
Friday, May 1, 2015

How to Remove Alpha Crypt Virus and Restore Encrypted Files

Alpha Crypt is a Trojan ransom (ransomware) from the same malware family as TeslaCrypt. It encrypts your files using the RSA-2048 encryption algorithm and then demands a ransom payment in order to decrypt your files ($500 USD in Bitcoins). Do you want to know what exactly it does, and how it infects your computer? If so, you've come to the right place, so carry on reading as we uncover the mystery of this strangely named ransomware, Alpha Crypt.

If you're pretty careful about what you do and don't download on your PC, it might shock you to know that in actual fact, you are almost wholly responsible for letting Alpha Crypt infect your computer. Why, you ask? It is because to enable a Trojan ransom to attack you in the first place, you must install the server component of the program. Of course, you don't do this wittingly; the ransomware has to con you into doing that. It will convince you that it is an innocent gift (or something useful) and that you really should accept it onto your PC.

Some variants of Alpha Crypt appear as pop-ups, caused by a previous infection of malware, others are packaged with files, apps or programs that are available for download on the internet, while others may be included as an attachment or link in an instant messenger chat app or an email sent to you by the programmer or disseminator of the malware. Open the attachment which is being distributed through the Angler Exploit Kit and, hey presto, you have triggered the ransomware simply by running the .exe file which will then install it. Once it is on your machine the server that the ransomware runs on will run the program each time you log on.

How much harm will Alpha Crypt do to me?

Plenty is the unfortunate answer to that. It is not nice, to say the least. It can cause serious issues that affect your hard drive and your operating system as well as your files, documents and other data. It will encrypt your files and append the .ezz extension to each of them. Since your files are encrypted and have this strange extension, you cannot open them without a special decryption tool and decryption key. Both can be bought from the cyber criminals. You just need to send them the RECOVERY_FILE.TXT file and, of course, pay a ransom. It's called AlphaTool Decryption Service. Don't get fooled: it's not a friendly decryption service run by geeks, it's in the control of the same cyber criminals who created the Alpha Crypt ransomware. In short, they can make using your computer an absolute nightmare – and that's not even taking into consideration the impact of lost data. When the encryption has finished, it will change your desktop background to the HELP_TO_SAVE_FILES.bmp ransom note and then open the HELP_TO_SAVE_FILES.txt ransom note. Finally it will open the Alpha Crypt encryptor program shown above. Both the ransom note and the encryptor program contain links and information on how you can pay the ransom to decrypt your files.

How can I ensure I don't get fooled by ransomware?

The good news is that there are things you can do to lower the risk of an attack from Alpha Crypt. Due to the way most ransom Trojans are spread, the biggest preemptive strike you can make is to never open emails if you don't know the sender. Opened one by mistake? Whatever you do, do not click on any links or open any attachments. The same goes for chat messages sent from unknown sources. You should also be wary even when you do know the sender before opening files or links as you never know if your contact has been hacked. Finally: a reputable antimalware – install one NOW if you haven't already!

What should you do if you've been infected by Alpha Crypt? Should you pay the fine?

In a word, no! There are two reasons for this: a) you're only encouraging further criminal activity and b) how do you know that you'll receive the decryption key anyway? If the encrypted files are not very important or you don't have money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer and the specialized tools listed below, like the TeslaCrypt Decryption Tool by Cisco. Even better if you have backups or copies in the cloud. Please note that even if you decide to pay the ransom there's really no guarantee that the cyber criminals will send you the private key and that you will be able to decrypt your files. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing Alpha Crypt and related malware:

Before restoring your files from shadow copies, make sure Alpha Crypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by Alpha Crypt virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Try the TeslaCrypt Decryption Tool by Cisco. Download TeslaDecrypt tool and run it.

Method 4: Try the TeslaDecoder Decryption Tool. Download TeslaDecoder tool and run it.

Method 5: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
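Before you start clicking through Shadow Explorer, it helps to know exactly which files were hit and when. The following is an added example written for this post (not code from the post or from any of the tools it links to): a Python triage script that walks a folder tree looking for the .ezz files and the HELP_TO_SAVE_FILES / RECOVERY_FILE.TXT notes described above, strips the .ezz suffix to produce the list of original paths to pull from a backup or shadow copy, and reports the earliest encryption time, so you can pick a shadow copy that predates the attack. The victim-like folder tree it builds for a dry run is constructed sample data.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Extension and note filenames as described in the post; everything else
# here is a constructed sample, not data from a real infection.
ENCRYPTED_EXT = ".ezz"
RANSOM_NOTES = {"HELP_TO_SAVE_FILES.txt", "HELP_TO_SAVE_FILES.bmp", "RECOVERY_FILE.TXT"}

def triage(root):
    """Walk `root` and report what an Alpha Crypt-style run touched.

    encrypted: the .ezz files; originals: paths to request from a backup or
    shadow copy (the .ezz suffix stripped); notes: ransom notes found;
    folders: affected folders; encrypted_since: earliest .ezz mtime, i.e.
    a shadow copy must be older than this to still hold clean files.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(Path(root)):
        for name in files:
            p = Path(dirpath) / name
            if name in RANSOM_NOTES:
                notes.append(p)
            elif p.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(p)
    since = None
    if encrypted:
        since = datetime.fromtimestamp(min(p.stat().st_mtime for p in encrypted))
    return {
        "encrypted": sorted(encrypted),
        "originals": sorted(p.with_suffix("") for p in encrypted),
        "notes": sorted(notes),
        "folders": sorted({p.parent for p in encrypted}),
        "encrypted_since": since,
    }

def build_sample_tree(base=None):
    """Create a constructed victim-like tree (in a temp dir by default)."""
    base = Path(base or tempfile.mkdtemp())
    docs, photos, music = base / "Documents", base / "Pictures" / "2014", base / "Music"
    for d in (docs, photos, music):
        d.mkdir(parents=True, exist_ok=True)
    (docs / "thesis.docx.ezz").write_bytes(b"\x00" * 64)  # encrypted file
    (docs / "HELP_TO_SAVE_FILES.txt").write_text("ransom note")
    (photos / "IMG_0001.jpg.ezz").write_bytes(b"\x00" * 64)
    (photos / "RECOVERY_FILE.TXT").write_text("victim id")
    (base / "README.txt").write_text("untouched")  # clean file; Music stays empty
    return base
```

Run `triage(build_sample_tree())` for the dry run, or `triage("C:\\Users\\<you>")` on a cleaned machine (after Step 1) to get the restore list; the `encrypted_since` value tells you the latest shadow-copy date that is still usable.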


Anonymous said...

The TeslaDecrypter tool from Cisco does not work in decrypting the Alpha Crypt variant encrypted files. The tool claims success, but the files are still encrypted, or are corrupted.

Anonymous said...

I have the same problem, files are still encrypted

Anonymous said...

Cisco tool does not work on Alpha Crypt, please help

Anonymous said...

The ISP is to blame; they provide a free copy of McAfee and it doesn't do its job correctly.

Ron Hatfield said...

Actually, the user is totally to blame for any infection. Don't click on links in emails, don't open attachments unless you are specifically expecting an attachment. Your ISP? Really?

Anonymous said...

A friend of mine had his PC infected on 5.5.2015 by this malware; 2 hard drives were infected by this Alpha Crypt Virus.
We had to reformat his C:\ drive and start from fresh. He still has W XP Pro and it's taken a long time to get all the updates including Service Pack 3. Now everything is working again. So in order that this will not happen to you, make regular backups of your files, but onto an external hard drive; after you have done this, disconnect the hard drive, so if you get another attack by this malware or any other virus your external HD will not be affected by this attack. Don't open any attachments or emails from persons you don't know!!!!