Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Alpha Ransomware and Decrypt .Encrypt Files for Free

Alpha-ransomware-sensorstechforumUnlike other ransomware variants, this particular crypto-malware has an entirely different approach when it begins to extort users. Named Alpha ransomware by researchers, it drops a ransom note in every encrypted folder and demands 400 US dollars to be directly sent out to the cyber crooks in the form of an iTunes gift card. This genius way of thinking saves the cybercriminals time, makes the payment easier while anonymizing them. All users who have been affected should bear in mind that there is a relevant decryption method, due to a flaw in the code of Alpha ransomware and not pay the ransom money.

Threat Summary

Name Alpha
Type Ransomware
Short Description The ransomware encrypts files with a strong cipher and asks a 400$ ransom money as iTunes gift card for decryption.
Symptoms Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution Method Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Alpha

Download

Malware Removal Tool

User Experience Join our forum to Discuss Alpha Ransomware.

Alpha Ransomware – How Does It Infect

To successfully infect unsuspecting Windows users, the ransomware may use different methods to be widespread. The most common methods used by cyber-crooks to widespread ransomware may be divided into two types:

  • Directly distributing the malicious payload in a raw or an archived format.
  • Distributing the malicious executable via malicious JavaScript and exploit kits featured in malicious URLs.

In case the payload is directly distributed, you may encounter it in websites that pretend to provide a free program, wallpaper, emoticons and others, and such shady websites may trick you into downloading the malware onto your computer.

The other method of distribution Alpha ransomware may use is via malicious email web links. Such URLs may be featured in social media spam, emails or referral spam, such as Snip(.)tw referral traffic, for example.

There is also the likelihood of the Ransomware being dropped by other malware that has previously infected the victim PC. One example for this is Win32/TrojanDropper.Agent.RFT.

Alpha Ransomware In Detail

Once executed on the computer, the ransomware is reported by Symantec researchers and affected user to drop three files in different folders, which are a picture, later set as a wallpaper, the ransom note, and the “encryptor” module. The files may be as follows:

In %Desktop%:
Read Me (How Decrypt) !!!!.txt
In %Application Data%:
svchost.exe
In the user’s profile directory:
newstyle.jpg

The “svchost.exe” is a classic evasive maneuver by Alpha ransomware, making the process appear as if it is the original Windows svchost process. This may be the module which encrypts the user’s files, because it is being set as a process to run on Windows start up. This is done by adding values in the following registry subkey:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

The values added may contain the directory of where the fake “svchost” process is located, for example:

→ %SystemDrive%\Documents and Settings\{User’s Profile}\Application Data\Windows\svchost.exe

Furthermore, the Alpha ransomware may also modify other registry keys to disable certain processes or even access to Windows Task Manager. This is particularly cunning because, the user is helpless to stop manually the encryption process, even if he/she catches the ransomware while encrypting, which is very unlikely because such process is very fast.

Alpha Ransomware – File Encryption

The ransomware may begin scanning for and encrypting files with the following file extensions:

→ .txt .wb2 .psd .p7c .p7b .p12 .pfx .pem .crt .cer .der .pl .lua .asp .php .incpas .asm .hpp .h .cpp .c .drf .blend .apj .3ds .dwg .sda .ps .pat .cmd .bat .class .jar .java .fxg .fhd .fh .svg .bmp .vbs .png .gif .dxb .drw .design .ddrw .ddoc .dcs .csl .csh .cpi .cgm .cdx .cdrw .cdr6 .cdr5 .cdr4 .cdr3 .cdr .awg .ait .ai .agd1 .ycbcra .x3f .stx .st8 .st7 .st6 .st5 .st4 .srw .srf .sr2 .sd1 .sd0 .rwz .rwl .rw2 .raw .raf .ra2 .ptx .pef .pcd .orf .nwb .nrw .nop .nef .ndd .mrw .mos .mfw .mef .mdc .kdc .kc2 .iiq .gry .grey .gray .fpx .fff .exf .erf .dng .dcr .dc2 .crw .craw .cr2 .cmt .cib .ce2 .ce1 .arw .3pr .3fr .mpg .jpeg .jpg .mdb .sqlitedb .sqlite3 .sqlite .sql .sdf .sav .sas7bdat .s3db .rdb .psafe3 .nyf .nx2 .nx1 .nsh .nsg .nsf .nsd .ns4 .ns3 .ns2 .myd .kpdx .kdbx .idx .ibz .ibd .fdb .erbsql .db3 .dbf .db-journal .db .cls .bdb .al .adb .backupdb .bik .backup .bak .bkp .moneywell .mmw .ibank .hbk .ffd .dgc .ddd .dac .cfp .cdf .bpw .bgt .acr .ac2 .ab4 .djvu .pdf .sxm .odf .std .sxd .otg .sti .sxi .otp .odg .odp .stc .sxc .ots .ods .sxg .stw .sxw .odm .oth .ott .odb .rtf .accdr .accdt .accde .accdb .sldm .sldx .ppsm .ppsx .ppam .potm .potx .pptm .pps .pot .xlw .xll .xlam .xla .xlsb .xltm .xltx .xlsm .xlm .xlt .xml .dotm .dotx .docm .dot .txt .py .css .js .doc .docx .xls .xlsx .ppt .pptx .odt .csv .sln .aspx .html .cs .vbSource:Symantec

After encrypting the files, the Trojan may generate custom decryption keys, which may suggest to the usage of RSA encryption algorithm. The encryption keys are sent out to a foreign host which is the command and control center of the cyber-crooks. The domain extensions may differ, for example .biz, .info, etc.

The ransomware also drops a Read Me (How Decrypt) !!!!.txt document, which has the ransom message, written apologetically:

txt-document-sensorstechforum-decrypt-alpha“Greetings,
We’d like to apologize for the inconveniences, however, your computer has been locked. In order to unlock it, you have to complete the following steps:
1. Buy iTunes Gift Cards for a total amount of $400.00
2. Send the gift codes to the indicated e-mail address
3. Receive a code and a file that will unlock your computer.
Please note:,
– The nominal amount of the particular gift card doesn’t matter, yet the total amount have to be as listed above.
– You can buy the iTunes Gift Cards online or in any shop. The codes must be correct, otherwise, you won’t receive anything.
– After receiving the code and the security file, your computer will be unlocked and will never be locked again.
Sorry for the inconveniences caused.”

Not only this, but the wallpaper of the user is also changed to a well-designed gray wallpaper, that has the scary word encrypted on it.

Remove Alpha Ransomware and Restore the Encrypted Files

If you wish to remove the ransomware, make sure to back up the encrypted data first, so that you may try and restore it later. We recommend you NOT to reinstall Windows, and instead to use the tutorial below to locate the malicious executables, remove them and clean up your Windows Registry Editor.

Regarding the file restoration, fortunately, you have luck, because a decryptor, called “Alpha Decrypter” has been discovered. For more information, you can check step 3 – “Restore files encrypted by Alpha” in the instructions below. Either way, we advise you NOT to pay the ransom money because you assist the cyber-criminals, and you may decrypt your data for free.

Manually delete Alpha from your computer

Note! Substantial notification about the Alpha threat: Manual removal of Alpha requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Alpha files and objects
2.Find malicious files created by Alpha on your PC
3.Fix registry entries created by Alpha on your PC

Automatically remove Alpha by downloading an advanced anti-malware program

1. Remove Alpha with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Alpha in the future
3. Restore files encrypted by Alpha
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.