Alpha Crypt (also written Alpha Crypt virus or AlphaCrypt) is a recently released variant of the TeslaCrypt ransomware. It differs from the original TeslaCrypt in a few respects, including the process it uses to encrypt personal files. Like most ransomware, Alpha Crypt infects a computer, encrypts the files on it, and demands a ransom paid in an online currency such as Bitcoin in exchange for the privately generated key needed to recover the encrypted files.
When Alpha Crypt first infects a computer it connects to a Command & Control server and sends the victim’s unique identifier and the campaign ID. The server then sends back the ransom notes and related files, including the decryption instructions found in notes likely titled RECOVERY_FILE.txt and HELP_TO_SAVE_FILES.txt.
Alpha Crypt then scans the infected computer’s hard drives for specific file types and creates a %AppData%\key.dat file that is used to store information about the decryption key as well as a record of the files it has encrypted. The ransomware encrypts a large number of personal file types; the extensions it targets are listed below:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
When Alpha Crypt encrypts a file it changes the file extension to .ezz. This .ezz extension, rather than the .ecc extension used by the older TeslaCrypt, is one of the differences between the two. Victims cannot open files encrypted by the Alpha Crypt virus. The ransomware may also delete Shadow Volume Copies so that victims cannot recover the encrypted files from them.
When encryption has finished, the ransomware changes the desktop wallpaper to the %Desktop%\HELP_TO_SAVE_FILES.bmp ransom image and repeatedly opens the %Desktop%\HELP_TO_SAVE_FILES.txt ransom note. It also opens the Alpha Crypt application window, which contains ransom notes, links, and other information on how to pay the ransom and decrypt your files. The information displayed by the application is reproduced below.
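As an added illustration of the artifacts described above (this is not code from the original write-up), the following Python script walks a directory tree and reports the indicators named here: files renamed to .ezz, the HELP_TO_SAVE_FILES and RECOVERY_FILE ransom notes, and a key.dat file. The sample tree it builds is constructed for the demo; the real key store lives under %AppData%, so point the walk at a user profile when checking a live system.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the encrypted-file extension, the
# ransom-note names dropped on the desktop, and the key store the malware writes.
ENCRYPTED_EXT = ".ezz"
RANSOM_NOTES = {"HELP_TO_SAVE_FILES.txt", "HELP_TO_SAVE_FILES.bmp", "RECOVERY_FILE.txt"}
KEY_STORE = "key.dat"


def triage_tree(root):
    """Walk `root` and collect Alpha Crypt indicators into a summary dict."""
    summary = {"encrypted": [], "orig_exts": {}, "notes": [], "key_stores": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                summary["notes"].append(path)
            elif name.lower() == KEY_STORE:
                summary["key_stores"].append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                summary["encrypted"].append(path)
                # If the original extension survives in front of .ezz
                # (photo.jpg.ezz) record it; otherwise count it as unknown.
                orig = Path(name[: -len(ENCRYPTED_EXT)]).suffix.lower() or "<unknown>"
                summary["orig_exts"][orig] = summary["orig_exts"].get(orig, 0) + 1
    return summary


def is_likely_infected(summary):
    """Flag only when two independent indicator classes are present, so a
    stray .ezz file or a saved copy of the note alone does not trigger."""
    classes = ("encrypted", "notes", "key_stores")
    return sum(1 for c in classes if summary[c]) >= 2


def build_demo_tree():
    """Constructed sample tree (not a real infection) for exercising the triage."""
    root = tempfile.mkdtemp(prefix="alphacrypt_demo_")
    os.makedirs(os.path.join(root, "Desktop"))
    os.makedirs(os.path.join(root, "AppData", "Roaming"))
    for rel in ("Desktop/photo.jpg.ezz", "Desktop/report.docx.ezz", "Desktop/notes.ezz",
                "Desktop/HELP_TO_SAVE_FILES.txt", "Desktop/HELP_TO_SAVE_FILES.bmp",
                "Desktop/untouched.txt", "AppData/Roaming/key.dat"):
        Path(root, rel).write_bytes(b"constructed sample")
    return root
```

Running `triage_tree(build_demo_tree())` on the constructed tree reports three encrypted files (two with recoverable original extensions), two ransom notes and one key store, and `is_likely_infected` returns True.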
Alpha Crypt virus Examples:
Your personal files are encrypted! Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show encrypted files" Button to view a complete list of encrypted files, and you can personally verify this. Encryption was produced using a unique public key RSA-2048 generated on this computer. To decrypt files you need to obtain the private key.
Alpha Crypt All your important files are encrypted. At the moment, the cost of private key for decrypting your files is 0.7 BTC ~=154 USD. Yout Bitcoin address payment: Try to decrypt your files here (working only with TorBrowser)
How does Alpha Crypt virus get onto a computer?
Alpha Crypt is known to be distributed through the Angler Exploit Kit. Malicious files that contain the exploit kit and spread Alpha Crypt ransomware can be found in prohibited torrent files, malicious advertisements, and on websites that host malware. However, Alpha Crypt ransomware in particular is usually distributed through fraudulent email message content and email attachments.
How to remove Alpha Crypt (Removal Instructions)
1. Download and install the free or full version of Malwarebytes Anti-Malware software. The full version enables real-time protection to block malware and unwanted programs from infecting your computer, while the free version is just a free scan and removal tool.
2. Open the Malwarebytes Anti-Malware program.
3. Click the large Scan Now button or visit the “Scan” tab to manually run a scan.
4. Once the malware scan is complete, click the Remove Selected button and reboot your computer.
Ransomware usually infects one user account on a Windows system at a time. Here are some tips for removing ransomware by working from a different user account.
- Log into an account not affected by malware (with administrative rights) and perform a scan with reputable software to detect and remove malware.
- You can also delete the infected account.
- Another option is to create a new user account and remove the malware from there if the computer has only one Windows user account.
Safe Mode With Networking can be used to access the Internet for updates, drivers, removal software, or other files if internet and network connectivity is compromised.