Alpha Crypt is a recently released piece of ransomware that is a variation of the TeslaCrypt ransomware. Like other threats of the same nature, Alpha Crypt encrypts certain types of files on the compromised machine and demands a payment in Bitcoin in order to restore the damaged data. Experts remind users that the only safe way to protect sensitive information from ransomware attacks is to back up important documents on a regular basis.
| Short Description | The malware encrypts user data and demands ransom money for its decryption. |
| Symptoms | Users may find their files encrypted with the .ecc, .ezz and other file extensions. |
| Distribution Method | Via Trojans and exploit kits delivered through malicious links and malicious e-mail attachments. |
Alpha Crypt’s Distribution
Experts report that the Alpha Crypt ransomware is distributed via the Angler Exploit Kit (EK). Files that carry the EK and deliver the Alpha Crypt ransomware can be found in malicious online advertisements, illicit torrent files or on web pages hosting malware. Alpha Crypt's typical distribution method, however, is through malicious attachments to spam email messages.
How Does Alpha Crypt Operate?
Once Alpha Crypt infects a system, the ransomware connects to its command-and-control (C&C) server and sends the user's unique identifier along with the campaign ID. As soon as that information is received, the C&C server sends back a variety of ransom files, notes and instructions on how to decrypt the data. The latter can be found in text files titled HELP_TO_SAVE_FILES.txt and RECOVERY_FILE.txt.
The threat then scans the hard drives of the affected PC for certain file types and creates a %AppData%\key.dat file, where the encrypted data and the information about the encryption key are stored.
This particular piece of ransomware targets mainly personal files with the following extensions:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
As soon as Alpha Crypt encrypts a file, a .ezz extension is added to it. This is one of the differences between Alpha Crypt and TeslaCrypt: in the TeslaCrypt encryption process, the file gets a .ecc extension instead.
Alpha Crypt may delete the Shadow Volume Copies in order to prevent the victims from restoring their files.
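The artefacts described in this section (the two ransom notes, the %AppData%\key.dat key store, the appended .ezz or .ecc marker and the possible removal of shadow copies) are what a responder looks for when triaging a suspect host. The script below is an added example, not code from the article or from any vendor: it takes a listing of file paths and process-creation log lines and reports which of those indicators are present. The file paths and log lines are constructed; the expansion of %AppData% to AppData\Roaming, the placement of the original extension before the .ezz marker, and the vssadmin/wmic command lines used to spot shadow-copy deletion are assumptions of this example rather than details the article states.

```python
"""Host triage for the Alpha Crypt / TeslaCrypt artefacts described above.

Added example (not from the article). Inputs are a file listing and
process-creation log lines; all sample data below is constructed.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators named in the article, matched case-insensitively on the file name.
RANSOM_NOTES = {"help_to_save_files.txt", "recovery_file.txt", "help_to_save_files.bmp"}
# Assumption: %AppData% expands to <profile>\AppData\Roaming.
KEY_STORE_SUFFIX = ("appdata", "roaming", "key.dat")
ENCRYPTED_EXT = {".ezz": "Alpha Crypt", ".ecc": "TeslaCrypt"}

# Assumption: the article only says shadow copies "may be deleted"; these are
# the commonly logged command lines that remove VSS snapshots, used here purely
# to detect that behaviour in process-creation logs.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def classify_path(path):
    """Return (kind, detail) for one path; (None, None) when nothing matched."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in RANSOM_NOTES:
        return "ransom_note", name
    if tuple(s.lower() for s in p.parts[-3:]) == KEY_STORE_SUFFIX:
        return "key_store", str(p)
    ext = p.suffix.lower()
    if ext in ENCRYPTED_EXT:
        # Assumption: the marker is appended, so the original extension is the
        # one just before it (report.docx.ezz -> .docx).
        original = PureWindowsPath(p.stem).suffix.lower() or "<none>"
        return "encrypted", (ENCRYPTED_EXT[ext], original)
    return None, None


def triage_files(paths):
    """Summarise indicator hits across a file listing."""
    summary = {"ransom_notes": set(), "key_store": [],
               "encrypted": Counter(), "original_extensions": Counter()}
    for path in paths:
        kind, detail = classify_path(path)
        if kind == "ransom_note":
            summary["ransom_notes"].add(detail)
        elif kind == "key_store":
            summary["key_store"].append(detail)
        elif kind == "encrypted":
            family, original = detail
            summary["encrypted"][family] += 1
            summary["original_extensions"][original] += 1
    return summary


def find_shadow_copy_deletion(log_lines):
    """Return the log lines whose command line removes VSS snapshots."""
    return [ln for ln in log_lines if any(rx.search(ln) for rx in SHADOW_DELETE)]


def assess(paths, log_lines):
    """Combine both sources into a verdict a responder can act on."""
    files = triage_files(paths)
    vss = find_shadow_copy_deletion(log_lines)
    return {
        "families": sorted(files["encrypted"]),
        "encrypted_files": sum(files["encrypted"].values()),
        "notes_present": sorted(files["ransom_notes"]),
        "key_store_present": bool(files["key_store"]),
        "shadow_copies_deleted": bool(vss),
        # Shadow-copy recovery is only worth attempting if no deletion was seen.
        "try_shadow_copy_recovery": not vss,
    }


# Constructed sample inputs (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.ezz",
    r"C:\Users\alice\Documents\budget.xlsx.ezz",
    r"C:\Users\alice\Pictures\holiday.jpg.ezz",
    r"C:\Users\alice\Desktop\HELP_TO_SAVE_FILES.txt",
    r"C:\Users\alice\Desktop\HELP_TO_SAVE_FILES.bmp",
    r"C:\Users\alice\Documents\RECOVERY_FILE.txt",
    r"C:\Users\alice\AppData\Roaming\key.dat",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_LOG = [
    "ProcessCreate Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
    "ProcessCreate Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "ProcessCreate Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PATHS, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict names a single family (Alpha Crypt, from the .ezz marker), three encrypted files, all three note files, the key.dat store, and a shadow-copy deletion, so the "check for shadow copies first" recovery step in the section below would be skipped on this host. On a real system the file listing would come from a directory walk and the log lines from Sysmon event 1 or Security event 4688 exports.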
The Ransom Message
The moment Alpha Crypt is done with the file encryption, it replaces the wallpaper on the user's desktop with the %Desktop%\HELP_TO_SAVE_FILES.bmp ransom image. The Alpha Crypt program window, containing the detailed payment data, the ransom notes and links, will also be opened.
Remove Alpha Crypt and Restore the Encrypted Files
To remove Alpha Crypt from your computer, you are advised to install reputable anti-malware software and run a scan in Safe Mode without networking. It is recommended to use an offline installer, which lets you install the application while offline before booting into Safe Mode; a tutorial for this has been written below.
Restore Files Encrypted by Alpha Crypt
Security engineers strongly advise users NOT to pay the ransom and to attempt restoring the files using other methods instead. Here are several suggestions:
To restore your data, your first option is to check again for shadow copies in Windows using this software:
If this method does not work, Kaspersky has provided decryptors for files encrypted with RSA and other encryption algorithms:
Another method of restoring your files is data recovery software. Here are some examples of data recovery programs:
There is also the technical option of using a network sniffer:
Another way to decrypt the files is by using a network sniffer to obtain the encryption key while files are being encrypted on your system. A network sniffer is a program and/or device that monitors data traveling over a network, such as its internet traffic and packets. If you had a sniffer set up before the attack happened, you might get information about the decryption key.