Asked by Poly11:
Alpha Crypt has infected Windows Server 2008 Files

We have been called in to assist with an infection for a new contact. During our visit it was found that the server did not have virus protection, did not have ANY known backups, and all of their shared files (such as Excel and Word documents) are now in .EZZ format. I have searched online, but have not been able to find a way to decrypt the files.

We retrieved the server and brought it back to our place where it is on a separate network. We have run full virus and malware scans which found and removed multiple items. The problem now is that the files are encrypted. I tried manually changing the extension, however besides changing the document icon to something recognizable, it fails to open the file.

This problem started with a user's workstation who had the shared files mapped as a networked drive. Any suggestions would be greatly appreciated.

Thanks
NVIT:

Poly11 (asker):

Thanks for the Kaspersky links. I'd like to clarify that this infection has encrypted most of the documents. I need to figure out if there's a way to decrypt the files. There are no shadow copies or backups available, which is rather unfortunate in this situation.
Also would like to add https://noransom.kaspersky.com/
But that's for CoinVault only. Yours is Alpha Crypt
Poly11 (asker):
TeslaDecrypt worked on the workstation that was originally infected. I located the key.dat file within the User's AppData\Roaming\ folder. That's positive news, but on the server I'm not finding a key.dat file. I did run TeslaDecrypt using the key.dat file from the workstation, however after saying "Success" the files are still not accessible.
Warning: Using the Cisco TeslaDecrypt decrypter will not work for Alpha Crypt encrypted .EZZ files. Therefore do not rename your .EZZ files as .ECC files and run TeslaDecrypt as it will corrupt your files. http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information#alpha-decrypt
Poly11 (asker):

Thank you for the information. TeslaCrypt was run on the workstation using the located key.dat file and now the files are accessible. I have not run a rename on the server, and thank you for the links. The links are more helpful if you have backup copies, shadow copies, etc. In this unfortunate situation we do not have any type of backup available.
> ...on the server I'm not finding a key.dat file
Not sure but maybe because it's still encrypting the files on the server? i.e. it makes key.dat at the end?
use the same .dat file as you used on the client. it was encrypted by the client machine so the client machine has to decrypt it.
Poly11 (asker):
Unfortunately the TeslaDecrypt tool is not working for the .ezz files. From what I've read there is no way to decrypt .ezz files at this time. I hope that statement is not true.

The decrypt process says it was successful, but the log shows that nothing was decrypted after the hard drive scan. Any ideas will always be appreciated.

Thanks
>no way to decrypt .ezz files at this time
According to bleepingcomputer, it is. Best to keep abreast of news if possible. Unfortunate for your client at this point.
Poly11 (asker):
I am still looking to see if there's a way to decrypt these files...
ASKER CERTIFIED SOLUTION (David Johnson, CD):

Have you tried TeslaDecoder? It's about 35% of the way down this page and looks for a different key file: http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information
Poly11 (asker):
Thank you for your responses, I have tried TeslaDecoder and have had no success.
Have you searched every workstation that connected to the server for storage.bin or key.dat files?  These guys encrypt everything on mapped and shared drives, too, so it may not be the server that got directly infected.
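An added example, not from this thread or from any of the tools it mentions: a Python triage script that does the search the reply above describes, inventorying .ezz and .ecc files on a share and collecting candidate key.dat / storage.bin files (with a SHA-256 so copies from different workstations can be compared). The directory layout and file contents in run_demo() are constructed placeholders.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the thread reports on encrypted documents: .ezz (AlphaCrypt) and
# .ecc (earlier TeslaCrypt). They are counted separately because the thread warns
# that renaming .ezz to .ecc and running TeslaDecrypt corrupts the files.
ENCRYPTED_EXTS = {".ezz", ".ecc"}
# Key-file names the thread mentions (key.dat under AppData\Roaming, storage.bin).
KEY_FILE_NAMES = {"key.dat", "storage.bin"}


def triage(root):
    """Walk root (a share, or a mounted workstation profile) and inventory the
    encrypted files by extension plus candidate key files with their SHA-256,
    so key files collected from several workstations can be told apart."""
    encrypted, key_candidates = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in ENCRYPTED_EXTS:
                encrypted.append(path)
            if name.lower() in KEY_FILE_NAMES:
                key_candidates.append({
                    "path": path,
                    "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                    # key.dat sat under AppData\Roaming on the first infected workstation
                    "in_roaming": any(p.lower() == "roaming" for p in path.parts),
                })
    return {"encrypted": sorted(encrypted),
            "by_ext": Counter(p.suffix.lower() for p in encrypted),
            "key_candidates": key_candidates}


def run_demo():
    """Triage a constructed sample layout (placeholder bytes, not real artefacts)
    and return the inventory; the paths are hypothetical, for demonstration only."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        share.mkdir()
        for name in ("budget.xlsx.ezz", "memo.docx.ezz", "old.txt.ecc", "readme.txt"):
            (share / name).write_bytes(b"constructed")
        roaming = Path(tmp) / "ws1" / "Users" / "alice" / "AppData" / "Roaming"
        roaming.mkdir(parents=True)
        (roaming / "key.dat").write_bytes(b"constructed-key-sample")
        return triage(tmp)
```

Point it at each mapped share and at every workstation that had the share mapped; a share with .ezz files but no key candidates anywhere is the situation the thread ends in.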
Poly11 (asker):
We give up. We have found the 1 key.dat file but it does not work with TeslaDecryptor.