Alpha Crypt has infected Windows Server 2008 Files

We have been called in to assist with an infection for a new contact. During our visit it was found that the server did not have virus protection, did not have ANY known backups and all of their shared files (such as Excel and Word documents) are now in .EZZ format. I have searched online, but have not been able to find a way to decrypt the files.

We retrieved the server and brought it back to our place where it is on a separate network. We have run full virus and malware scans which found and removed multiple items. The problem now is that the files are encrypted. I tried manually changing the extension, however besides changing the document icon to something recognizable, it fails to open the file.

This problem started with a user's workstation who had the shared files mapped as a networked drive. Any suggestions would be greatly appreciated.

Thanks
Poly11 asked:
NVIT (End-user support) commented:
0
Poly11 (Author) commented:
Thanks for the Kaspersky links. I'd like to clarify that this infection has encrypted most of the documents. I need to figure out if there's a way to decrypt the files. There are no shadow copies or backups available which is rather unfortunate in this situation.
0
NVIT (End-user support) commented:
Also would like to add https://noransom.kaspersky.com/
But that's for CoinVault only. Yours is Alpha Crypt
0
NVIT (End-user support) commented:
This site has lots on the .EZZ: http://blogs.cisco.com/security/talos/teslacrypt
0
Poly11 (Author) commented:
TeslaDecrypt worked on the workstation that was originally infected. I located the key.dat file within the User's AppData\Roaming\ folder. That's positive news, but on the server I'm not finding a key.dat file. I did run TeslaDecrypt using the key.dat file from the workstation, however after saying "Success" the files are still not accessible.
0
NVIT (End-user support) commented:
Warning: Using the Cisco TeslaDecrypt decrypter will not work for Alpha Crypt encrypted .EZZ files. Therefore do not rename your .EZZ files as .ECC files and run TeslaDecrypt as it will corrupt your files. http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information#alpha-decrypt
0
Poly11 (Author) commented:
Thank you for the information. TeslaCrypt was run on the workstation using the located key.dat file and now the files are accessible. I have not run a rename on the server and thank you for the links. The links are more supportive if you have backup copies, shadow copies, etc... In this unfortunate situation we do not have any type of backup available.
0
NVIT (End-user support) commented:
> ...on the server I'm not finding a key.dat file
Not sure but maybe because it's still encrypting the files on the server? i.e. it makes key.dat at the end?
0
David Johnson, CD, MVP (Owner) commented:
use the same .dat file as you used on the client. it was encrypted by the client machine so the client machine has to decrypt it.
0
Poly11 (Author) commented:
Unfortunately the TeslaDecrypt tool is not working for the .ezz files. From what I've read there is no way to decrypt .ezz files at this time. I hope that statement is not true.

The decrypt process says it was successful, but the log shows that nothing was decrypted after the hard drive scan. Any ideas will always be appreciated.

Thanks
0
NVIT (End-user support) commented:
>no way to decrypt .ezz files at this time
According to bleepingcomputer, it is. Best to keep abreast of news if possible. Unfortunate for your client at this point.
0
Poly11 (Author) commented:
I am still looking to see if there's a way to decrypt these files...
0
David Johnson, CD, MVP (Owner) commented:
Other than contributing to the problem by paying the ransom there is NO way with current technology to decrypt the files. You can't since the algorithm uses the product of 2 prime numbers and you have to get the 2 prime numbers and there is absolutely NO way to brute force this. Perhaps in 50 years we might have the computing horsepower to decrypt in a reasonable length of time, say 1 year. But as of now these files are gone.
0
Davis McCarn (Owner) commented:
Have you tried TeslaDecoder? It's about 35% of the way down this page and looks for a different key file: http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information
0
Poly11 (Author) commented:
Thank you for your responses, I have tried TeslaDecoder and have had no success.
0
Davis McCarn (Owner) commented:
Have you searched every workstation that connected to the server for storage.bin or key.dat files?  These guys encrypt everything on mapped and shared drives, too, so it may not be the server that got directly infected.
0
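Two practical points in this thread lend themselves to a small read-only triage script: the asker's observation that renaming a .EZZ file back to .xlsx only changes the icon (the bytes are still ciphertext), and Davis McCarn's advice to search every machine that touched the share for key.dat or storage.bin. The script below is an added example written for this page, not code from any of the participants or from the decrypter tools they mention. It walks a directory tree, counts files carrying the .ezz/.ecc extensions named in the thread, flags Office or PDF files whose header no longer matches their extension (a sign they were renamed rather than restored), and records the path, size and SHA-256 of any key.dat or storage.bin it finds so they can be preserved before anyone runs a decrypter against them. It never renames or writes to the files it inspects, which matters given the warning in the thread that renaming .EZZ to .ECC and running the wrong tool corrupts data. The sample directory tree, the placeholder "key material" and the stand-in ciphertext bytes are all constructed here for the demonstration and are not real AlphaCrypt artefacts.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Optional

# Extensions named in the thread (.EZZ) and the linked BleepingComputer write-up (.ECC).
RANSOM_EXTENSIONS = {".ezz", ".ecc"}
# Key-material file names the thread says the decrypters look for.
KEY_ARTIFACTS = {"key.dat", "storage.bin"}
# Magic bytes for the document types the asker mentioned. Office 2007+ files are
# ZIP containers, legacy .doc/.xls are OLE2 compound files.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"%PDF": "pdf",
}
DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".doc", ".xls", ".pdf"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large key/storage files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def detect_format(path: Path) -> Optional[str]:
    """Return the format name if the file's first bytes match a known signature, else None."""
    with path.open("rb") as f:
        head = f.read(8)
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def triage(root: Path) -> dict:
    """Read-only walk: inventory encrypted files and locate key artefacts to preserve."""
    report = {"encrypted": [], "key_artifacts": [], "renamed_but_still_encrypted": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            suffix = p.suffix.lower()
            if name.lower() in KEY_ARTIFACTS:
                # Record enough to prove later that the artefact was not altered.
                report["key_artifacts"].append(
                    {"path": str(p), "size": p.stat().st_size, "sha256": sha256_of(p)}
                )
            elif suffix in RANSOM_EXTENSIONS:
                report["encrypted"].append(str(p))
            elif suffix in DOCUMENT_EXTENSIONS and detect_format(p) is None:
                # Extension says "document" but the header does not: renamed ciphertext.
                report["renamed_but_still_encrypted"].append(str(p))
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed layout mirroring the thread: a share plus a user profile with key.dat."""
    finance = base / "share" / "Finance"
    finance.mkdir(parents=True)
    # Stand-in ciphertext: opaque bytes that match no document signature (constructed).
    opaque = bytes(range(0x80, 0xC0))
    (finance / "budget.xlsx.ezz").write_bytes(opaque)
    # Same opaque bytes renamed back to .xlsx: still unopenable, as the asker found.
    (finance / "renamed.xlsx").write_bytes(opaque)
    # An untouched OOXML-style file (ZIP header) for contrast.
    (finance / "intact.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 60)
    # Key artefact in the roaming profile location the asker reported.
    roaming = base / "Users" / "user" / "AppData" / "Roaming"
    roaming.mkdir(parents=True)
    (roaming / "key.dat").write_bytes(b"constructed-placeholder-key-material")
    return base


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return the triage report."""
    base = build_sample_tree(Path(tempfile.mkdtemp(prefix="ezz-triage-")))
    return triage(base)


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['encrypted'])} file(s) with ransom extensions")
    print(f"{len(result['renamed_but_still_encrypted'])} renamed file(s) still unreadable")
    for art in result["key_artifacts"]:
        print(f"key artefact {art['path']} ({art['size']} bytes) sha256={art['sha256']}")
```

Point `triage()` at the mounted share and at each workstation's user profile directory rather than at the server alone; as the thread notes, the machine that did the encrypting is the one that holds the key material, so the artefact inventory from every client that had the share mapped is what a decrypter would need.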
Poly11 (Author) commented:
We give up. We have found the 1 key.dat file but it does not work with TeslaDecryptor.
0