How to Remove Amnesia 2 Ransomware

How to Remove Amnesia 2 Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Your files are Encrypted!
For data recovery needs decryptor.
To buy the decryptor, you must pay the cost of 0.5 Bitcoin.
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this form:
Email: [TEXT BOX]
Attach file:
Bitcoin address: [TEXT BOX]

Yet another ransomware virus is roaming the Internet. Amnesia 2 Ransomware is a ransomware Trojan. It the newest version of the infamous Amnesia Ransomware. Both viruses share the same distribution technique and, obviously, name. Amnesia 2 is a typical parasite of its class. It slithers in your PC unnoticed and wreaks havoc. This virus uses a combination of encrypting algorithms to secure both your files and the only decryption key. The victims are much more likely to pay for their memories than for their work. Therefore, the virus targets your personal files. Pictures, documents, videos, archives, etc. At the end of all encrypted files, the ransomware will add one of the following extensions: .SON, .Help244@Ya.RU] .LOCKED, .TRMT, .[].oled, .@decrypt_files2017, .CRYPTBOSS, .@decrypt2017. Once the encryption process is complete, the virus will display its ransom note. Don’t worry if you accidentally close the window which contains the note. You can find the file of the note saved as “RECOVER-FILES.HTML.” There is nothing interesting about the ransom note. It is quite typical. It briefly explains what had happened to your files. Amnesia 2 Ransomware demands 0.5 Bitcoin as a ransom. At the current exchange prices, 0.5 BTC will cost you $1,222 USD. We know that this sum is overwhelming. Don’t panic! Take a moment to consider the situation. We recommend against paying the ransom. You are dealing with cyber criminals here. They are offering a free file recovery to demonstrate their abilities. Don’t contact the hackers. They may use your email address to harass you later on. Your best course of action is to clean your PC. If you have a system backup saved on an external device, you can use it to restore your files. Before you plug-in the external memory, make sure your PC is clean. Otherwise, Amnesia 2 Ransomware will corrupt the external memory.

How did I get infected with?

Amnesia 2 Ransomware is spread via massive spam email campaign. The scammers attach corrupted files to appealing emails. The hackers have bedded malicious code into a file. It can be any type of file. Once you download such a corrupted document, the malicious code will execute and download the virus in silence. Prevention is always the best security. Be always vigilant and doubting. Scammers tend to write on behalf of well-known organizations and companies. Don’t fall victim of your carelessness. Check the sender’s contacts before opening the email. Simply, enter the questionable email into some search engine. If it was used for shady business, someone might have complained. Yet, this method is not flawless. New emails are created every day. If you are part of the first wave of spam messages, there can’t be any evidence. So, double check the sender. Let’s say you receive a message from an organization, go to their official website. Make sure you are on the right website. The crooks might have created an identical page to lure unaware users into downloading infected content. So, on the company’s official website you will be able to find a list of their authorized email addresses. Compare them with the one you have received a letter from. If they don’t match, you know what to do. Delete the spam email immediately. Also, look for suspicious signs. The reliable companies will use your real name. If a message starts with “Dear Friend” or “Dear Customer” this is a massive red flag. Proceed with caution.

Remove Amnesia 2

Why is Amnesia 2 dangerous?

You are dealing with criminals. Never forget it. These people will double-cross you for sure. In its ransom note Amnesia 2 Ransomware promises a free decryption of one file. This may not be the best idea. Contacting the crooks will result in trouble. They can use your email to contact you and harass you. Stay away from these people. Paying the ransom is not a recommended action. Practice shows that the hackers tend to ignore their victims. You will keep your part of the deal, yet, the hackers will not. There are cases where the victims paid but the crooks demanded more. Consider discarding your files. Clean your machine and start backing up your system regularly. This way you will be prepared if a ransomware strikes again. The sooner you remove Amnesia 2 Ransomware, the better. This virus is still under development. It may evolve into something more dangerous. Download a trustworthy anti-virus program and clean your machine for good!

Amnesia 2 Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Amnesia 2 Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with Amnesia 2 encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Amnesia 2 encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment