Alpha Crypt belongs to the ransom-ware virus family together with its predecessor Tesla Crypt. This article will deal with its method of operation and advice on how to handle recovering files and removing it from your system.
AlphaCrypt – overview and method of operation
Once it installs on your computer Alpha Crypt begins scanning all drive letters (including external HDDs, SSDs and Flash Drives) for eligible target formats – which are basically all files in which you might have anything valuable. Full list for reference:
Once that phase is complete it begins encrypting each of those files. This is a slow process – it might take a while depending on data size and your CPU power and you will definitely feel a slowness to your computer. As soon as a file is successfully encrypted the original is immediately deleted, including the Shadow Volume Copy (which could be used by file recovery programs). Note that this is new to Alpha Crypt – it was possible to recover files deleted by TeslaCrypt but not with the newer Alpha Crypt. Once the virus runs out of targets to encrypt it will present itself to you demanding the ransom.
To pay or not to pay
Before making this decision make sure you are really affected with Alpha Crypt. Go to a random directory including your encrypted files and check on the file extension. Alpha Crypt encrypted files end with .EZZ, while files hit by Tesla Crypt will end with .ECC and .EXX. If you are not dealing with .EZZ then you should switch to our guide about Tesla Crypt
Now for the difficult question of why you shouldn’t pay
- Its basically never a good idea to pay the extortionist. The hackers that made the virus will use the money to make an even BETTER virus with which to extort after a couple of months
- There is never a guarantee you’ll actually get your files back. Worse, a random error in the code might prevent you from decrypting the files even if the thieves play fare
- There’s always the possibility of anti-malware companies to develop a decryption tool in the future (like it happened with Tesla Crypt)
- The first ransom-ware viruses once demanded around 100$. These days the price goes up to 300$ or even 500$. These values will only go up in the future.
- Do not trust any messages that warn you of tampering with the encrypted files. There is no way for them to know when you do anything to the files, this is just a scarecrow to deter you from recovering your files on your own instead of paying them ransom
You should only EVER pay if these files are absolutely vital for you and you cannot afford to lose them at all. And only as LAST RESORT if the decryption utility provided in the removal guide somehow doesn’t work properly.
What about anti-malware programs, can they help?
Yes, they can. Having an anti-malware program installed would have prevented the infection in the first place saving you the whole trouble. They can also clean your computer throughly to make sure the virus is completely eliminated. What they can’t do, however, is decrypt your files for you – you will have to download an utility and do that yourself (read below)
What you should do once you discover the virus
First obviously is to remain calm and shut down the computer, especially if you discovered the virus before all your files were encrypted. Proceed to make a copy of all important information you have for safe keeping – to save all that is still non-encrypted or to have another fresh copy on which to run possible decryption programs. Then remove the virus, manually or via anti-malware tool. Then restore to a backup point. Your files will still be encrypted, but you might clean any extra viruses that came with Alpha Crypt.
How was I infected
Unfortunately this is a difficult question to answer. Unlike adware, which mostly relies on tricking the user to install it himself, Alpha Crypt might also target program vulnerabilities. Popular programs like Adobe Flash or Java are prime targets. The only thing the user can really do is keep Windows Updates up to date and avoid dangerous sites. Most importantly DO NOT INSTALL OR RUN .EXE FILES UNLESS YOU ARE ABSOLUTELY CERTAIN THEY ARE NOT VIRUSES.
How to Remove AlphaCrypt and Restore Files
1. First, you need to enter windows in safe mode. If you do not know how to do that, check how to do it in our guide on the subject here.
2 After you do this, there should be a file called TeslaCrypt/Cryptolocker/Alpha Crypt on your desktop. I want you to right click it and choose Show File Location.
3. In the new folder that opens up, you will find three files: key.dat, log and tltudnb. Copy key.dat somewhere and then delete the 3 files.
4. At this point, you need to try to retrieve your files. Here is a link to a decrypting tool you can use to do this. It should work specifically for TeslaCrypt. Bear in mind that there are no guarantees your files will be restored – this may or may not work:
http://labs.snort.org/files/TeslaDecrypt_exe.zip (pay no attention to the name – it works for AlphaCrypt as well)
5. It is possible you may not even need to perform the next steps. Just check if the registry is there. Click the windows button then type regedit in the search field.
6. There are lots of folders and registry keys to the left. I want you to carefully navigate and locate the following folder:
7. Once you are there delete the registry on the right titled crypto13 or something similar. If you have any problems or you are unsure you did everything right, reach out to us on our Google+ channel, and we will personally help you.
8 (Optional). We created a free PC optimization guide for users who just removed a virus. Feel free to check it out. Otherwise congratulations for removing this ransomware, and I hope everything works out for you.