypt. How would I send you a file for analysis?

  • Paul

    Hi, so far version2 has decrypted every file it attempted to decrypt, but it has not tried to decrypt a lot of the files in the same folder. Why is that? No errors, it just ignores them, nothing in the logs either.

    • Fabian Wosar

      Can you please submit one of those files to [email protected]? Thanks.

      • Paul

        As requested I have sent some files over, please advise if there is anything else you need.


  • Antonio Di Russo

    Thank you guys for this tool! Unfortunately it couldn’t decrypt a short .txt file containing sensible information…
    We got a variant of this virus that calls itself FROGO which encrypts only files with particular extensions.
    If someone could help it would be appreciated!

    • Mostafa ElDeeb

      Hi, Have you found any solution for that sir, cause I’m facing the same problem

      • Antonio Di Russo

        Unfortunately I didn’t. There is a long sequence of numbers appended to the file, maybe that’s the way the decryptor the hackers provide uses it to retrieve the key used to encrypt the files.

        • Mostafa ElDeeb

          Ok, Thank you for your time :)

          • Antonio Di Russo

            You are welcome!

  • SB

    I just want to add my thanks to the list. We got hit this weekend with Amnesia and the Amnesia2 utility is hard at work. By estimation it will take 3 days or so to bring back the important stuff and everything else we either don’t care about or have backups. All our son’s medical records have been encrypted and are on their way back again. Thanks for giving us a second chance at our files.

  • A.C. Buehler

    Some of the decryption is going well. I am having problems getting any .db files to work. I am using the version. Any thoughts?

    • Fabian Wosar

      The decrypter probably doesn’t know the file format. If you send in a few unencrypted .db files so I can see if I can add format recognition somehow, I will gladly update the decrypter if possible.

      • A.C. Buehler

        Fabian: Thank you! How do you want me to post them to you? I really appreciate it!!

        • A.C. Buehler

          I just found it and posted it on your upload page. A.C.

          • A.C. Buehler

            Emailed the same to your email address shown above. Thanks!

  • Dave Tuggle

    Hey there – Thanks for a great product. I am using version 2 of the decryptor and it did in fact decrypt two of the files I had encrypted. The problem is that after the first file was decrypted it took a very long time to get to the next and decrypt it. It would seem to me that after it “cracked” the first that the rest would fall like dominoes – Is that not the case? If it has to move at this rate then it’ll take a year to do all of these… Can someone please advise on this? Perhaps I’m missing something in the instructions. If this works, I will gladly donate to your cause here as this is a fantastic service.

    • Fabian Wosar

      Every file is encrypted with a different key. The decrypter tries to reuse what it learned from a previous file to decrypt the next file. However, that is only possible if the files’ order hasn’t been changed. The problem is that when the file name is encrypted as well, the order ultimately changes. Since the timestamps are manipulated by the ransomware, it is also impossible to reconstruct the order based on those. For the time being, you will unfortunately have to wait it out.

      • Dave Tuggle

        Thanks Fabian for the quick response – Considering my billing rates to the customer and the number of files encrypted I think we might be best to pay the ransom (backup was also encrypted) – Believe me, nothing pains me more to say that but these are critical files that I can’t have down for a week while the application works to decrypt them on an older CPU. I was under the wrong impression that it would be the same decryption key across the board so thank you for clearing that up.

        • West Oran Getrol

          Did you pay the ransom? Did anyone pay and get results? It seems this may be one of those that don’t work paying because if every file gets its own key, what are they going to do, send 100,000 keys one for each file?

  • Jim Fus

    I was infected with the Amnesia ransomware and have successfully decrypted some of my files. I have now a month later tried to go back and decrypt more files and they will not open. It does decrypt the files but when I try to open them it says it is not a supported file format (pdf). Anything I could try?

  • Jim Fus

    I was infected with the Amnesia ransomware and have successfully decrypted some of my files. I have now a month later tried to go back and decrypt more files and they will not open. It does decrypt the files but when I try to open them it says it is not a supported file format (pdf). Anything I could try to fix this problem?

  • Geoff Gordon

    I am also stuck with the slowness of having to find a unique key for each file. My file names are not encrypted, but it is very very slow for each file. I have hundreds of thousands of files and don’t know if there is a better way to do this. I tried to do a restore from backup, but copying those files is a slow process as well and confusing because it doesn’t overwrite the infected file.

    They want ~$521 for ransom. Has anyone had success with that? Are they able to restore much more quickly?


    • West Oran Getrol

      anyone pay?

      • Geoff Gordon

        I paid…

        • After paying, did you have success in quickly retrieving all your files?

    • Ali Malik

      I did pay, and yes, this person sent a decryptor, it was fast and everything, BUT, it did not decrypt everything, and we are still out of our main program.
      So when you are dealing with shady evil people, do not expect anything good in return.

  • Michael Fenimore

    This past weekend a client’s Server 2003 SQL machine was hit with what appears to be the amnesia ransomware virus.
    However, from what I’ve gleaned about this one is it hits files over 1MB in size? Correct?
    But the files I’m seeing with the *.amnesia issues are much less. Like in the 100kb range and higher.
    The email address has also been changed in the text file. [email protected] is what’s listed and asking for .2 bit coins (~$500)
    The other issue is that the “original” file name is much less in file size. Most of them are 1KB files with the .amnesia files much larger.
    Is this a new variant?
    I really need to get this fixed. It is an animal shelter and their database system is inaccessible.

    Thanks for any pointers.

    – Mike

  • The instructions for Amnesia2 do not include the step of first including a file pair for analysis. Was that an oversight or is that no longer needed with the updated decrypter?

    • Fabian Wosar

      Correct. The Amnesia2 decrypter does not need an original file.

  • Vlad Muresan

    Hello, I was hit by Amnesia 2 days ago and I lost all my work on the computer and the files that updated on Google Drive.
    I used your decrypter for Amnesia2 and it does not work. I choose the folder, I press decrypt and after 1 second it writes “finished”.
    Can it be that Amnesia2 is now more powerful or has released a new version?

    I copied all the encrypted files over to an external HDD and hope in the future that you will invent a new decrypter and save all my work.
    Will you?

  • Saschalein

    Hi Fabian,

    You made an awesome job!
    One wish:
    The Amnesia 2 variant I am dealing with did not change date and time of encrypted files, but after decrypting all files have current date and time.
    Can you imagine adding a further option to your Amnesia2 decrypter, “keep date and time”, too?

    Thanks a lot!


    • Fabian Wosar

      I will keep it in mind, but I won’t publish an update just for that.

  • Kala krause

    Did not work for Cry 128. :(

  • Andrey Garasim

    May I send you my encrypted file, the original and the text file? The message says that it is the Amnesia virus but the email is different… maybe you could help me?