Alpha Ransomware (.encrypt) Support Topic - Read Me (How Decrypt) !!!!.txt



#1 Demonslay335


Posted 28 April 2016 - 10:21 AM

A new ransomware was discovered that demands the ransom using $400 in iTunes gift cards. Files are encrypted with ".encrypt", and the ransom note "Read Me (How Decrypt) !!!!.txt" is dropped in each directory that was affected.

Thankfully, files encrypted by this ransomware can now be decrypted for free. I have created a decrypter, which can be downloaded from this URL:

http://www.bleepingcomputer.com/download/alphadecrypter/

To extract the decryptor, you need to use the password: false-positive. A password needed to be added as Google was flagging the file as malicious due to false positives.

The ransom note contains the following text.
 

Greetings,
We'd like to apologize for the inconveniences, however, your computer has been locked. In order to unlock it, you have to complete the following steps:
 
1. Buy iTunes Gift Cards for a total amount of $400.00
2. Send the gift codes to the indicated e-mail address 
3. Receive a code and a file that will unlock your computer.
 
Please note:
- The nominal amount of the particular gift card doesn't matter, yet the total amount have to be as listed above.
- You can buy the iTunes Gift Cards online or in any shop. The codes must be correct, otherwise, you won't receive anything.
- After receiving the code and the security file, your computer will be unlocked and will never be locked again.
 
Sorry for the inconveniences caused.

 
Due to a bug in the code, the email addresses are not listed, but can be extracted from the malware.
 
 
criptote@hmamail.com
referas@hmamail.com
terder@hmamail.com
utera@hmamail.com
criptotak@hmamail.com
The following image is set as the background for the victim. [image: RNvnVPcg.jpg]

The following extensions are targeted.
 

.3ds, .3fr, .3pr, .ab4, .ac2, .accdb, .accde, .accdr, .accdt, .acr, .adb, .agd1, .ai, .ait, .al, .apj, .arw, .asm, .asp, .aspx, .awg, .backup, .backupdb, .bak, .bat, .bdb, .bgt, .bik, .bkp, .blend, .bmp, .bpw, .c, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmd, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .css, .csv, .dac, .db, .db3, .dbf, .db-journal, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .der, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dwg, .dxb, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fpx, .fxg, .gif, .gray, .grey, .gry, .h, .h, .hbk, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iiq, .incpas, .jar, .java, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdb, .mdc, .mef, .mfw, .mmw, .moneywell, .mos, .mpg, .mrw, .myd, .ndd, .nef, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx1, .nx2, .nyf, .odb, .odf, .odg, .odm, .odp, .ods, .odt, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pat, .pcd, .pdf, .pef, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps, .psafe3, .psd, .ptx, .py, .ra2, .raf, .raw, .rdb, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .sav, .sd0, .sd1, .sda, .sdf, .sldm, .sldx, .sln, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .txt, .vb, .vbs, .wb2, .x3f, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra

 
Analysis of this ransomware is still underway, and more information will be released later.
 
If you are a victim of this ransom, do not pay the ransom. Please post here for assistance.

Edited by Grinler, 28 July 2016 - 09:58 AM.


#2 al1963

Posted 02 May 2016 - 04:37 AM

We must add that the launch of the Task Manager is blocked:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

---------------

@Demonslay335,

 

Does the decoder only work on the active system that was encrypted by alfa_ransomware?

Is the decoder key tied to the Task Manager lock, or is that not the most important thing in this case?



#3 Demonslay335


Posted 02 May 2016 - 08:07 AM

Correct, Task Manager is disabled by the malware. Usually MalwareBytes and other cleanup tools will pick up on that.

We may have forgotten to mention the decrypter does have to be run on the same system that was infected. Don't want to publicly reveal the flaw yet, but it will work on the same computer even if the system is reloaded.



#4 al1963


Posted 02 May 2016 - 08:25 AM

I agree. The decoder's task is to decrypt the files; fixing the system registry and deleting the encoder's bodies is a task for anti-virus tools. In such cases I usually use uVS (Universal Virus Sniffer); it shows the encoders' startup keys perfectly.

The decoder worked perfectly. All files encrypted by alfa_ransomware were correctly restored.


Edited by al1963, 02 May 2016 - 08:26 AM.


#5 Ironwing


Posted 10 May 2016 - 06:13 AM

Hello,

 

One of our computers at the administration just got hit by a ransomware attack (a few days ago). It's similar to the Alpha Ransomware, but AlphaDecrypter can't solve the problem.

The encrypted files' extension is .encrypt, and the txt files (which are attached to the folders) have the same name, but the text inside the file is different.

I tried to identify it with the ID Ransomware website. The website said it's the Alpha Ransomware, and that's why I tried AlphaDecrypter. So I would like to ask: is there any chance to decrypt our files, or is it maybe a totally different ransomware?

 

Thanks in advance!
 

 

Read Me (How Decrypt) !!!!.txt  :

 

   Your personal files are encrypted.
 
Your documents,photos,databases and other important files have been encrypted with strongest encryption and unique key,generated for this computer.
 
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
 
Open site 
 
torproject.org/download/download-easy.html.en , download and install Tor Browser.
 
Your files are encrypted!
 
Click on the link for decrypt  7oi7hrcrc4i5riel.onion/key.php?id=86587F22015204DBC72B3E0AAD38E9D9
 
 

Edited by Ironwing, 10 May 2016 - 06:39 AM.


#6 Demonslay335


Posted 10 May 2016 - 08:34 AM

We've found this ransomware may be part of a kit, so it's possible modifications were made by another actor. Was the background of the computer changed to the same image as the article?

 

Any chance you have the malware executable? It can be submitted here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#7 dreamaholic1356


Posted 10 August 2016 - 08:48 PM

I just got encrypted on 9/8/2016, and all my artwork is encrypted..... I still can't decrypt; all files are still there, but all changed into the README file name.... Can anyone help??? Crying. Thanks in advance.



#8 quietman7


Posted 11 August 2016 - 04:18 AM

README.TXT or Read Me (How Decrypt) !!!!.txt?

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files.

#9 dreamaholic1356


Posted 11 August 2016 - 06:44 AM

This is really good news. I am sure to make a donation after your kind help. Million thanks! I will send it now.



#10 dreamaholic1356


Posted 11 August 2016 - 06:47 AM

This ransomware is still under analysis.

Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.

#11 dreamaholic1356


Posted 11 August 2016 - 06:50 AM

After uploading an encrypted jpg file: This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: README.txt
  • sample_bytes: [0x0 - 0x64] 0xF42D240F12DF4D2312DF4D2312DF4D2312DF4D23F42D240FF42D240FF42D240F


#12 Demonslay335


Posted 11 August 2016 - 08:16 AM

Quoting dreamaholic1356:

After uploading an encrypted jpg file: This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: README.txt
  • sample_bytes: [0x0 - 0x64] 0xF42D240F12DF4D2312DF4D2312DF4D2312DF4D23F42D240FF42D240FF42D240F

That is an identification of CrypMic, and will definitely be accurate since it is a unique hex pattern left by that ransomware. There is no way to decrypt I'm afraid, just as ID Ransomware will state. You can find more information in the support topic the site links you to.

 

 

The ransomware this topic is about honestly was not very widespread, and it is probably dead, so you were definitely not hit by Alpha if you were just recently infected.
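As an added example (not the decrypter's or ID Ransomware's own code), a small Python triage script that applies only the identifiers quoted in this thread: Alpha's note name and ".encrypt" extension from the first post, and the README.txt note plus the 32-byte sample_bytes pattern ID Ransomware reported for CrypMic in the posts above. The victim directories it builds are constructed sample data, not real samples.

```python
"""Directory triage using the identifiers quoted in this thread (added example)."""
import os
import tempfile

# Identifiers from the thread: Alpha note/extension, CrypMic note/header pattern.
ALPHA_NOTE = "Read Me (How Decrypt) !!!!.txt"
ALPHA_EXT = ".encrypt"
CRYPMIC_NOTE = "README.txt"
# sample_bytes reported by ID Ransomware, found within the first 0x64 bytes.
CRYPMIC_PATTERN = bytes.fromhex(
    "F42D240F12DF4D2312DF4D2312DF4D2312DF4D23F42D240FF42D240FF42D240F")
CRYPMIC_WINDOW = 0x64


def has_crypmic_header(path):
    """True if the CrypMic byte pattern occurs in the first 0x64 bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(CRYPMIC_WINDOW)
    return CRYPMIC_PATTERN in head


def classify_directory(directory):
    """Return 'alpha', 'crypmic' or 'unknown' for one affected directory."""
    names = set(os.listdir(directory))
    # Alpha: its note is dropped per directory and files are renamed with .encrypt
    if ALPHA_NOTE in names and any(n.endswith(ALPHA_EXT) for n in names):
        return "alpha"
    # CrypMic: README.txt note plus a data file carrying the unique header pattern
    if CRYPMIC_NOTE in names:
        for n in names - {CRYPMIC_NOTE}:
            p = os.path.join(directory, n)
            if os.path.isfile(p) and has_crypmic_header(p):
                return "crypmic"
    return "unknown"


def build_sample_tree():
    """Construct two fake victim directories (constructed data); returns their paths."""
    root = tempfile.mkdtemp()
    alpha = os.path.join(root, "alpha")
    os.mkdir(alpha)
    open(os.path.join(alpha, ALPHA_NOTE), "w").close()
    open(os.path.join(alpha, "photo.jpg" + ALPHA_EXT), "wb").close()
    crypmic = os.path.join(root, "crypmic")
    os.mkdir(crypmic)
    open(os.path.join(crypmic, CRYPMIC_NOTE), "w").close()
    with open(os.path.join(crypmic, "art.jpg"), "wb") as fh:
        fh.write(b"\x00" * 16 + CRYPMIC_PATTERN + b"\xaa" * 64)  # pattern at offset 16
    return root, alpha, crypmic
```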

