Amnesia ransomware continues high payment trend


The SonicWall Capture Labs Threat Research team have recently observed a ransomware threat known as Amnesia. As predicted previously by Sonicwall, the trend of increasing the ransom payment demand has continued. This time last year, ransom demands only averaged a few hundred US dollars for file decryption. Most ransomware today have increased this amount to around 1 Bitcoin ($2629 at the time of writing this alert) as is the case here with the Amnesia ransomware.

Infection Cycle:

The Trojan makes the following DNS request:


The Trojan adds the following files to the filesystem:

  • %APPDATA%sevnz.exe (copy of original file) [Detected as GAV: Amnesia.RSM (Trojan)]
  • IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT (copied into every directory containing encrypted files)

All files that have been encrypted use the following filenaming convention:

  • {encrypted filename}.[]

The Trojan adds the following keys to the registry, the first of which is a unique ID for the infection:

  • HKEY_CURRENT_USERSoftwareaIYqDubteCKSoK temp “V4IAAAAAAADC0bNIxKaIH7JYV6699fOJvEi=G+RF6TCJ4cJBvLhWQGV+654JtVSw9RvdA56j7BpPGG32Za88GKSdzyey6Po=U+nGtFhb=e7wiDqx2fcJ6T0TZmNts3=uKH88QK1UWGHjigPKSRB4PWg3jiKTMZnFR7NTeH1momxGZguqRAzVlOh592AargphGyo+5o0bx39Uoh=bwM0O3m98fsAejkmm2RUQQYJ7SaBQd2AYI3SCM3JiL4uSCVPlK9EQbhCdhjn18jyDNmVp=nuK5YLLhISwFc5R=1=aZDM16W+xB0orn3okLFvs5LNGDrwEOXIXtUie3KKPgemZolrAZ4v7K0ZKLtJTu6eOY1PBa1hRmDMN1AKj2eSiZLtYSreoRC1KgdcK9fDoJfZL2sr9vdxMwogKCGvnA21YGVVlLLagjp35=ybaIdWlP1A95msz7SyZLpFs6WoJTcvurViRPGgWsUEpMbIy=lV+EJ0T0U1gDSydtsuffYcxyDk2f2rJCr5eIxOrwlIJlIhkDfEcuO=NKfkJZ6efwNwAXIeMXQfUdpg5k2EUu+R6sWOBcnnQkWUXSpZGUildgjL0OS5TXsCs60oLHMcyuMzip2sq7287OnFB8kz7javL9LcxUn2p17wAb7tW2wX3dKRhzL0Lqp5O2Z7uAiOEqmwYES3Ddjlh8gw2vVL4l1Wz7p92=divAAUeWLUte=J2dShKCLJK6ApQ4ct2w6gAfmdSPtc6Ko8dnujq1f6xcOVqTT8FBpqfBy6jd+8TwC1y0ndtHA6+sFBhFD4HDZcvIlguChgzRyK5TKK7l4”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce aIYqDubteCKSoK “%APPDATA%sevnz.exe”

The Trojan can be seen utilizing mshta.exe in order to run javascript as part of its infection process:

The infection is reported to the operators by using The response is a PNG file containing a single pixel:

The following text file is displayed on the screen:

We received the following email after following the instructions in the text file:

As there was no transaction history for the Bitcoin address (12X4P7HVpuhP535uTkETecGvZrV7A7T3oL), it is safe to assume that multiple Bitcoin addresses are used rather than a single address.

The Trojan disabled our ability to reboot the system when run on WindowsXP:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Amnesia.RSM (Trojan)
  • GAV: Amnesia.RSM_2 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.