Alpha Crypt

By CagedTech in Ransomware

Alpha Crypt, also known as AlphaCrypt and, incorrectly, as the Alpha Crypt Virus, is a ransomware infection that is used to take a victim's computer hostage. Alpha Crypt is a variant of Tesla Crypt (or TeslaCrypt), a relatively new ransomware threat. There are very few differences between Alpha Crypt and its predecessor; they use nearly identical encryption algorithms and methods to carry out their attack. Alpha Crypt uses an attack pattern typical of these kinds of threats. Alpha Crypt attacks may have the following basic phases:

  1. Alpha Crypt may infect a computer using typical threat delivery methods. Some examples of methods used to spread Alpha Crypt may include other threat infections, social engineering, attack websites and infected email attachments. Alpha Crypt has been associated with the Angler Exploit Kit as well.
  2. Once Alpha Crypt has infected the targeted PC, Alpha Crypt encrypts files on the victim's computer. Alpha Crypt will only encrypt files with specific extensions, often associated with videos, documents, pictures, game saves or documents used in different professions.
  3. Once the victim's files have been encrypted, Alpha Crypt demands a ransom using cryptocurrencies (because of their anonymous nature). In most cases, Alpha Crypt will demand payment of its ransom through BitCoin. Once the victim pays the ransom, they are provided with a privately generated key that allows the recovery of the encrypted files. Unfortunately, it is nearly impossible to decrypt the encrypted files automatically without this key. Because of this, computer users should back up all important files in order to recover from these types of attacks and other disasters.

How the Alpha Crypt Attack is Carried Out

As soon as Alpha Crypt enters the victim's computer, Alpha Crypt establishes a connection with its Command and Control server. Alpha Crypt sends a unique identifier and campaign ID for the victim's computer. Then the server sends Alpha Crypt the files containing the ransom note for the attack. These ransom notes are contained in text files that may have different names. Some of these files may be named either HELP_TO_SAVE_FILES.txt or RECOVERY_FILE.txt.

Alpha Crypt then carries out its attack by scanning the infected hard drive and detecting all files whose extensions appear in Alpha Crypt's list of targets. Alpha Crypt targets files with the following file extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Files encrypted by Alpha Crypt will have their extension changed to .ezz (Tesla Crypt changes the file's extension to .ecc instead). Unfortunately, Alpha Crypt may also delete the Volume Shadow Copies of any files Alpha Crypt finds, meaning that this method of recovering encrypted files is no longer available. Besides depositing its ransom note, Alpha Crypt will also change the victim's Desktop image to a ransom image containing the same instructions.
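The post-infection indicators described above (the .ezz or .ecc renamed files and the dropped ransom notes) can be checked for on a file system during triage. The following is an added example written for this page, not code from the original article; it builds a constructed sample directory tree under a temporary path and scans it, and the subset of targeted extensions it uses to estimate exposure is taken from the list above.

```python
"""Scan a directory tree for Alpha Crypt / Tesla Crypt post-infection indicators."""
import os
import tempfile
from pathlib import Path

# Ransom note file names and encrypted-file extensions named on the page.
RANSOM_NOTES = {"HELP_TO_SAVE_FILES.txt", "HELP_TO_SAVE_FILES.bmp", "RECOVERY_FILE.txt"}
ENCRYPTED_EXTS = {".ezz", ".ecc"}  # .ezz = Alpha Crypt, .ecc = Tesla Crypt
# Subset of the targeted extensions from the page, used to count still-exposed files.
TARGETED_EXTS = {".docx", ".xlsx", ".jpg", ".pdf", ".sql", ".pem", ".pfx", ".sav", ".txt"}


def scan_for_alphacrypt(root):
    """Walk `root` and return encrypted files, ransom notes and an at-risk count."""
    encrypted, notes, at_risk = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if name in RANSOM_NOTES:          # note name is checked before extension
                notes.append(str(path))
            elif ext in ENCRYPTED_EXTS:       # already encrypted by the ransomware
                encrypted.append(str(path))
            elif ext in TARGETED_EXTS:        # untouched but on the target list
                at_risk += 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "at_risk": at_risk,
        "infected": bool(encrypted or notes),
    }


def build_sample_tree():
    """Constructed sample: a temp dir mimicking a partly encrypted user profile."""
    root = Path(tempfile.mkdtemp(prefix="alphacrypt_demo_"))
    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    for rel in ("Desktop/HELP_TO_SAVE_FILES.txt", "Desktop/HELP_TO_SAVE_FILES.bmp",
                "Documents/report.ezz", "Documents/photo.ezz",
                "Documents/notes.txt", "Documents/budget.xlsx"):
        (root / rel).write_text("constructed sample content")
    return root


if __name__ == "__main__":
    print(scan_for_alphacrypt(build_sample_tree()))
```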

The following are examples of ransom messages associated with Alpha Crypt:

Your personal files are encrypted!
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show encrypted files" Button to view a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated on this computer. To decrypt files you need to obtain the private key.

Alpha Crypt
All your important files are encrypted.
At the moment, the cost of private key for decrypting your files is 0.7 BTC ~=154 USD.
Your Bitcoin address payment:
Try to decrypt your files here (working only with TorBrowser)

File System Details

Alpha Crypt may create the following file(s):
# File Name Detections
1. %Desktop%\HELP_TO_SAVE_FILES.bmp
2. %Desktop%\HELP_TO_SAVE_FILES.txt