
New Alfa, or Alpha, Ransomware from the same devs as Cerber


Batu69


Security researcher BloodDolly recently discovered a new file encrypter called Alfa Ransomware, or Alpha Ransomware, which is from the developers of Cerber. As BloodDolly is still currently analyzing this ransomware, not much is known about this ransomware at this time. Preliminary reports, though, indicate that files encrypted by Alfa Ransomware are not decryptable.

 

For those who wish to discuss or need help with Alfa Ransomware, we have created a dedicated Alfa Ransomware Help and Support topic in our forums.

Is it Alfa Ransomware or Alpha Ransomware?

This ransomware currently utilizes two different names in the ransom note and the TOR payment site. For example, in the ransom note, as shown in the next section, the ransomware will call itself Alpha Ransomware. While in the TOR payment site, it refers to itself as Alfa Decryptor with its own custom logo as shown below. Based on the development of an actual Alfa logo, my guess is that it will ultimately be called Alfa Ransomware.

 

Alfa Payment Header

How Alfa Ransomware Encrypts a Victim's Files

It is currently unknown how Alfa Ransomware is distributed, but once a computer is infected, the ransomware will scan all the local drives for certain file types. When it finds a targeted file extension it will encrypt the file and append the .bin extension to the encrypted file. For example, test.jpg will be encrypted to the filename test.jpg.bin. The file types currently targeted by the Alfa Ransomware are:

.c, .h, .m, .ai, .cs, .db, .nd, .pl, .ps, .py, .rm, .3dm, .3ds, .3fr, .3g2, .3gp, .ach, .arw, .asf, .asx, .avi, 
.bak, .bay, .cdr, .cer, .cpp, .cr2, .crt, .crw, .dbf, .dcr, .dds, .der, .des, .dng, .doc, .dtd, .dwg, .dxf, .dxg, 
.eml, .eps, .erf, .fla, .flvv, .hpp, .iif, .jpe, .jpg, .kdc, .key, .lua, .m4v, .max, .mdb, .mdf, .mef, .mov, .mp3, 
.mp4, .mpg, .mrw, .msg, .nef, .nk2, .nrw, .oab, .obj, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .ost, .p12, .p7b, 
.p7c, .pab, .pas, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .pps, .ppt, .prf, .psd, .pst, .ptx, .qba, .qbb, .qbm, 
.qbr, .qbw, .qbx, .qby, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srt, .srw, .svg, .swf, .tex, .tga, 
.thm, .tlg, .txt, .vob, .wav, .wb2, .wmv, .wpd, .wps, .no, .xlk, .xlr, .xls, .yuv, .back, .docm, .docx, .flac, .indd, 
.java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .xlsx

While encrypting the files, it will also create two ransom notes called README HOW TO DECRYPT YOUR FILES.HTML and README HOW TO DECRYPT YOUR FILES.TXT in the Documents and Desktop folders. These ransom notes contain information on what has happened to the victim's files, links to the TOR payment sites, and a victim's unique ID that must be used to log in to the payment site.

Portion of the Ransom Note

The current TOR payment sites for the Alfa Ransomware are http://alfadecrfgqkcw6m.onion and http://2uxzf2mxe23f3clc.onion. Please note that these are TOR sites and will not work within a normal browser.

 

The Alfa Ransomware will also create an autorun for the malware executable so that it is started every time a user logs into Windows. The autorun will be called MSEstl and the executable will be located in %UserProfile%\AppData\Roaming\Microsoft\Essential\msestl32.exe.

 

Finally, the ransomware will delete the Shadow Volume Copies on the victim's computer so that they are unable to use them to recover their unencrypted files.

The Alfa Decryptor Site

When a user goes to the TOR payment site, they will be shown a login form. In this form, they need to insert the victim's ID listed in the ransom note. Once they log in, they will be presented with the Alfa Decryptor page as shown below. This page allows them to decrypt 1 file for free, shows the ransom amount and the bitcoin address they must send the payment to, and gives them the ability to check the payment status.

 

Once the payment has been completed, a decryptor will be made available to them on this page.

Portion of the Alfa Decryptor Page

Also included in the Alfa Decryptor site is a Frequently Asked Questions page. This page is shown below.

FAQ Page

As already stated, unfortunately at this time there is no way to decrypt files encrypted by Alfa Ransomware for free. If anything changes, we will be sure to post about it on the site. For those who wish to discuss this information or receive support, you can use our Alfa Ransomware Help and Support topic.

Files associated with the Alfa Ransomware:

%UserProfile%\AppData\Roaming\Microsoft\Essential\msestl32.exe
README HOW TO DECRYPT YOUR FILES.HTML
README HOW TO DECRYPT YOUR FILES.TXT

Registry entries associated with the Alfa Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSEstl	%UserProfile%\AppData\Roaming\Microsoft\Essential\msestl32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\[random]

 Article source
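As an added example (not code from the original post, from BleepingComputer, or from the researcher cited), the following Python script turns the host artifacts listed above into a small offline triage check: the `<name>.<targeted ext>.bin` naming of encrypted files, the two ransom-note filenames, the dropped msestl32.exe path, and the MSEstl value under the HKCU Run key. The extension list is copied from the post; the function names, the sample file listing and the sample Run-key values are constructed for this example and are not real indicators beyond what the post states.

```python
"""Offline triage check for the Alfa/Alpha ransomware artifacts described in
the post: encrypted-file naming, ransom notes, dropped executable, Run value.
Added example, not the original post's code; sample data below is constructed."""
from collections import Counter
from typing import Dict, List, Optional
from pathlib import PureWindowsPath

# Extensions the post lists as targeted (lower-case, leading dot kept).
TARGETED_EXTS = frozenset("""
.c .h .m .ai .cs .db .nd .pl .ps .py .rm .3dm .3ds .3fr .3g2 .3gp .ach .arw .asf .asx .avi
.bak .bay .cdr .cer .cpp .cr2 .crt .crw .dbf .dcr .dds .der .des .dng .doc .dtd .dwg .dxf .dxg
.eml .eps .erf .fla .flvv .hpp .iif .jpe .jpg .kdc .key .lua .m4v .max .mdb .mdf .mef .mov .mp3
.mp4 .mpg .mrw .msg .nef .nk2 .nrw .oab .obj .odb .odc .odm .odp .ods .odt .orf .ost .p12 .p7b
.p7c .pab .pas .pct .pdb .pdd .pdf .pef .pem .pfx .pps .ppt .prf .psd .pst .ptx .qba .qbb .qbm
.qbr .qbw .qbx .qby .r3d .raf .raw .rtf .rw2 .rwl .sql .sr2 .srf .srt .srw .svg .swf .tex .tga
.thm .tlg .txt .vob .wav .wb2 .wmv .wpd .wps .no .xlk .xlr .xls .yuv .back .docm .docx .flac .indd
.java .jpeg .pptm .pptx .xlsb .xlsm .xlsx
""".split())

ENCRYPTED_SUFFIX = ".bin"
RANSOM_NOTES = frozenset({
    "readme how to decrypt your files.html",
    "readme how to decrypt your files.txt",
})
# Tail of the dropped binary's path (the %UserProfile% prefix varies per user)
# and the name of the Run value, both as given in the post.
DROPPED_EXE_TAIL = r"\appdata\roaming\microsoft\essential\msestl32.exe"
AUTORUN_VALUE_NAME = "msestl"


def is_alfa_encrypted_name(path: str) -> bool:
    """True for <name>.<targeted ext>.bin (test.jpg.bin), not for a plain .bin
    file such as firmware.bin whose inner name has no targeted extension."""
    name = PureWindowsPath(path.replace("/", "\\")).name.lower()
    if not name.endswith(ENCRYPTED_SUFFIX):
        return False
    inner = PureWindowsPath(name[: -len(ENCRYPTED_SUFFIX)])
    return inner.suffix in TARGETED_EXTS


def classify_path(path: str) -> Optional[str]:
    """Map one file path to an indicator class, or None if it matches nothing."""
    norm = path.replace("/", "\\").lower()
    name = PureWindowsPath(norm).name
    if name in RANSOM_NOTES:
        return "ransom_note"
    if norm.endswith(DROPPED_EXE_TAIL):
        return "dropped_exe"
    if is_alfa_encrypted_name(norm):
        return "encrypted_file"
    return None


def check_run_entries(entries: Dict[str, str]) -> List[str]:
    """Return the names of HKCU\\...\\Run values that look like the MSEstl
    autorun: either the value name itself or a command pointing at the exe."""
    hits = []
    for name, value in entries.items():
        value_norm = value.strip('"').replace("/", "\\").lower()
        if name.lower() == AUTORUN_VALUE_NAME or value_norm.endswith(DROPPED_EXE_TAIL):
            hits.append(name)
    return hits


def scan(paths: List[str], run_entries: Dict[str, str]) -> dict:
    """Aggregate indicator counts for one host. Encrypted files alone could be
    a coincidence; pair them with a note or the autorun before calling it."""
    counts = Counter(c for c in map(classify_path, paths) if c)
    autorun = check_run_entries(run_entries)
    counts["autorun"] = len(autorun)
    likely = counts["encrypted_file"] > 0 and (
        counts["ransom_note"] > 0 or counts["autorun"] > 0)
    return {"counts": dict(counts), "autorun_values": autorun, "likely_infected": likely}


# Constructed sample host data for this example (not real observations).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.bin",
    r"C:\Users\alice\Pictures\IMG_0412.jpg.bin",
    r"C:\Users\alice\Desktop\README HOW TO DECRYPT YOUR FILES.TXT",
    r"C:\Users\alice\Documents\README HOW TO DECRYPT YOUR FILES.HTML",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Essential\msestl32.exe",
    r"C:\Users\alice\Downloads\firmware.bin",  # ordinary .bin, must not be flagged
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_RUN = {  # constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "MSEstl": r"C:\Users\alice\AppData\Roaming\Microsoft\Essential\msestl32.exe",
}

if __name__ == "__main__":
    print(scan(SAMPLE_PATHS, SAMPLE_RUN))
```

On a live host the path list would come from a directory walk of the user profile and the Run values from a registry export; the classification logic stays the same. The `likely_infected` rule deliberately requires more than renamed files, since a `.bin` extension by itself is common for legitimate binaries and firmware images.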

 


Cerber Devs Create New Ransomware Called Alfa

 


 

Ransomware features strong encryption, can't be cracked

 

Quote

The developers behind the Cerber ransomware have released their latest creation upon the Interwebs, and it's a new ransomware variant named Alfa ransomware, Bleeping Computer reported last week.

 

Cerber is one of today's most active and widespread ransomware families, alongside Locky, CryptXXX, and Jigsaw. Security researchers did not crack its encryption, so it is quite odd to see the group creating a new and different version without an apparent reason.

 

Alfa ransomware is currently undecryptable

 

Since Alfa is new on the scene, security researchers still don't know how this threat spreads, but they know that Alfa is linked to Cerber's devs and that it features a rock-solid encryption routine that currently can't be broken.

 

Just like most ransomware families today, Alfa encrypts users' files and appends a file extension at the end. You can identify Alfa ransomware infections by the extra .bin extension it adds to encrypted files.

 

The ransomware targets 142 different file types, and after the encryption process ends, it drops text and HTML-based ransom notes on the user's Desktop and other locations.

 

Alfa apparently rebranded from Alpha

 

The ransom note is improperly worded and may need some work. Also, the ransom note uses the "Alpha" term instead of Alfa, which is used only on the Tor-based website where users are told to go to decrypt their files.

 

The name Alfa ransomware will likely be used in future versions because there was already an Alpha ransomware that appeared at the start of May 2016, for which security researchers created a free decrypter.

 

The Cerber devs would likely want to distance themselves from the term "Alpha ransomware" as much as possible since they may not want victims thinking they can recover files after googling the ransomware's name. Alfa asks 1 Bitcoin (~$650) from each infected user.

 


 

Source
