Alpha Crypt has infected Windows Server 2008 Files

We have been called in to assist with an infection for a new contact. During our visit it was found that the server did not have virus protection, did not have ANY known backups and all of their shared files (such as Excel and Word documents) are now in .EZZ format. I have searched online, but have not been able to find a way to decrypt the files.

We retrieved the server and brought it back to our place where it is on a separate network. We have run full virus and malware scans which found and removed multiple items. The problem now is that the files are encrypted. I tried manually changing the extension, however besides changing the document icon to something recognizable, it fails to open the file.

This problem started with a user's workstation that had the shared files mapped as a networked drive. Any suggestions would be greatly appreciated.

Thanks
Asked by Poly11

Poly11 (Author) commented:
Thanks for the Kaspersky links. I'd like to clarify that this infection has encrypted most of the documents. I need to figure out if there's a way to decrypt the files. There are no shadow copies or backups available, which is rather unfortunate in this situation.

NVIT commented:
Also would like to add https://noransom.kaspersky.com/
But that's for CoinVault only. Yours is Alpha Crypt
NVIT commented:
This site has lots on the .EZZ: http://blogs.cisco.com/security/talos/teslacrypt

Poly11 (Author) commented:
TeslaDecrypt worked on the workstation that was originally infected. I located the key.dat file within the User's AppData\Roaming\ folder. That's positive news, but on the server I'm not finding a key.dat file. I did run TeslaDecrypt using the key.dat file from the workstation, however after saying "Success" the files are still not accessible.

NVIT commented:
Warning: Using the Cisco TeslaDecrypt decrypter will not work for Alpha Crypt encrypted .EZZ files. Therefore do not rename your .EZZ files as .ECC files and run TeslaDecrypt as it will corrupt your files. http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information#alpha-decrypt

Poly11 (Author) commented:
Thank you for the information. TeslaCrypt was run on the workstation using the located key.dat file and now the files are accessible. I have not run a rename on the server, and thank you for the links. The links are more supportive if you have backup copies, shadow copies, etc... In this unfortunate situation we do not have any type of backup available.

NVIT commented:
> ...on the server I'm not finding a key.dat file
Not sure but maybe because it's still encrypting the files on the server? i.e. it makes key.dat at the end?

David Johnson, CD, MVP (Owner) commented:
Use the same .dat file as you used on the client. It was encrypted by the client machine, so the client machine has to decrypt it.

Poly11 (Author) commented:
Unfortunately the TeslaDecrypt tool is not working for the .ezz files. From what I've read there is no way to decrypt .ezz files at this time. I hope that statement is not true.

The decrypt process says it was successful, but the log shows that nothing was decrypted after the hard drive scan. Any ideas will always be appreciated.

Thanks

NVIT commented:
>no way to decrypt .ezz files at this time
According to bleepingcomputer, it is. Best to keep abreast of news if possible. Unfortunate for your client at this point.

Poly11 (Author) commented:
I am still looking to see if there's a way to decrypt these files...

David Johnson, CD, MVP (Owner) commented:
Other than contributing to the problem by paying the ransom there is NO way with current technology to decrypt the files. You can't, since the algorithm uses the product of 2 prime numbers and you have to get the 2 prime numbers, and there is absolutely NO way to brute force this. Perhaps in 50 years we might have the computing horsepower to decrypt in a reasonable length of time, say 1 year. But as of now these files are gone.

Davis McCarn (Owner) commented:
Have you tried TeslaDecoder? It's about 35% of the way down this page and looks for a different key file: http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information

Poly11 (Author) commented:
Thank you for your responses, I have tried TeslaDecoder and have had no success.

Davis McCarn (Owner) commented:
Have you searched every workstation that connected to the server for storage.bin or key.dat files? These guys encrypt everything on mapped and shared drives, too, so it may not be the server that got directly infected.
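A read-only triage script for the search suggested above, added here as an example and not code from the thread or from any of the decrypter tools: it inventories the encrypted share and groups the files by NTFS owner (the owner of a .EZZ file on the server is the account whose workstation wrote it, so it points at the machine where key.dat should live), then searches each workstation's profiles for key.dat and storage.bin. The share path and the workstation admin-share paths are placeholders to replace for the site.

```powershell
# Added triage example (not from the thread). All paths below are assumed placeholders.
# Read-only by design: nothing here renames or modifies files; the thread warns that
# renaming .EZZ to .ECC and running TeslaDecrypt corrupts them.
$ShareRoot     = 'D:\Shares'                                 # encrypted share on the server (placeholder)
$EncryptedExt  = @('.ezz', '.ecc', '.exx')                   # extensions named in the thread
$ArtifactNames = @('key.dat', 'storage.bin')                 # key files the decrypters look for
$ProfileRoots  = @('\\WS01\C$\Users', '\\WS02\C$\Users')     # workstation admin shares (placeholders)

# 1) Inventory encrypted files on the share and group them by NTFS owner.
#    The owner is the account whose workstation did the encrypting over the mapped drive,
#    and the earliest write time per owner shows when that machine started.
$encrypted = Get-ChildItem -Path $ShareRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $EncryptedExt -contains $_.Extension.ToLower() }

Write-Host ("Encrypted files found on share: {0}" -f @($encrypted).Count)

$encrypted |
    ForEach-Object {
        # Resolve the owner SID to DOMAIN\user using plain .NET (works on PowerShell 2.0).
        $owner = $_.GetAccessControl().GetOwner([System.Security.Principal.NTAccount]).Value
        New-Object PSObject -Property @{ Owner = $owner; Path = $_.FullName; Modified = $_.LastWriteTime }
    } |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstWrite'; e = { ($_.Group | Sort-Object Modified | Select-Object -First 1).Modified } },
        @{ n = 'LastWrite';  e = { ($_.Group | Sort-Object Modified | Select-Object -Last 1).Modified } } |
    Format-Table -AutoSize

# 2) Look for the decrypter key artifacts in every user profile on each candidate
#    workstation (the thread found key.dat under AppData\Roaming on the infected client).
foreach ($root in $ProfileRoots) {
    Write-Host ("Searching profiles under {0}" -f $root)
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $ArtifactNames -contains $_.Name.ToLower() } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

Run it from the isolated network with an account that can read the share and the workstations' admin shares; compare the top owner from step 1 with the profile that holds key.dat in step 2 before trying any decrypter.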

Poly11 (Author) commented:
We give up. We have found the 1 key.dat file but it does not work with TeslaDecryptor.