Alpha865qqz ransomware


Alpha865qqz ransomware uses a misleading file extension to trick people into thinking that it’s a variant of GlobeImposter

Alpha865qqz ransomware, a.k.a. .Globeimposter-Alpha865qqz, is a file-encrypting virus that has been circulating since the middle of April 2020. It was first spotted by Michael Gillespie[1], who has denied that this ransomware belongs to the GlobeImposter group. The two actually have nothing in common.

The so-called Alpha865qqz ransomware virus belongs to the Maoloa ransomware family, which emerged in 2019. This cryptovirus uses the RSA and AES encryption algorithms to lock personal files and then pushes the victims to contact the criminals via one of several e-mail addresses listed in the HOW BACK YOUR FILES.txt ransom note.

According to researchers, this Maoloa version uses the misleading .Globeimposter-Alpha865qqz file extension to mark encrypted files. Access to such files is blocked, so people cannot open or rename their documents, pictures, photos, and other personal files. Unfortunately, free decryption software is not available yet. Victims must either pay the ransom to the criminals or try alternative data recovery options, for example, backups.

Name: Alpha865qqz ransomware
Classification: File-encoder/ransomware
Family: Maoloa ransomware
False claims: Some sources claim that this ransomware is a variant of GlobeImposter, which is not true. The virus uses a misleading file extension to make people think that it is a variant of this infamous group.
Distribution: This cryptovirus is mainly distributed by cracking Remote Desktop passwords. Once a password is cracked, the ransomware is planted manually on the machines reachable over the RDP service. In addition, it may be disguised as a spam e-mail attachment or a license key crack.
Symptoms:
  • Locked personal files
  • A generated .txt file which says “Your files have been encrypted”
  • Abnormal system performance
File extension: .Globeimposter-Alpha865qqz or .happychoose
Decryption: Several methods can be applied to recover files locked by this ransomware virus:

  • Victims can pay the demanded ransom, but this option is strongly discouraged because there is no guarantee of recovery and it carries further security risks;
  • People can upload ransomware samples to the official websites of ransomware hunters and wait for the experts to produce a free decryption tool (this option requires patience);
  • People can use alternative data recovery methods (Data Recovery Pro, Shadow Explorer, the Previous Versions feature)
Removal: Only the automatic removal option is available
Virus damage: Not repairing the system after the malware infection may cause serious Windows performance issues. Therefore, once the Alpha865qqz removal is finished, a scan with the Reimage Intego system repair tool is recommended.

The Alpha865qqz ransomware virus has been analyzed in detail since April. The main thing to understand is that this virus is not a strain of the notorious GlobeImposter even though it uses the .Globeimposter-Alpha865qqz file extension. It is a trick used by cybercriminals to mislead victims and security researchers.

After gaining access to the target machine, the ransomware starts running malicious processes that disable anti-virus programs, eliminate certain startup processes, and inject into legitimate Windows processes to hide behind them. To be more specific, the Alpha865qqz virus sets the following Windows registry policy entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup\DisableHomeGroup

As a consequence, neither the built-in Windows protection features nor third-party AV tools can run. Besides, the victims won’t be able to recover .Globeimposter-Alpha865qqz files because of a malicious PowerShell command which automatically deletes all Shadow Volume Copies[2]. Once done, it drops the ransom note HOW BACK YOUR FILES.txt in the following folders:

  • C:\Documents and Settings\Administrator\AppData
  • C:\Documents and Settings\Administrator\Application Data
  • C:\Documents and Settings\Administrator\Contacts
  • C:\Documents and Settings\Administrator\Cookies
  • C:\Documents and Settings\Administrator\Desktop
  • C:\Documents and Settings\Administrator\Documents
  • C:\Documents and Settings\Administrator\Downloads
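As an added defender-side check (not part of the original article or the malware), the following PowerShell audits the registry policy entries listed above, counts the remaining Shadow Volume Copies, and looks for the ransom note and the two file extensions named on this page. It is read-only; the user-profile root is assumed to be the parent of the current user's profile folder.

```powershell
# Added read-only audit for the Alpha865qqz indicators described above.
# Run in an elevated PowerShell on the suspect host; nothing is modified.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft'
# Registry entries named in the article; a Defender value of 1 means the protection is off.
$tamperEntries = @(
    @{ Path = "$policyRoot\Windows Defender";                      Name = 'DisableAntiSpyware' },
    @{ Path = "$policyRoot\Windows Defender\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' },
    @{ Path = "$policyRoot\Windows Defender\Real-Time Protection"; Name = 'DisableOnAccessProtection' },
    @{ Path = "$policyRoot\Windows Defender\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' },
    @{ Path = "$policyRoot\Windows NT\Terminal Services";          Name = 'MaxDisconnectionTime' },
    @{ Path = "$policyRoot\Windows NT\Terminal Services";          Name = 'MaxIdleTime' },
    @{ Path = "$policyRoot\Windows\HomeGroup";                     Name = 'DisableHomeGroup' }
)

$findings = foreach ($e in $tamperEntries) {
    # On an unmanaged workstation these policy values are normally absent entirely,
    # so their mere presence is worth a closer look.
    $value = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    [pscustomobject]@{
        Entry   = "$($e.Path)\$($e.Name)"
        Present = $null -ne $value
        Value   = $value
    }
}
$findings | Format-Table -AutoSize

# Shadow Volume Copies: the article reports they are deleted via PowerShell, so zero
# copies on a machine that had System Protection enabled is a warning sign.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
Write-Host "Shadow copies present: $shadowCount"

# Ransom note and encrypted-file markers named in the article.
$noteName   = 'HOW BACK YOUR FILES.txt'
$extensions = '*.Globeimposter-Alpha865qqz', '*.happychoose'
$userRoot   = Split-Path $env:USERPROFILE -Parent   # assumed: e.g. C:\Users
$notes  = Get-ChildItem -Path $userRoot -Recurse -Filter $noteName -File -ErrorAction SilentlyContinue
$locked = Get-ChildItem -Path $userRoot -Recurse -Include $extensions -File -ErrorAction SilentlyContinue

Write-Host "Ransom notes found: $(@($notes).Count)"
Write-Host "Files with ransomware extensions: $(@($locked).Count)"
```

Any present policy entry, a shadow-copy count of zero, or a non-zero note or extension count should be treated as a reason to isolate the host and start the removal steps below.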

Alpha865qqz ransom note example
Alpha865qqz ransomware virus is a highly dangerous file-encoder that takes advantage of the unprotected Remote Desktop connection services

Therefore, the main symptoms a victim should notice are the HOW BACK YOUR FILES.txt note and inaccessible files. No matter how scared you are, you should not rush to pay the ransom, because you may lose both your money and your files. Instead, use a robust anti-virus tool and remove the Alpha865qqz virus from Windows completely. After that, repair the system with the Reimage Intego repair tool to prevent system slowdowns, crashes, and errors caused by misconfigured files.

Your files are encrypted! 

—————–

To decrypt, follow the instructions below.
To recover data you need decrypt tool.
To get the decrypt tool you should: 

Send 1 crypted test image or text file or document to [email address]
In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me.
We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files.
After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it We can decrypt few files in quality the evidence that we have the decoder.
—————–

MOST IMPORTANT!!!

Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email address], will decrypt your files.
—————–

Only [email address] can decrypt your files
Do not trust anyone besides [email address]
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user’s unique encryption key

Keep in mind that the criminals have a single goal: to scare the victims into paying, so do not give them that satisfaction. As soon as you realize that the virus is running on the system, restart into Safe Mode and launch an AV scanner to remove the Alpha865qqz virus once and for all.

If you have been using cloud storage[3] to keep file backups, minimal damage can be expected, so you should not even consider paying the ransom. If, unfortunately, no backups are available, do not lose hope: some Alpha865qqz files can be recovered using alternative methods.

Ransomware dissemination methods

Ransomware is extremely stealthy in both distribution and execution. It exhibits highly malicious behavior which lets it gain persistence and encrypt files without being noticed. Therefore, it is very important to protect the system properly against these threats.

Alpha865qqz cryptovirus
Alpha865qqz ransomware aims at locking personal files and blackmailing the victims with a ransom demand

When talking about malware dissemination methods, it is very likely that threat actors use one or several of the following tactics:

  • Attachments and hyperlinks placed inside spam e-mail messages;
  • Software cracks and keygens available on suspicious websites;
  • Pirated software available on torrent and peer-to-peer websites;
  • Exploit kits that automatically launch the ransomware payload when the potential victim lands on a malicious website;
  • Remote Desktop connections (RDP) that are not password-protected;
  • Trojan infections that serve as a backdoor to deliver malware.

With all these methods in mind, it is very important to ensure full and robust Windows protection. First, install Windows updates regularly to close security vulnerabilities. Second, install a professional AV program with a full set of protection features. Finally, virus and spyware researchers from Dieviren.de[4] urge users to be very cautious on the Internet: do not click on misleading ads, close websites you are randomly redirected to, do not fall for software update pop-ups, do not rely on pirated software, and so on.

Double-check the system to ensure a complete Alpha865qqz ransomware removal

Those who are infected by viruses like Alpha865qqz ransomware should be aware that malware often arrives bundled with other malicious components. Therefore, there is a chance that the ransomware is not the only infection lurking in the background. Additionally, cryptoviruses may carry secondary Trojan and spyware payloads, so it is vital to scan the system with professional anti-virus software. Our recommended programs are SpyHunter 5, Combo Cleaner or Malwarebytes.

Alpha865qqz ransomware detection names
Alpha865qqz ransomware virus is currently recognized by 58 anti-virus programs.

As we have already pointed out, Alpha865qqz removal may not be easy, as the virus restricts AV functionality to prevent detection and elimination. To bypass the restrictions, restart the machine into Safe Mode with Networking. Once the removal is done, you can move on to the data recovery process.

Note: it is advisable to back up copies of all .Globeimposter-Alpha865qqz files before you initiate any decryption steps. That is a precautionary measure to prevent permanent file loss.

Reimage Intego has a free limited scanner. Reimage Intego offers a more thorough scan when you purchase its full version. When the free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Alpha865qqz using Safe Mode with Networking

A tutorial on how to reboot Windows into Safe Mode:

  • Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

  • Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.

  • Log in to your infected account and start the browser. Download Reimage Intego or another legitimate anti-spyware program. Update it before a full system scan, remove the malicious files that belong to the ransomware, and complete the Alpha865qqz removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Alpha865qqz using System Restore

A guide explaining how to restore a previous Windows state. This method can work when the system needs to be brought back to the state prior to the ransomware attack.

Bonus: Recover your data

The guide presented above is meant to help you remove Alpha865qqz from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Alpha865qqz, you can use several methods to restore them:

Data Recovery Pro is a useful tool for recovering lost files

Although it was designed for data recovery after system crashes, the Data Recovery Pro tool features a powerful restore engine that may recover some of the Alpha865qqz files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Alpha865qqz ransomware;
  • Restore them.

Try using Windows Previous Versions feature to recover your files one-by-one

If the Windows Previous Version feature has been enabled on the system, you will be able to recover the files one-by-one by enabling their versions that have been created before the ransomware attack. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

A free Alpha865qqz ransomware decryptor is not yet available.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Alpha865qqz and other ransomware, use a reputable anti-spyware tool, such as Reimage Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Online spying has gained momentum in recent years, and people are getting more and more interested in how to protect their privacy online. One of the basic ways to add a layer of security is to choose the most private and secure web browser. Although web browsers cannot grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features.

Nevertheless, there is a way to add an extra layer of protection and browse anonymously with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus disguising your IP address and geolocation. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, or made available to either first or third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without the feeling of being spied on or targeted by criminals.

While much of the data can be accidentally deleted due to various circumstances, malware is also one of the main culprits that can cause loss of pictures, documents, videos, and other important files. Potentially unwanted programs may clear files that keep the application from running smoothly.

More serious malware infections lead to significant data loss when your documents, system files, or images get locked. In particular, ransomware is a type of malware that focuses on exactly this, so your files become useless once you lose access to them. Even though there is little chance of recovery after a file-locking attack, some applications have data recovery features for the system.

In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

This entry was posted on 2020-07-21 at 03:55 and is filed under Ransomware, Viruses.