TeslaCrypt ransomware changes its name to Alpha Crypt


96 replies to this topic

#1 Grinler
    Lawrence Abrams
  • Admin
  • 43,066 posts
  • Gender:Male
  • Location:USA

Posted 30 April 2015 - 04:46 PM

A guide on TeslaCrypt and Alpha Crypt is now available at this link:

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

This guide contains all known information about these ransomware infections.

Over the past couple of days the TeslaCrypt ransomware has changed its name to Alpha Crypt with only a few noticeable differences. Recently we had heard about a new ransomware that was similar to TeslaCrypt but was not able to find an installer. It wasn't until today, thanks to Cody Johnston and http://malware-traffic-analysis.net, that we were able to get a sample of this infection. After analyzing it and its associated TOR payment site, we can see that Alpha Crypt is the same as TeslaCrypt.


[Image: alphacrypt-application.jpg]


According to Malware-traffic-analysis, Alpha Crypt is being distributed through the Angler Exploit Kit. When installed, Alpha Crypt will scan your computer's drive letters for data files that match certain file extensions. When a targeted file is found, it will encrypt it and append the .ezz extension to it. The use of the .ezz extension rather than the .ecc extension is one of the differences between Alpha Crypt and TeslaCrypt. The file types targeted by Alpha Crypt are:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

For the most part, the targeted extensions are the same, with some additions and removals. During the encryption process it will create the %AppData%\key.dat file and store information in the key. We are unsure at this time if the information stored in this file can be used to decrypt encrypted files like it could for TeslaCrypt. It will also store a list of all encrypted files in the %AppData%\Log.html file.

When the encryption has finished, it will change your wallpaper to the %Desktop%\HELP_TO_SAVE_FILES.bmp ransom note and then open the %Desktop%\HELP_TO_SAVE_FILES.txt ransom note. Finally it will open the Alpha Crypt application shown above. The Alpha Crypt application and ransom notes contain links and information on how you can pay the ransom to decrypt your files.

When you access the decryption site, you will be greeted with a site that is identical to the one used by TeslaCrypt. The only difference is that the name of the ransomware has changed, the title of the site has been changed to AlphaTool Decryption Service, and that PayPal MyCash cards are no longer a payment option. Like TeslaCrypt the Alpha Crypt site offers a free decryption of one file and a support page where you can communicate with the developers. The current ransom cost is .7 bitcoins.
 

[Image: alpha-tool-decryption-service.jpg]


As this is a fairly new variant, it is unknown whether the existing decryption techniques for TeslaCrypt will work with Alpha Crypt. As soon as we know, we will post the info here.


Known Alpha Crypt Ransomware Files:
%AppData%\<random>.exe
%AppData%\log.html
%AppData%\key.dat
%Desktop%\HELP_TO_SAVE_FILES.txt
%Desktop%\HELP_TO_SAVE_FILES.bmp
%Desktop%\Save_Files.lnk
%Documents%\RECOVERY_FILE.TXT
Known Alpha Crypt Ransomware Registry keys:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AVSvc	%AppData%\<random>.exe
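A small triage script for the artifacts described in this post (an added example, not code from the original post or from BleepingComputer): it tallies .ezz files by their original extension, flags the ransom-note, log and key file names listed above, and on Windows checks for the AVSvc Run value. The sample directory it builds is constructed for the demonstration and contains no real malware artifacts.

```python
"""Triage helper for an Alpha Crypt (TeslaCrypt variant) infection.
Added example, not from the original post: tallies .ezz files by original
extension, flags the artifact names the post lists, checks the HKCU Run value."""
import os
import sys
import tempfile
from collections import Counter

# Names taken from the post's "Known Alpha Crypt Ransomware Files" list.
INDICATOR_NAMES = {"help_to_save_files.txt", "help_to_save_files.bmp",
                   "save_files.lnk", "recovery_file.txt", "log.html", "key.dat"}
ENCRYPTED_SUFFIX = ".ezz"

def triage(root):
    """Return (Counter of original extensions, sorted list of indicator paths)."""
    by_ext, indicators = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in INDICATOR_NAMES:
                indicators.append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_SUFFIX):
                # "report.docx.ezz" -> ".docx"; no inner extension -> "(none)"
                original = lower[:-len(ENCRYPTED_SUFFIX)]
                by_ext[os.path.splitext(original)[1] or "(none)"] += 1
    return by_ext, sorted(indicators)

def run_value_present(value_name="AVSvc"):
    """Look for the HKCU Run value the post names (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            winreg.QueryValueEx(key, value_name)
        return True
    except FileNotFoundError:
        return False

def build_sample_tree():
    """Constructed sample tree (not real artifacts) so the helper runs offline."""
    root = tempfile.mkdtemp(prefix="alphacrypt_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.docx.ezz", "docs/budget.xlsx.ezz", "photo.jpg.ezz",
                "HELP_TO_SAVE_FILES.txt", "docs/notes.txt", "backup.ezz"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    print(triage(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()), run_value_present())
```

Point it at a user profile or a shared folder to get a count of encrypted files per original type, which is also a quick way to check whether the hit matches the extension list above or a different variant.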



#2 nige78
  • Members
  • 1 posts
  • Gender:Male

Posted 30 April 2015 - 11:33 PM

I have gone through the process of removing the virus, paying the bitcoins ($760), then entering the keys they gave me into the decryption software that they also gave me & running the software.

 

It looked like it was decrypting all the files, but they are still unreadable!? All Word & PDF files won't open and give an error that says the files are not supported or the files are damaged/corrupted.

 

Does anyone have any suggestions with the corruption/damage side of things?



#3 Sirawit
    Bleepin' Brony
  • Malware Response Team
  • 4,152 posts
  • Gender:Male
  • Location:Thailand

Posted 01 May 2015 - 12:21 AM

First Alphacrypt topic appears here now....


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#4 RobertHD
  • Members
  • 348 posts
  • Gender:Male
  • Location:Somewhere in Oz

Posted 01 May 2015 - 01:50 AM

3 days to pay! Now I'm upping my security a bit more.


Robert James Crawley Klopp


#5 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 17,323 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 01 May 2015 - 06:57 AM

The URL to Malware-Traffic website redirects to this thread.

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 Grinler
    Lawrence Abrams
  • Topic Starter
  • Admin
  • 43,066 posts
  • Gender:Male
  • Location:USA

Posted 01 May 2015 - 08:51 AM

Fixed.

#7 rp88
  • Members
  • 2,711 posts
  • Gender:Not Telling

Posted 01 May 2015 - 01:19 PM

What is it with crooks suddenly changing the name of their foul tools? There seem to have been a few incidences of changing names this week.

#8 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 17,323 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 01 May 2015 - 01:22 PM

Because "progress" I imagine, or they want to "start fresh". Even though saying that sounds really stupid.



#9 NeoPoe
  • Members
  • 3 posts

Posted 01 May 2015 - 03:43 PM

So, I work at a hospital and someone in our network was nice enough to get this on their machine.  It encrypted the contents of a public folder that holds critical information.  (I did not set up the backup scheme, as it was done before I started, and we were not able to restore from backup).

 

We were able to remove the malware from the original machine, but have not yet been able to decrypt the files.  Anyone found a solution for this yet?



#10 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 17,323 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 01 May 2015 - 04:22 PM

If nothing was posted by Grinler about decryption, it most likely means that nothing was found yet. Since it's "quite" new, I guess that Fabian, Grinler and/or Nathan are probably working on it and as soon as they find a way to decrypt the files, they'll let the users here know. For now, you can still try to recover the files using the "Previous Versions" of the encrypted files, assuming that the command to delete the Shadow Volume Copies failed or wasn't run at all. Otherwise, you can try data recovery software, even though none of them guarantee that they'll recover everything, if anything at all. Three good ones are:
  • EaseUS Data Recovery Wizard;
  • Recuva by Piriform;
  • GetDataBack NTFS;
In the future, maybe it would be a good idea to implement a solution to protect against Cryptoware on the network, like CryptoPrevent (from Foolish IT), HitmanPro.Alert (from SurfRight) and/or CryptoMonitor (from Nathan, our DecrypterFixer). All of these products have a "corporate" solution that can be used by Enterprises, Companies, etc. If you need the links to these products (two of them are on BleepingComputer with Reps), let me know.



#11 xbill
  • Members
  • 3 posts

Posted 01 May 2015 - 06:04 PM

It may look the same, but it must encrypt files differently.  The Cisco Tesla Decrypter tool looks for ecc files and ignores ezz files.  If you rename the .ezz files to .ecc, the decrypter tool claims success, but the files are corrupted, or still encrypted.  

 

I'm helping someone who had all her files encrypted.  I tried the TeslaDecrypter tool.  It said it found the master key and said "Success!" but it didn't decrypt the files - they are unreadable, corrupted, or still encrypted.

 

Anyone know if Cisco Tesla group is analyzing this new variant and working on an updated version of the decrypter?


Edited by xbill, 01 May 2015 - 06:04 PM.


#12 Grinler
    Lawrence Abrams
  • Topic Starter
  • Admin
  • 43,066 posts
  • Gender:Male
  • Location:USA

Posted 01 May 2015 - 06:59 PM

> It may look the same, but it must encrypt files differently.  The Cisco Tesla Decrypter tool looks for ecc files and ignores ezz files.  If you rename the .ezz files to .ecc, the decrypter tool claims success, but the files are corrupted, or still encrypted.
>
> I'm helping someone who had all her files encrypted.  I tried the TeslaDecrypter tool.  It said it found the master key and said "Success!" but it didn't decrypt the files - they are unreadable, corrupted, or still encrypted.
>
> Anyone know if Cisco Tesla group is analyzing this new variant and working on an updated version of the decrypter?


I already sent the sample to the developer of TeslaDecrypt. I know he's swamped, so waiting to hear back.

#13 NeoPoe
  • Members
  • 3 posts

Posted 01 May 2015 - 09:27 PM

I was provided the Cisco tool from our McAfee guy. We had the same lack of success.

#14 Tstroke
  • Members
  • 37 posts

Posted 04 May 2015 - 02:29 PM

I now have the same problem as of today. All personal files have .ezz extension.

I found a removal tool from PCRISK called sh-remover.exe. Is this file safe or have you heard of it?

 

T



#15 joeyjr
  • Members
  • 6 posts

Posted 04 May 2015 - 03:12 PM

Hi friends, I have the same problem: all my files are *.ezz and TeslaDecrypter says success!! but it does not work.

Must I pay? Please help me.





