Recently, the BloodDolly security experts discovered a new file encrypter called Alfa Ransomware, or Alpha Ransomware, which comes from the developers of Cerber. Because BloodDolly is still analyzing the newly found ransomware, there is not much information about it yet. Nevertheless, the preliminary reports show that files encrypted by Alfa Ransomware are not decryptable.
Currently, Alfa Ransomware, or Alpha Ransomware, uses two different names in the ransom note and on the TOR payment website. In the ransom note, the ransomware calls itself Alpha Ransomware, while on the TOR payment website it refers to itself as Alfa Decryptor, with a custom logo of its own.
Presently, it is still unknown how Alfa Ransomware is distributed, but once a computer is infected, the ransomware scans all local drives for certain file types. When it finds a file with a targeted extension, it encrypts the file and appends the .bin extension to the encrypted file. For instance, mypicture.jpg will be encrypted to the filename mypicture.jpg.bin.
Currently, the file types targeted by the Alfa Ransomware are:
.c, .h, .m, .ai, .cs, .db, .nd, .pl, .ps, .py, .rm, .3dm, .3ds, .3fr, .3g2, .3gp, .ach, .arw, .asf, .asx, .avi, .bak, .bay, .cdr, .cer, .cpp, .cr2, .crt, .crw, .dbf, .dcr, .dds, .der, .des, .dng, .doc, .dtd, .dwg, .dxf, .dxg, .eml, .eps, .erf, .fla, .flvv, .hpp, .iif, .jpe, .jpg, .kdc, .key, .lua, .m4v, .max, .mdb, .mdf, .mef, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .nef, .nk2, .nrw, .oab, .obj, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .ost, .p12, .p7b, .p7c, .pab, .pas, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .pps, .ppt, .prf, .psd, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srt, .srw, .svg, .swf, .tex, .tga, .thm, .tlg, .txt, .vob, .wav, .wb2, .wmv, .wpd, .wps, .no, .xlk, .xlr, .xls, .yuv, .back, .docm, .docx, .flac, .indd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .xlsx
While encrypting the files, it will also create two ransom notes called README HOW TO DECRYPT YOUR FILES.HTML and README HOW TO DECRYPT YOUR FILES.TXT in the Documents and Desktop folders. These ransom notes contain information on what has happened to the victim’s files, links to the TOR payment sites, and the victim’s unique ID, which must be used to log in to the payment website.
The current TOR payment websites for the Alfa Ransomware are http://alfadecrfgqkcw6m.onion and http://2uxzf2mxe23f3clc.onion. These websites will not work in a normal web browser. In addition, Alfa Ransomware creates an autorun entry for the malware executable so that it is started every time a user logs into Windows. The name of the autorun entry is MSEstl, and the executable is located at %UserProfile%\AppData\Roaming\Microsoft\Essential\msestl32.exe. Finally, the ransomware deletes the Shadow Volume Copies on the victim’s computer so that the victim cannot use them to recover the unencrypted files.
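The encryption naming scheme, ransom note names and persistence path described above are enough for a simple host triage check. The following script is an added example, not code from the original report or from the researchers it cites: it walks a directory tree and flags files named `<name>.<targeted extension>.bin`, the two ransom note files, and the presence of the autorun executable under the reported profile-relative path. The extension list, note names and autorun path are taken from the report; the function names and the constructed sample tree are this example's own assumptions.

```python
"""
Added example (not part of the original report): a host triage helper that
scans a directory tree for the Alfa Ransomware artefacts described in the
report. The extension list, ransom note names and autorun path come from the
report; the function names and the sample tree are constructed for this example.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Targeted extensions exactly as listed in the report (lower-case, no dot)
TARGETED_EXTENSIONS = frozenset("""
c h m ai cs db nd pl ps py rm 3dm 3ds 3fr 3g2 3gp ach arw asf asx avi bak bay
cdr cer cpp cr2 crt crw dbf dcr dds der des dng doc dtd dwg dxf dxg eml eps erf
fla flvv hpp iif jpe jpg kdc key lua m4v max mdb mdf mef mov mp3 mp4 mpg mrw
msg nef nk2 nrw oab obj odb odc odm odp ods odt orf ost p12 p7b p7c pab pas pct
pdb pdd pdf pef pem pfx pps ppt prf psd pst ptx qba qbb qbm qbr qbw qbx qby r3d
raf raw rtf rw2 rwl sql sr2 srf srt srw svg swf tex tga thm tlg txt vob wav wb2
wmv wpd wps no xlk xlr xls yuv back docm docx flac indd java jpeg pptm pptx xlsb
xlsm xlsx
""".split())

# Ransom note file names from the report (compared case-insensitively)
RANSOM_NOTES = {
    "readme how to decrypt your files.html",
    "readme how to decrypt your files.txt",
}

# Persistence indicators from the report; the path is relative to %UserProfile%
AUTORUN_VALUE_NAME = "MSEstl"
AUTORUN_RELATIVE_PATH = Path("AppData/Roaming/Microsoft/Essential/msestl32.exe")


def is_alfa_encrypted_name(filename: str) -> bool:
    """True for names like mypicture.jpg.bin whose inner extension is targeted."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:            # need <name>.<ext>.bin, i.e. three parts
        return False
    _name, inner_ext, outer_ext = parts
    return outer_ext == "bin" and inner_ext in TARGETED_EXTENSIONS


def triage_tree(root: Path, user_profile: Optional[Path] = None) -> dict:
    """Walk root and collect Alfa indicators; return a summary dict."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = Path(dirpath) / fn
            if is_alfa_encrypted_name(fn):
                encrypted.append(full)
            elif fn.lower() in RANSOM_NOTES:
                notes.append(full)
    autorun_present = bool(user_profile) and (user_profile / AUTORUN_RELATIVE_PATH).is_file()
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "autorun_executable_present": autorun_present,
        # Both renamed files and a note present is a strong sign of this family
        "likely_infected": bool(encrypted) and bool(notes),
    }


def build_sample_tree(base: Path) -> Path:
    """Constructed sample profile: three encrypted files, two decoys, two notes, autorun file."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    for name in ("report.docx.bin", "budget.xlsx.bin", "mypicture.jpg.bin",
                 "notes.txt", "archive.zip.bin"):   # .zip is not a targeted type
        (docs / name).write_bytes(b"constructed sample content")
    (docs / "README HOW TO DECRYPT YOUR FILES.TXT").write_text("constructed note")
    (base / "Desktop").mkdir()
    (base / "Desktop" / "README HOW TO DECRYPT YOUR FILES.HTML").write_text("constructed note")
    exe = base / AUTORUN_RELATIVE_PATH
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"MZ")   # placeholder bytes, not a real executable
    return base


def run_demo() -> dict:
    """Build the constructed profile in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_tree(Path(tmp))
        return triage_tree(profile, user_profile=profile)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real host, point `triage_tree` at the user's profile directory and pass the same path as `user_profile`; the `MSEstl` Run-key value itself is not checked here because registry access is Windows-only, so verify it with your usual autorun tooling.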
When a victim goes to the TOR payment website, they are shown a login form, into which they must enter the victim ID listed in the ransom note. Once logged in, they are presented with the Alfa Decryptor page. This page allows them to decrypt one file for free, shows the ransom amount and the bitcoin address to which the payment must be sent, and offers the ability to check the payment status.