Remove Alpha Crypt from Your Computer - How to, Technology and PC Security Forum |

Remove Alpha Crypt from Your Computer

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Alpha Crypt is a recently released piece of ransomware that is a variation of the TeslaCrypt ransomware. As other threat from the same nature, Alpha Crypt encrypts certain types of files on the compromised machine and demands a payment in Bitcoins in order to restore the damaged data. Experts remind that the only safe way to protect your sensitive information from ransomware attacks is to backup your important documents on a regular basis.

NameAlpha Crypt
Short DescriptionThe malware encrypts user data and demands ransom money for their decryption.
SymptomsUsers may witness their files encrypted with the .ecc, .ezz and other file extensions.
Distribution MethodVia Trojans and exploit kits featured in malicious links and malicious e-mail attachments.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Alpha Crypt
User Experience Join our forum to discuss Alpha Crypt.

Alpha Crypt’s Distribution

Experts report that the Alpha Crypt ransomware is distributed via the Angler Exploit Kit (EK). Files containing the EK and deliver the Alpha Crypt ransomware can be discovered in malicious online advertisements, prohibited torrent files or on web pages hosting malware. Alpha Crypt’s typical distribution method is through malicious attachments to spam email messages.

How Does Alpha Crypt Operate?

Once Alpha Cryptinfects a system, the ransomware connects to the C&C server, sending the user’s unique identifier along with the campaign ID. As soon as the information is received, the Command and Control server sends back a variety of ransom files, notes and instructions on how to decrypt data. The latter can be found in text files titled HELP_TO_SAVE_FILES.txt and RECOVERY_FILE.txt.

The threat then starts scanning the hard drives of the affected PC for certain files and then creates a %AppData%\key.dat file, where the encrypted data and the information about the encryption key are stored.

This particular piece of ransomware targets mainly personal files with the following extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

As soon as Alpha Crypt encrypts a file a .ezz extension is added to it. This is one of the differences between Alpha Crypt and TeslaCrypt. In the TeslaCrypt encryption process, the file gets a .ecc extension.

Alpha Crypt may delete the Shadow Volume Copies in order to prevent the victims from restoring their files.

The Ransom Message

The moment Alpha Crypt is done with the file encryption, it switches the wallpaper on the user’s desktop with the %Desktop%\HELP_TO_SAVE_FILES.bmp ransom file. The Alpha Crypt program containing the detailed payment data, the ransom notes and links will also be opened.

Here is an example of Alpha Crypts’s ransom note:

Remove Alpha Crypt and Restore the Encrypted Files

To remove Alpha Crypt from your computer, you are recommended to install a reputable anti-malware software and run a scan in Safe Mode without any networking. It is recommended to use an offline installer which will enable you to install the app while offline before booting in Safe Mode, tutorial for which has been written below.

1. Boot Your PC In Safe Mode to isolate and remove Alpha Crypt
2. Remove Alpha Crypt with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Alpha Crypt in the future
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the Alpha Crypt threat: Manual removal of Alpha Crypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Restore Files Encrypted by Alpha Crypt

Security engineers strongly advise users NOT to pay the ransom money and attempt restoring the files using other methods. Here are several suggestions:

To restore your data, your first bet is to check again for shadow copies in Windows using this software:

Shadow Explorer

If this method does not work, Kaspersky have provided a decryptors for files encrypted with the RSA and other encryption algorithms:

Kaspersky Decryptors

Another method of restoring your files is by trying to bring back your files via data recovery software. Here are some examples of data recovery programs:

EaseUS Data Recovery

There is also the technical option to use a network sniffer:

Another way to decrypt the files is by using a Network Sniffer to get the encryption key, while files are encrypted on your system. A Network Sniffer is a program and/or device monitoring data traveling over a network, such as its internet traffic and internet packets. If you have a sniffer set before the attack happened you might get information about the decryption key.

For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted via RSA Encryption


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share