A new version of BTCware ransomware has come out, following the .MASTER variant. It now calls itself Aleta ransomware and encrypts the files on compromised computers, appending the .aleta file extension as a suffix. The ransomware then notifies the victim in several ways that he or she must pay a ransom in BTC to get the files back. The virus also leaves behind the [email protected] e-mail for contact. If your computer has been infected by this ransomware virus, we recommend that you read this article to learn how to remove it and decrypt your files for free.
|Short Description||Encrypts the files on the infected computer using the AES cipher, after which it asks for a payment in Bitcoin.|
|Symptoms||A black-green wallpaper, starting with “ALETA RANSOMWARE”. Files encrypted with the .aleta file extension. A ransom note named #_READ_ME_#.inf.|
|Distribution Method||Spam Emails, Email Attachments, Executable files|
Aleta Ransomware – Activity Report
The ransomware, dubbed Aleta because of the green-black wallpaper it uses, can slither onto your computer via spammed e-mails. Such e-mails often carry attachments that can infect your computer with the aid of various exploits, web-injectors, fake updates, and repacked or infected program installers. These malicious objects can also be found elsewhere online, such as on torrent websites and suspicious software distribution sites.
When the victim opens the malicious object, the virus begins to launch multiple processes in Windows Command Prompt in order to remain hidden from antivirus programs. When an infection takes place, the virus immediately begins to drop its malicious files on the compromised computer. They are configured to delete the shadow volume copies on the infected machine via the vssadmin command in Windows Command Prompt.
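Shadow-copy deletion through vssadmin leaves a trace in process-creation logs. The following check is an added example, not code from this article or from the malware: the event fields and sample command lines are constructed, and the exact command Aleta runs is not reproduced here.

```python
import re

# Constructed process-creation events for illustration; not captured from a real infection.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": "explorer.exe",
     "cmdline": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "WS-02", "parent": "cmd.exe",
     "cmdline": r'cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"'},
    {"host": "WS-02", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\notes\vssadmin delete shadows.txt"},
    {"host": "SRV-03", "parent": "cmd.exe",
     "cmdline": r"cmd /c echo start & VSSADMIN  delete   shadows /for=C: /oldest"},
]

def image_name(token):
    """Lower-cased executable name without directory or .exe suffix."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def split_commands(cmdline):
    """Yield token lists, one per chained command, with cmd /c wrappers removed.

    Quotes are treated as whitespace, so paths containing spaces are not handled;
    vssadmin lives in System32, which has none.
    """
    for segment in re.split(r"[&|]+", cmdline.replace('"', " ")):
        tokens = segment.split()
        while len(tokens) > 2 and image_name(tokens[0]) == "cmd" and tokens[1].lower() in ("/c", "/k"):
            tokens = tokens[2:]
        if tokens:
            yield tokens

def is_shadow_delete(cmdline):
    """True when vssadmin itself is invoked with the 'delete shadows' verb."""
    for tokens in split_commands(cmdline):
        args = [t.lower() for t in tokens[1:3]]
        if image_name(tokens[0]) == "vssadmin" and args == ["delete", "shadows"]:
            return True
    return False

def flag_events(events):
    """Return the events whose command line deletes shadow copies."""
    return [e for e in events if is_shadow_delete(e["cmdline"])]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print(f'{event["host"]}: {event["cmdline"]} (parent: {event["parent"]})')
```

Matching on the executable position rather than on a plain substring keeps the `list shadows` query and the file named like the command from raising alerts.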
After this has been performed, the ransomware virus drops its ransom note, named #_READ_ME_#.inf, which has the following message to victims:
[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
[ATTENTION] Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours – your key has been deleted and you cant decrypt your files
In addition to this, the Aleta ransomware also changes the wallpaper of the infected computer by utilizing various commands.
For its encryption process, the Aleta variant of BTCWare ransomware uses the AES algorithm. The malware uses this cipher for the sole purpose of making the files on the infected computer impossible to open. The virus then appends the .aleta file extension to the encrypted files as a suffix, along with the cyber-criminals’ e-mail.
Although the cyber-criminals behind the Aleta ransomware infection have made efforts to scare victims into paying the ransom, security experts have managed to create a decrypter for the ransomware infection. We have written instructions on how the decrypter works below, and if you are a victim of the Aleta ransomware virus, we recommend that you read them carefully.
Remove Aleta Ransomware from Your Computer
For the effective removal of the Aleta threat, you must first isolate the virus in Safe Mode. Then, we recommend removing it with the aid of an advanced anti-malware tool, which can be installed in regular Windows mode beforehand. Such a tool will not only fully, safely and easily remove Aleta’s virus files from your computer but will also protect your PC from future attacks.
Manually delete Aleta from your computer
Note! Important notice about the Aleta threat: manual removal of Aleta requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.
Automatically remove Aleta by downloading an advanced anti-malware program
Decrypt Files Encrypted by Aleta BTCWare Ransomware for Free
After removing the threat, all that is left is to decode the encrypted files. To do this, follow these instructions:
In order to decrypt your files, first you should download the decrypter for BTCWare (Aleta is a BTCWare variant) by Michael Gillespie, which contains the master decryption key.
After saving the decrypter for Aleta ransomware, disable your antivirus so it won’t block it. Then copy the decrypter to a location where it can be easily found and open it.
After extracting the decrypter, start it and click on the “Select Directory” button, then navigate to a directory you wish to decrypt. Then simply decode the files in the directory by clicking on the “Decrypt” button.
Repeat this process with the other directories as well to decrypt them.
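Because the decrypter is pointed at one directory at a time, it helps to list which directories actually hold encrypted files, using the indicators described earlier (the .aleta suffix and the #_READ_ME_#.inf note). The following is an added example, not part of the decrypter or of this article's original instructions; the bracketed contact layout in file names, the sample tree and the placeholder address are assumptions.

```python
import os
import re
import tempfile

RANSOM_NOTE = "#_READ_ME_#.inf"  # ransom note name given in the article
# Assumed layout: <original name>.[<contact>].aleta, bracketed part optional.
ENCRYPTED = re.compile(r"^(?P<orig>.+?)(?:\.\[[^\]]+\])?\.aleta$", re.IGNORECASE)

def triage(root):
    """Map each affected directory to its encrypted files and note presence."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": [], "note": False}
        for name in sorted(files):
            match = ENCRYPTED.match(name)
            if name.lower() == RANSOM_NOTE.lower():
                entry["note"] = True
            elif match:
                entry["encrypted"].append((name, match.group("orig")))
        if entry["encrypted"] or entry["note"]:
            report[os.path.relpath(dirpath, root)] = entry
    return report

def decrypt_targets(report):
    """Directories holding encrypted files, highest count first."""
    hits = [(d, len(e["encrypted"])) for d, e in report.items() if e["encrypted"]]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

def build_sample_tree(root):
    """Create a constructed tree; names and contact address are placeholders."""
    layout = {
        "Documents": ["report.docx.[contact@example.invalid].aleta",
                      "budget.xlsx.[contact@example.invalid].aleta", RANSOM_NOTE],
        "Pictures": ["photo.jpg.aleta", RANSOM_NOTE],
        "Music": ["song.mp3"],
        "Desktop": [RANSOM_NOTE],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as handle:
                handle.write(b"constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, count in decrypt_targets(triage(tmp)):
            print(f"{count:3d} encrypted file(s) in {folder}")
```

The scan only reads file names and changes nothing on disk, so it can be run before the decrypter to plan the work and afterwards to confirm that no .aleta files remain.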