ALVIN Ransomware

The ALVIN Ransomware is a threatening crypto locker that, so far, has not been linked to any pre-existing ransomware family. If it manages to infiltrate the targeted computer, it initiates its encryption process, and because every file stored on the device is encrypted with an uncrackable algorithm, users are effectively locked out of their data. Each encrypted file is renamed according to a pattern hard-coded in the threat: [Email of the hackers].[Unique ID assigned to the victim].[Original Filename].[Ransomware Extension]. In the case of ALVIN, the email address inserted into the filenames is 'rimon.argan@gmail.com,' and the new file extension is '.ALVIN.' The criminals leave instructions for their victims in text files named 'HOW TO RECOVER ENCRYPTED FILES.txt,' dropped in every folder that contains encrypted data.

ALVIN File Encryption

The ALVIN Ransomware gets to work as soon as it infects the computer, using strong cryptographic algorithms to encrypt the files stored on it. It then appends the '.ALVIN' extension to each file's name; for example, a document called doc1.docx becomes doc1.docx.ALVIN.

Given that only the filename appears to have changed, you might think renaming the file back would be enough. This is not the case, however: the file contents are still fully encrypted. Renaming the files could also cause permanent damage to the computer, so it is not recommended.

According to the ransom note, affected users who want their files back must pay a ransom to the criminals in exchange for a decryption tool; the note does not specify the amount demanded. The primary contact address is the one embedded in the encrypted filenames, 'rimon.argan@gmail.com,' and if victims receive no response within 24 hours they are told to write to the secondary address 'poeasws@protonmail.com.' One file no larger than 1MB can be attached for free decryption. To pressure victims into making contact quickly, the criminals threaten to delete the decryption key needed to restore the data after one week.
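The naming scheme and note filename described above are enough to triage an affected disk image offline. The following is an added example, not code from the page's author: it parses ALVIN-style filenames (both the email.ID.name.ALVIN form and the plain doc1.docx.ALVIN form), counts ransom-note drops, and collects the victim IDs seen. The victim ID format and the sample paths are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

ALVIN_EMAIL = "rimon.argan@gmail.com"            # values reported for ALVIN
ALVIN_EXT = ".ALVIN"
RANSOM_NOTE = "HOW TO RECOVER ENCRYPTED FILES.txt"

# [email].[victim ID].[original filename].[extension], anchored on the known email so
# the dots inside the address are not taken for separators. The victim ID format is
# not documented on the page; assumed here to contain no dots.
FULL_PATTERN = re.compile(
    r"^" + re.escape(ALVIN_EMAIL) + r"\.(?P<victim_id>[^.]+)\.(?P<original>.+)"
    + re.escape(ALVIN_EXT) + r"$"
)

def parse_alvin_name(name: str) -> Optional[dict]:
    """Return {'original', 'victim_id'} for a file renamed by ALVIN, else None. Covers
    both forms on the page: email.ID.name.ALVIN and the plain 'doc1.docx.ALVIN'."""
    if not name.endswith(ALVIN_EXT):
        return None
    m = FULL_PATTERN.match(name)
    if m:
        return {"original": m.group("original"), "victim_id": m.group("victim_id")}
    return {"original": name[: -len(ALVIN_EXT)], "victim_id": None}

def triage(paths: Iterable[str]) -> dict:
    """Summarise an infection: encrypted files, note locations, victim IDs seen."""
    summary = {"encrypted": [], "notes": [], "victim_ids": set(), "folders_hit": set()}
    for p in paths:
        path = Path(p)
        if path.name == RANSOM_NOTE:
            summary["notes"].append(str(path))
            continue
        parsed = parse_alvin_name(path.name)
        if parsed:
            summary["encrypted"].append(str(path))
            summary["folders_hit"].add(str(path.parent))
            if parsed["victim_id"]:
                summary["victim_ids"].add(parsed["victim_id"])
    return summary

# Constructed sample paths (hypothetical victim ID 'ID12345'), not real artefacts.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/rimon.argan@gmail.com.ID12345.report.docx.ALVIN",
    "C:/Users/alice/Documents/HOW TO RECOVER ENCRYPTED FILES.txt",
    "C:/Users/alice/Pictures/doc1.docx.ALVIN",
    "C:/Users/alice/notes.txt",
]
```

To run it over a mounted image instead of the sample list, pass `(str(p) for p in Path(root).rglob("*") if p.is_file())` to `triage`.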

The full text of the ransom note delivered by the ALVIN Ransomware is:

'ALVIN Ransomware" Your unique ID:"-"
===========================
All personal files on your computer are encrypted!
===========================
TEST OUR TOOL FIRST:
Before you make a payment you should test our tool first for decrypting your data.
Before paying to send us up to 1 file for free decryption.
The total size of the file must be less than 1Mb (the file should not be important to you).
===========================
Don't worry, you can restore all your files.
Without the original key recovery is impossible.
If you want to decrypt your files, you have to pay in Bitcoin.
The price depends on how fast you write to us.
If you want to restore files, write us to the email: "rimon.argan@gmail.com"
It is in your interest to respond as soon as possible to ensure the restoration of your files,
Because we won't keep your decryption keys at our server more than one Week because of our security.
===========================
Only in case you do not receive a response from the first email address
Withit 24 hours, please use this alternative email adress: "poeasws@protonmail.com"
===========================
You can buy bitcoin from here:
hxxps://localbitcoins.net/buy_bitcoins
hxxps://libertyx.com/
hxxps://www.coinmama.com/buy
-You can find other places to buy Bitcoins and beginners guide here:
hxxps://www.coindesk.com/information/how-can-i-buy-bitcoins
===========================
CAUTION!
1-Using other tools could corrupt your files, in case of using third party software
We don't give guarantees that full recovery is possible.
2-Please do not change the name of files or file extension if your files are important to you!'

Should You Pay the Ransom?

As the note states, there is no way to get your data back without paying the ransom, and it walks the victim through buying Bitcoin to do so. Malware researchers nevertheless recommend that you do not pay: there is no guarantee the attackers will hand over the decryption tool they claim to have, and no guarantee that it would work if they did.

Although the files themselves cannot be decrypted, that does not mean they cannot be recovered. Experts recommend restoring the data from an external backup, and the more backups you keep, the better: aim for at least one external hard drive and one cloud backup. If you have no external hard drive, an internal backup combined with data recovery software may still get the computer back to normal. This option is often unavailable, however, because of how ransomware works: one nasty trick of ALVIN and its ilk is deleting the Shadow Volume Copies that recovery programs rely on. Without them, restoring the computer may prove difficult, if not impossible.
