Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Friday, May 1, 2015

Encrypted Files (.ezz extension) Malware Removal Guide

Tell your friends:
If most of your files are encrypted and have a .ezz extension, for example docname.docx.ezz or image.jpg.ezz then your computer is almost certainly infected with the Alpha Crypt ransomware. It's a new veriant of the TeslaCrypt ransomware. Obviously, encrypted files cannot be opened by the standard program. They must be decrypted first but the problem is that you need to purchase your private key using Alpha Crypt service (AlphaTool Decryption Service) in order to do so. The fact that malicious software exists, and exists purely to do us harm, is yesterday's news. We all know about the proliferation of the various types of malware from spyware and Trojan Horses to Potentially Unwanted Programs and adware, but the one thing that we do need to be aware of is the fact that malicious software is in a constant state of self-improvement. If improvement is the right word to use! And that means that we need to educate ourselves about the latest programs if we are to arm ourselves with the best defense against attack.

With that in mind, I'm going to take a closer look at ransomware that encrypts your files and append the .ezz extension to them; an unpleasant type of malware that is definitely an inhabitant of the more viscous end of the malware scale.

What does Alpha Crypt do?

Well we're giving no prizes away for guessing and the clue is most definitely in the name here as ransomware has been designed to hijack, or kidnap your files or data and render them unusable. It then sends you a ransom note HELP_TO_SAVE_FILES.txt which demands payment for the release of the files. You will be paying for a code which purports to be the key to unlocking the encrypted data. However, take any promises to send you this code with a bucket load of salt. Many ransomware programmers simply take the money and run, which shouldn't come as any great surprise, considering the people we're dealing with here! Alpha Crypt can be no exception.

How does ransomware send you a ransom note?

A ransom letter in the malware world won't be carefully cut out letters from newspapers like in the films of our youth (depending on how old you are!) but will be sent via an email or displayed on your screen. Some ransom notes are pop-up windows, others, rather menacingly take over your entire screen. This ransomware simply drops multiple HELP_TO_SAVE_FILES.txt files in folders where at least one file was encrypted. It also changes desktop background to HELP_TO_SAVE_FILES.bmp which displays the same ransom note as in the text file.

And just to add to the panic that you're no doubt experiencing since finding your computer in lock down mode, ransom notes amp up the fear factor in order to get you to pay quickly by telling you that the code will be invalid and you'll never be able to retrieve your files if you don't pay by a certain date (usually within 3 days).

But hold on, as it gets worse. Some types of ransomware design the note to look as if it was sent by the FBI, CIA or other law enforcement or government agency. The note will explain, in no uncertain terms, that you are being investigated due to your habit of visiting suspicious websites or illegally downloading programs. Even if you KNOW you haven't been on any websites supporting terrorism or download explicit images, the worry is still there. Did you accidentally click a link that you didn't mean to? Did someone else use your computer? Does the FBI know about that episode of The Walking Dead that you downloaded last week?

So now what? Should you make the problem go away by paying the ransom? The answer is most emphatically no. Do not encourage these online scammers. If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer program or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .ezz. You can also use TeslaCrypt Decryption Tool by Cisco. It might just work with Alpha Crypt as well. But before restoring your files, please remove the ransomware and related malware files from your computer. Otherwise, you will simply waste your time. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing Alpha Crypt and related malware:

Before restoring your files from shadow copies, make sure Alpha Crypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by Alpha Crypt virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Try the TeslaCrypt Decryption Tool by Cisco. Download TeslaDecrypt tool and run it.

Method 4: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Righ-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.


ken s said...

The Cisco Decryption tool didn't work for the ezz issues I have. This tool is supposed to work with ecc files (Tesla Encrypt) it seems.

José Antonio Arranz said...

change de extension ezz to ecc and solve it

Anonymous said...

even with the shift of extension .ezz to .ecc I doesn't work

Tudor Moldovan-Maniu said...

Jose, even if I changed the extensions the files was renamed with the original name and extensions but the file remain encrypted.

Admin said...

Don't change file extensions, otherwise you may simply corrupt your files. Wait until Cisco updates the Alpha/Tesla decryption tool. Currently, it only recognizes .ecc extension.

Anonymous said...

Hi there,

Tried to rename the extension files from ezz to ecc and then perform the TeslaDecrypter and it wont work as the files are not readable. Wonder any solutions?