I believe someone has put Alpha Crypt virus on our network! Any ideas how to get rid of it?!:)

Hi guys

We've had one of our fileservers running on Windows 2012 infiltrated with an Alpha Crypt virus. Around 50% of our Excel files have had their extensions turned into .exx.

Can anybody help out with ways of getting rid of this and restoring the extensions back to normal? This is a live environment and I am remote to this site.

I'm currently running AV on there as I write this.

Any help would be amazing peeps.

Thanks
Yashy



You have TeslaCrypt, not AlphaCrypt, judging by the file extension.

Your best bet is to restore from backup; however, here are some methods you can try.

http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information



You will have to find the source of the infection and then clean it out manually.
Here are some instructions on how to do that as well.

http://www.im-infected.com/virus/remove-alpha-crypt-virus-removal-guide.html



Thanks guys. I'm trying my best to keep things cool, as this could be quite drastic. But we do have nightly cloud backups, which is a good thing, and I may have to restore.

I do have a quick question about this though. The file server has two folders on it (Folder1 and Folder2) on the same drive, filled with files. Both are shared. However, one folder is completely okay. The other one is infected entirely, top to bottom, with .exx files.

The folders above are mapped by department. So, Folder1 is mapped for one department. Folder2 (the infected one) is mapped for another.

We ran AV and Malwarebytes on the server itself and they came back with nothing. Is it highly likely that a user had their machine infected with this virus and the virus spread from their PC onto their mapped drive?



The servers themselves are practically never infected (unless it is a terminal server); you'd have to actually browse the web with it or read emails on the server itself. Some devices like Synology NAS did get infected through a certain virus because there was a security hole in the OS that got exploited, but that has long been patched, so if your server or NAS is up to date with patches there should be no problems.

Most ransomware starts on the workstations, and then all data it can reach gets encrypted, including mapped drives and data saved in the cloud. Newer versions also seem to be able to encrypt unmapped drives, provided the client PC can reach them.

Most such ransomware is automatically removed from the PC that was infected once it has finished with the encryption and the ransom note has appeared. So if anyone saw such a note, you will know which PC it was. You can still scan it using the various tools to make sure it is clean. If no ransom note has appeared yet, it means that the virus hasn't finished yet, and then, if you find the infected PC, you could recover the data, as there usually is a temporary folder where the original data is stored, and the shadow copies should still hold the original data. Once the virus is finished, it clears all that.
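As an added example (not part of the thread, and not from any of the posters), the following PowerShell, run on the file server itself, turns the reasoning above into a quick triage: the workstation did the encrypting over SMB, so the NTFS owner of the newly written .exx files is the user account that ran the malware, the active SMB sessions tell you which client machine that account is connected from, and vssadmin shows whether the volume still has shadow copies to recover previous versions from. The share path D:\Shares\Folder2 is an assumption; the .exx extension is from the thread. Owner attribution only works if the ransomware created new files rather than overwriting in place, and if the user is a member of the server's Administrators group the owner will show as BUILTIN\Administrators rather than the user.

```powershell
# Added triage example for the scenario in this thread; not the forum's or any
# vendor's code. Run in an elevated PowerShell on the file server (Server 2012+).
# ASSUMPTIONS: affected share at D:\Shares\Folder2 (hypothetical path);
# encrypted files end in .exx; the ransomware wrote the .exx files as new files.

$SharePath = 'D:\Shares\Folder2'   # assumed path of the hit share
$Extension = '.exx'                # extension seen in the thread

# 1. Attribute the encryption to an account.
#    A file created over SMB on NTFS is owned by the account that created it,
#    so grouping the .exx files by owner points at the infected user.
#    Get-Acl per file is slow on large trees; run it once and keep the result.
$encrypted = Get-ChildItem -Path $SharePath -Filter "*$Extension" -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            LastWrite = $_.LastWriteTime
            Path      = $_.FullName
        }
    }

"Encrypted files found: $($encrypted.Count)"
"Encrypted files per NTFS owner (top entry is the likely infected account):"
$encrypted | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The first and last write times bracket the encryption run; use them when
# matching against logon records or the user's recollection of the ransom note.
$sorted = $encrypted | Sort-Object LastWrite
"Encryption started around: $($sorted[0].LastWrite)"
"Encryption last wrote at:  $($sorted[-1].LastWrite)"

# 2. Which client machine is that account connected from right now?
#    Get-SmbSession lists the computer name or IP behind each SMB session.
"Current SMB sessions:"
Get-SmbSession | Select-Object ClientUserName, ClientComputerName, NumOpens |
    Format-Table -AutoSize

# 3. Do shadow copies of the share's volume still exist? Check this before
#    running cleanup tools, since the previous versions live there.
$volume = Split-Path -Qualifier $SharePath   # e.g. 'D:'
"Shadow copies for $volume :"
vssadmin list shadows /for=$volume
```

Once the owner and the client computer name line up, pull that workstation off the network first and only then start cleanup; the SMB session and the shadow copy list are the two things you want recorded before anything on either machine is changed.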



I found the PC!! There's a txt file that says 'HELP_TO_SAVE_FILES.txt'.

But it is running at a snail's pace.

Do you think I can find the 'key.dat' file on that PC? So that I can decrypt everything?
