I believe someone has put Alpha Crypt virus on our network! Any ideas how to get rid of it?!:)

Hi guys

We've had one of our fileservers running on Windows 2012 infiltrated with an Alpha Crypt virus. Around 50% of our Excel files have had their extensions turned into .exx.

Can anybody help out with ways of getting rid of this and restoring extensions back to normal?! This is a live environment and I am remote to this site.

I'm currently running AV on there as I write this.

Any help would be amazing peeps.


James H, IT Director, commented:
You have TeslaCrypt not AlphaCrypt due to the file extension.

Your best bet is to restore from backup, however here are some methods you can try.


James H, IT Director, commented:
You will have to find the source of the infection and then clean it out manually.
Here are some instructions on how to do that as well.

Yashy (Author) commented:
Thanks guys. I'm trying my best to keep things cool, as this could be quite drastic. But we do have nightly cloud backups which is a good thing and I may have to restore.

I do have a quick question about this though. The file server has got two folders on it (Folder1 and Folder2) on the same drive, filled with files. Both are shared. However, one folder is completely okay. The other one is infected entirely head to bottom with .exx files.

The folders above are mapped out by department. So, folder 1 is mapped out to one department. Folder 2 (the infected one) is mapped out to another.

We ran AV, Malwarebytes on the server itself and it came back with nothing. Is it highly likely that a user had their machine infected with this virus and had the virus spread from their PC on to their 'mapped drive'?

The servers themselves are practically never infected (unless it is a terminal server); you'd have to actually browse the web with it, or read emails on the server itself. Some devices like Synology NAS got infected through a certain virus because there was a security hole in the OS that got exploited, but that has long since been patched, so if your server or NAS is up-to-date with patches there should be no problems.

Most ransomware starts on the workstations, and then all data it can reach gets encrypted, including mapped drives and data saved in the cloud. Newer versions also seem to be able to encrypt unmapped drives, provided the client PC can reach them.

Most such ransomware is automatically removed from the PC that was infected once it has finished with the encryption and the ransom note has appeared. So if anyone saw such a note, you will know which PC it was. You can still scan it using the diverse tools to make sure it is clean. If no ransom note has appeared yet, it means that the virus hasn't finished yet, and then, if you find the infected PC, you could recover the data, as there usually is a temporary folder where the original data is stored, and the shadow copies should also still hold the original data. Once the virus is finished, it clears all that.
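An added triage script (not from this thread) for the file-server side of what is described above: it finds the .exx files and ransom notes on the share, groups the encrypted files by their NTFS owner to identify the user account whose workstation did the writing, bounds the encryption window, and lists the open SMB sessions that tie that account to a client machine. The share path D:\Shares\Folder2 is an assumption; the .exx extension and the HELP_TO_SAVE_FILES.txt note name are the ones reported in this thread.

```powershell
# Added example, not from the thread. Run on the file server as an administrator.
# Assumed share root; adjust to the real path of the infected folder.
$ShareRoot  = 'D:\Shares\Folder2'
$RansomNote = 'HELP_TO_SAVE_FILES.txt'   # note name reported in this thread

$Encrypted = Get-ChildItem -Path $ShareRoot -Recurse -File -Filter '*.exx' `
                 -ErrorAction SilentlyContinue

# 1. Who wrote the encrypted files? The NTFS owner of a newly created file is the
#    account that created it, i.e. the logged-on user of the infected workstation,
#    because the ransomware runs under that user's token. (Files created by local
#    administrators show the Administrators group as owner instead.)
Write-Host '--- Owners of encrypted files ---'
$Encrypted |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. When did encryption start and stop? This bounds the window for log review
#    and tells you which nightly backup generation predates the damage.
$Sorted = $Encrypted | Sort-Object LastWriteTime
if ($Sorted) {
    Write-Host ('Encrypted files: {0}; first write {1}; last write {2}' -f
        $Sorted.Count, $Sorted[0].LastWriteTime, $Sorted[-1].LastWriteTime)
}

# 3. Where are the ransom notes? Their folders mark the extent of the encrypted tree.
Write-Host '--- Ransom note locations ---'
Get-ChildItem -Path $ShareRoot -Recurse -File -Filter $RansomNote -ErrorAction SilentlyContinue |
    Format-Table DirectoryName, CreationTime -AutoSize

# 4. Which workstation holds the session? Open SMB sessions map the owning
#    account from step 1 to a client computer, which is the machine to isolate.
Write-Host '--- Current SMB sessions ---'
Get-SmbSession | Format-Table ClientUserName, ClientComputerName, NumOpens -AutoSize
```

If no session is open any more, match the owner from step 1 against the domain logon records for the encryption window instead.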
Yashy (Author) commented:
I found the PC!! There's a txt file that says 'HELP_TO_SAVE_FILES.txt'.

But it is running at snail speed.

Do you think I can find the 'key.dat' file on that PC? So that I can decrypt everything?
James H, IT Director, commented:
You can forget trying to decrypt that way. If the tools cannot do it, then you are forced to restore your data. That is the only option at this point.
David Johnson, CD, MVP (Owner) commented:
No, you cannot recover these files using any known method without the decryption software and the key. To get this you pay the ransom and contribute to the problem. If nobody paid then these people would give up, but since it is a lucrative business model we will only see it used more and more, by more and more script kiddies. To make things worse, you could be hit by 2 versions at the same time and be doubly screwed. Your best recourse is to clean the offending computer (nuke and rebuild from image) and then restore the files from backup.
Once that message is shown, it is too late. Restore the data from the backups.
Eirman, Chief Operations Manager, commented:
"Most ransomware starts on the workstations, and then all data it can reach gets encrypted, including mapped drives and data saved in the cloud."
@rindi. That's really worrying about the cloud.

"Newer versions seem also to be able to encrypt unmapped drives."
Are you referring to UNC shares?

That with the cloud requires a connection to it. Many use a utility that can sync to the cloud automatically, or for example Windows 8.x, if the m$ account is used, is directly connected. That way the data there can easily be encrypted. If you just visit your cloud storage via a web browser, it is harder to encrypt, but you'd need to make sure that your browser doesn't store passwords and cookies are deleted.

It probably checks the network neighborhood for advertised servers and then what drives are shared, and then tries connecting to them. If the user account is allowed to use those shares it can encrypt the files there. At least that is how I believe it works.
Thomas Zucker-Scharff, Solution Guide, commented:
I believe rindi is correct; in short, yes - any drives that the user has write access to, whether mapped or not, are in danger. See my article on ransomware: http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html.

Pay particular attention to methods of prevention. Once a network and/or computer has been encrypted, backups are your friend, or versioning cloud backup such as CrashPlan PROe or Druva inSync.
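One server-side prevention control that follows from the point made above (any share the user can write to is exposed), as an added example that is not from this thread or the linked article: a File Server Resource Manager file screen on the Windows 2012 file server that denies creation of the .exx files and the ransom note name seen here, and logs each blocked attempt so the infected account shows up immediately. The share path D:\Shares\Folder2 is an assumption; FSRM must be installed (Install-WindowsFeature FS-Resource-Manager).

```powershell
# Added example, not from the thread. Requires the FSRM role service on the file server.
Import-Module FileServerResourceManager

$GroupName = 'Ransomware indicators (TeslaCrypt)'
$SharePath = 'D:\Shares\Folder2'   # assumed path of the share to protect

# File group: the encrypted-file extension and ransom note name reported in this thread.
# Screens match file names only, so a variant using a different extension is not caught.
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName `
        -IncludePattern @('*.exx', 'HELP_TO_SAVE_FILES.txt') | Out-Null
}

# Notification: write a Warning to the Application event log on every blocked write.
# FSRM fills in [Source Io Owner], [Source File Path] and [Server] at run time, so the
# event names the user account (and therefore the workstation) that is encrypting.
$LogAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'File screen blocked [Source Io Owner] writing [Source File Path] on [Server]. ' +
    'Probable ransomware: isolate that user''s session (see Get-SmbSession).')

# Active screen: denies the write instead of only reporting it (passive mode).
New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
    -Notification $LogAction -Description 'Deny TeslaCrypt-style encrypted file names' | Out-Null

# Verify the screen is in place and active.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

A file screen only stops writes that match the listed names; it does not replace backups or patching, and the event it logs is the cue to disconnect the offending user's session before the rest of the share is touched.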