Alpha Ransomware

What is Alpha Ransomware?

The researchers say that Alpha Ransomware was created by the same developers who released Cerber Ransomware. This time, they ask users to pay 1.5 Bitcoins for the decryption tool. If you convert this sum to US dollars, it would be approximate $996 at the moment. Since the ransom is rather large and there are no reassurances, we do not recommend you to put up with these demands. Instead, we offer you to get rid of the malware manually. Thus, if you already made the decision, check the deletion instructions available below the article. Also, you can use a reliable security tool to erase Alpha Ransomware. As stated by the infection’s creators, antimalware software cannot recover encrypted data and while it is true it also true that if you had a reliable tool before you probably would not have to read this text.testtesttest

How does Alpha Ransomware work?

Our researchers at Anti-spyware-101.com are still trying to determine how Alpha Ransomware is distributed. Nevertheless, we have tested the malware, so we know how it works after the system is infected. The malicious application should place an executable file called msestl32.exe in the %APPDATA%\Microsoft\Essential location. It should also add .txt and .html files titled as README HOW TO DECRYPT YOUR FILES. Such data should be visible on user’s Desktop, and it could be placed in every folder that contains encrypted files.

The reason README HOW TO DECRYPT YOUR FILES.txt launches every time you log on or restart the computer is because Alpha Ransomware creates an entry in the Run key, which is in the following path HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion. However, the first time this document should be opened is when the infection finishes encrypting your data. The malware should encipher only personal files. For example, it could encrypt data that has the listed extensions: wav, .wb2, .wmv, .wpd, .wps, .no, .xlk, .xlr, .xls, .yuv, .back, .docm, .docx, .flac, .indd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .xlsx, and so on.

The text document instructs users to install the Tor browser and load a web page that should include the other part of instructions. According to them, users can purchase the Alfa Decryptor for 1.5 Bitcoins “within first 3 days”. It looks like after three days the sum will rise by 20% and it will continue to increase like this with each third day. If you are thinking about paying the ransom, you should not forget that the malware’s creators are cyber criminals, and they might not deliver their promise. In that case, the encrypted data would remain unusable, and you would not get your money back.

How to erase Alpha Ransomware?

If you decide to eliminate Alpha Ransomware, we can guide you through the deletion process with the instructions below. To get rid of the infection users should erase the main malicious file and remove the Registry entries that were created by the malware. If you find these tasks too complicated, you could try to use a legitimate antimalware tool. Firstly, users should install the tool on the infected computer. Then, you could do a system scan and delete the detected threats. Also, if you have any questions related to the malicious program, let us know by leaving a comment here or contacting us via social media.

Remove Alpha Ransomware

  1. Press Win+E to launch the Explorer.
  2. Copy and paste the given path into the Explorer %APPDATA%\Microsoft\Essential
  3. Find a file named as msestl32.exe, right-click it and press Delete.
  4. Insert this directory into the Explorer %USERPROFILE%\Desktop
  5. Find and erase these files: README HOW TO DECRYPT YOUR FILES.TXT, README HOW TO DECRYPT YOUR FILES.HTML.
  6. Close the Explorer.
  7. Press Win+R, type regedit and click OK to open the Registry Editor.
  8. Locate the following path HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  9. Search for a value name titled as MSEstl (value data C:\Users\user\AppData\Roaming\Microsoft\Essential\msestl32.exe), right-click MSEstl and select Delete.
  10. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
  11. Locate a key that has a name of random letters, for example, Dguizcypu, right-click the key and press Delete.
  12. Close the Registry Editor and empty the Recycle bin.
100% FREE spyware scan and
tested removal of Alpha Ransomware*
Disclaimer
Disclaimer

Leave a Comment

Enter the numbers in the box to the right *