
Remove Alpha Ransomware and Decrypt .Encrypt Files for Free


Unlike other ransomware variants, this crypto-malware takes an unusual approach to extortion. Named Alpha ransomware by researchers, it drops a ransom note in every encrypted folder and demands 400 US dollars, to be sent directly to the cyber-crooks in the form of iTunes gift card codes. Gift card codes are easy for the criminals to cash out or resell and hard to trace back to them, which is why this scheme suits them better than a bank transfer. Affected users should bear in mind that a working decryption method exists, thanks to a flaw in Alpha's code, and should not pay the ransom.

Threat Summary

Short Description: The ransomware encrypts files with a strong cipher and demands a $400 ransom, payable in iTunes gift cards, for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with payment instructions is dropped as a .txt file.
Distribution Method: Spam emails, email attachments, file-sharing networks.

Alpha Ransomware – How Does It Infect

To infect unsuspecting Windows users, the ransomware may rely on several distribution methods. The most common methods cyber-crooks use to spread ransomware fall into two types:

  • Directly distributing the malicious payload, either as a raw executable or inside an archive.
  • Distributing the malicious executable via malicious JavaScript and exploit kits hosted behind malicious URLs.

When the payload is distributed directly, you may encounter it on websites that pretend to offer a free program, wallpaper, emoticons and the like; such shady websites trick you into downloading the malware onto your computer.

The other distribution method Alpha ransomware may use is malicious web links. Such URLs may appear in social media spam, emails or referral spam, such as Snip(.)tw referral traffic, for example.

There is also the possibility of the ransomware being dropped by other malware that has previously infected the victim PC. One example is Win32/TrojanDropper.Agent.RFT.

Alpha Ransomware In Detail

Once executed on the computer, the ransomware is reported by Symantec researchers and by affected users to drop three files in different folders: a picture that is later set as the wallpaper, the ransom note, and the "encryptor" module. The files may be as follows:

In %Desktop%:
Read Me (How Decrypt) !!!!.txt
In %Application Data%:
Windows\svchost.exe
In the user's profile directory:

Naming the dropped file "svchost.exe" is a classic masquerading trick: the process looks like the legitimate Windows Service Host in a task list. The real svchost.exe lives in %SystemRoot%\System32, so a copy running from a user-writable folder such as Application Data is a reliable red flag. This is most likely the module that encrypts the user's files, because it is configured to run at Windows start-up by adding a value under the following registry subkey:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

The added value contains the path of the fake "svchost" executable, for example:

→ %SystemDrive%\Documents and Settings\{User’s Profile}\Application Data\Windows\svchost.exe

Furthermore, Alpha ransomware may also modify other registry keys to disable certain processes or even block access to Windows Task Manager. This is particularly cunning because the user cannot stop the encryption manually even if he or she catches the ransomware in the act, which is unlikely anyway, since the encryption runs very fast.
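To check a machine for the persistence mechanism described above, here is an added PowerShell example (my own code, not from the article or from Symantec's write-up). It lists Run-key values whose command points at a svchost.exe outside %SystemRoot%\System32, hashes the binary if it still exists, and reports the Task Manager policy value. The Run keys are the standard Windows locations; the article does not name the registry value the malware uses to block Task Manager, so checking the standard DisableTaskMgr policy value is an assumption.

```powershell
# Added example (not from the original article): read-only triage of the
# Run-key persistence and the Task Manager lock. Run in an elevated PowerShell.
# Assumptions: the Task Manager lock uses the standard DisableTaskMgr policy
# value; the Run value name is not known in advance, so every value is checked.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/PSChildName/... metadata properties.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # Pull the executable path out of the command line (quoted or bare).
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $isSvchost  = [IO.Path]::GetFileName($exe) -ieq 'svchost.exe'
            $inSystem32 = $exe.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)
            if ($isSvchost -and -not $inSystem32) {
                $exists = Test-Path -LiteralPath $exe
                $hash = $null
                if ($exists) { $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    Exists  = $exists
                    SHA256  = $hash
                }
            }
        }
    }
}

function Get-TaskManagerPolicy {
    # Assumption: the malware sets the standard DisableTaskMgr policy value.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue
    $value = 0
    if ($v) { $value = $v.DisableTaskMgr }
    [pscustomobject]@{ Path = $policy; DisableTaskMgr = $value }
}

Get-SuspiciousRunEntry | Format-List
Get-TaskManagerPolicy
```

A hit from Get-SuspiciousRunEntry gives you the value name to delete and the path and hash of the binary to collect; a DisableTaskMgr of 1 explains why Task Manager refuses to open and can be reset to 0 once the process is gone.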

Alpha Ransomware – File Encryption

The ransomware may begin scanning for and encrypting files with the following extensions:

→ .txt .wb2 .psd .p7c .p7b .p12 .pfx .pem .crt .cer .der .pl .lua .asp .php .incpas .asm .hpp .h .cpp .c .drf .blend .apj .3ds .dwg .sda .ps .pat .cmd .bat .class .jar .java .fxg .fhd .fh .svg .bmp .vbs .png .gif .dxb .drw .design .ddrw .ddoc .dcs .csl .csh .cpi .cgm .cdx .cdrw .cdr6 .cdr5 .cdr4 .cdr3 .cdr .awg .ait .ai .agd1 .ycbcra .x3f .stx .st8 .st7 .st6 .st5 .st4 .srw .srf .sr2 .sd1 .sd0 .rwz .rwl .rw2 .raw .raf .ra2 .ptx .pef .pcd .orf .nwb .nrw .nop .nef .ndd .mrw .mos .mfw .mef .mdc .kdc .kc2 .iiq .gry .grey .gray .fpx .fff .exf .erf .dng .dcr .dc2 .crw .craw .cr2 .cmt .cib .ce2 .ce1 .arw .3pr .3fr .mpg .jpeg .jpg .mdb .sqlitedb .sqlite3 .sqlite .sql .sdf .sav .sas7bdat .s3db .rdb .psafe3 .nyf .nx2 .nx1 .nsh .nsg .nsf .nsd .ns4 .ns3 .ns2 .myd .kpdx .kdbx .idx .ibz .ibd .fdb .erbsql .db3 .dbf .db-journal .db .cls .bdb .al .adb .backupdb .bik .backup .bak .bkp .moneywell .mmw .ibank .hbk .ffd .dgc .ddd .dac .cfp .cdf .bpw .bgt .acr .ac2 .ab4 .djvu .pdf .sxm .odf .std .sxd .otg .sti .sxi .otp .odg .odp .stc .sxc .ots .ods .sxg .stw .sxw .odm .oth .ott .odb .rtf .accdr .accdt .accde .accdb .sldm .sldx .ppsm .ppsx .ppam .potm .potx .pptm .pps .pot .xlw .xll .xlam .xla .xlsb .xltm .xltx .xlsm .xlm .xlt .xml .dotm .dotx .docm .dot .txt .py .css .js .doc .docx .xls .xlsx .ppt .pptx .odt .csv .sln .aspx .html .cs .vb

Source: Symantec

After encrypting the files, the Trojan may generate a per-victim decryption key, which suggests (but does not prove) the use of the RSA algorithm: keeping the only copy of the decryption key with the attacker is the hallmark of an asymmetric scheme. The keys are sent to a remote host that serves as the cyber-crooks' command and control server. The domain extensions may differ, for example .biz, .info, etc.

The ransomware also drops a Read Me (How Decrypt) !!!!.txt document containing the ransom message, written in an apologetic tone:

"We'd like to apologize for the inconveniences, however, your computer has been locked. In order to unlock it, you have to complete the following steps:
1. Buy iTunes Gift Cards for a total amount of $400.00
2. Send the gift codes to the indicated e-mail address
3. Receive a code and a file that will unlock your computer.
Please note:
– The nominal amount of the particular gift card doesn't matter, yet the total amount has to be as listed above.
– You can buy the iTunes Gift Cards online or in any shop. The codes must be correct, otherwise, you won't receive anything.
– After receiving the code and the security file, your computer will be unlocked and will never be locked again.
Sorry for the inconveniences caused."

On top of this, the user's wallpaper is replaced with a polished gray image bearing the word "encrypted".

Remove Alpha Ransomware and Restore the Encrypted Files

If you wish to remove the ransomware, back up the encrypted data first, so that you can attempt to restore it later; a failed or interrupted clean-up must not cost you the only copy of the encrypted files. We recommend that you NOT reinstall Windows, and instead use the tutorial below to locate the malicious executables, remove them and clean up the Windows Registry.

As for file restoration, you are in luck: a decryptor called "Alpha Decrypter" has been released. For more information, see step 3, "Restore files encrypted by Alpha", in the instructions below. Either way, we advise you NOT to pay the ransom, because doing so funds the cyber-criminals and you can decrypt your data for free.
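Before touching anything, preserve what the decryptor will need. The following is an added PowerShell example (mine, not the article's and not part of Alpha Decrypter) that copies every encrypted file and ransom note under the user profile to a separate destination, keeping the relative folder layout, and writes a SHA-256 manifest so you can tell later whether anything changed. It assumes encrypted files carry the ".encrypt" extension referred to in the article title, that the notes use the file name quoted above, and that E:\alpha-backup is a clean drive rather than the infected one; adjust the parameters to suit.

```powershell
# Added example (not from the original article): evidence-preserving backup of
# encrypted files and ransom notes before removing the malware.
# Assumptions: encrypted files end in ".encrypt" (from the article title); the
# note is named as quoted in the article; -Backup points at a clean volume.
param(
    [string]$Root   = $env:USERPROFILE,
    [string]$Backup = 'E:\alpha-backup'
)

$NoteName = 'Read Me (How Decrypt) !!!!.txt'

function Get-AlphaArtifact {
    param([string]$Path)
    # Hidden and system attributes are included (-Force) so nothing is missed.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -ieq '.encrypt') -or ($_.Name -eq $NoteName) }
}

function Backup-AlphaArtifact {
    param([string]$Path, [string]$Destination)
    $base     = $Path.TrimEnd('\')
    $manifest = New-Object 'System.Collections.Generic.List[string]'
    foreach ($f in Get-AlphaArtifact -Path $base) {
        # Recreate the path relative to $Path under the backup root.
        $rel  = $f.FullName.Substring($base.Length).TrimStart('\')
        $dest = Join-Path $Destination $rel
        New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
        # Hash the copy, not the original, so the manifest describes the backup.
        $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        $manifest.Add("$hash  $rel")
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $manifest | Set-Content -LiteralPath (Join-Path $Destination 'SHA256SUMS.txt') -Encoding UTF8
    return $manifest.Count
}

$count = Backup-AlphaArtifact -Path $Root -Destination $Backup
"Copied $count file(s) to $Backup. Re-run Get-FileHash against SHA256SUMS.txt before running any decryptor."
```

Run the decryptor against the copies, never the originals: if it mis-fires on a file, the manifest tells you which copies are still pristine, and the originals on the infected machine remain untouched for a second attempt.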


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and tech developments at SensorsTechForum for 3 years. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering the shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion in cybersecurity and is a strong believer in basic online-safety education for every user.
