Alfa or Alpha is a ransomware that runs on Microsoft Windows. It is part of the Cerber family. Alfa was not created to be harmful. It was created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for their suitability for data protection.
Alfa is distributed via email spam messages that contain infected .WSF and .DOC files attachments. When these files are opened, users are asked to enable macro commands, which will then run the ransomware.
When Alfa is executed, the ransomware will scan all the local drives for certain file types. When it finds a targeted file extension it will encrypt the file and append the .bin extension to the encrypted file. For example, test.jpg will be encrypted to the filename test.jpg.bin. The file types currently targeted by the Alfa Ransomware are:
.c, .h, .m, .ai, .cs, .db, .nd, .pl, .ps, .py, .rm, .3dm, .3ds, .3fr, .3g2, .3gp, .ach, .arw, .asf, .asx, .avi, .bak, .bay, .cdr, .cer, .cpp, .cr2, .crt, .crw, .dbf, .dcr, .dds, .der, .des, .dng, .doc, .dtd, .dwg, .dxf, .dxg, .eml, .eps, .erf, .fla, .flvv, .hpp, .iif, .jpe, .jpg, .kdc, .key, .lua, .m4v, .max, .mdb, .mdf, .mef, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .nef, .nk2, .nrw, .oab, .obj, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .ost, .p12, .p7b, .p7c, .pab, .pas, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .pps, .ppt, .prf, .psd, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srt, .srw, .svg, .swf, .tex, .tga, .thm, .tlg, .txt, .vob, .wav, .wb2, .wmv, .wpd, .wps, .no, .xlk, .xlr, .xls, .yuv, .back, .docm, .docx, .flac, .indd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .xlsx
While encrypting the files, it will also create two ransom notes called README HOW TO DECRYPT YOUR FILES.HTML and README HOW TO DECRYPT YOUR FILES.TXT in the Documents and Desktop folders. These ransom notes contain information on what has happened to the victim's files, links to the TOR payment sites, and a victim's unique ID that must be used to login to the payment site.
The current TOR payment sites for the Alfa Ransomware are http://alfadecrfgqkcw6m.onion and http://2uxzf2mxe23f3clc.onion. Alfa will also create a autorun for the malware executable so that it is started every time a user logs into Windows. The autorun will be called MSEstl and the executable will be located in %UserProfile%\AppData\Roaming\Microsoft\Essential\msestl32.exe.
Finally, the ransomware will delete the Shadow Volume Copies on the victim's computer so that they are unable to use them to recover their unencrypted files.
When a user goes to the TOR payment site, they will be shown a login form. In this form, they need to insert the victim's ID listed in the ransom note. Once they login they will be presented with the Alfa Decryptor page as shown below. This page allows them to decrypt 1 file for free, find the ransom amount, the bitcoin address they must send the payment to, and the ability to check for payment status.
Once the payment has been completed, a decryptor will be made available to them on a page. Also included in the Alfa Decryptor site is a Frequent Asked Questions page.