Alpha865qqz ransomware (Virus Removal Instructions) - Bonus: Decryption Steps

Alpha865qqz virus Removal Guide

What is Alpha865qqz ransomware?

Alpha865qqz ransomware uses a misleading file extension to trick people into thinking that it's a variant of GlobeImposter

Alpha865qqz virus is the latest family member of the Maoloa ransomware.

Alpha865qqz ransomware, a.k.a. .Globeimposter-Alpha865qqz, is a file-encrypting virus that has been circulating since the middle of April 2020. It was first discovered by Michael Gillespie[1], who denied that this ransomware belongs to the GlobeImposter group. The two actually have nothing in common.

The so-called Alpha865qqz ransomware virus is a family member of the Maoloa ransomware that has emerged back in 2019. This cryptovirus takes advantage of the RSA and AES encryption algorithms to lock personal files and then pushes the victims to contact the criminals via ormazd_ahura@aol.com, maoloa@india.com, maoloa@yahoo.com or similar emails that are provided on the HOW BACK YOUR FILES.txt ransom note.

According to researchers, this Maoloa virus version uses the misleading .Globeimposter-Alpha865qqz file extension to mark encrypted files. Access to such files is restricted, so people cannot open or rename any documents, pictures, photos, and other personal files. Unfortunately, free decryption software is not available yet. People have to either pay a ransom to the criminals or try alternative data recovery options, for example, backups.

Name: Alpha865qqz ransomware
Classification: File-encoder/ransomware
Family: Maoloa ransomware
False claims: Some sources claim that this ransomware is a variant of GlobeImposter, which is not true. The virus uses a misleading file extension to make people think that it's a variant of this infamous group.
Distribution: This cryptovirus is mainly distributed via remote desktop password cracking. After the password has been cracked, the ransomware is manually deployed onto the machines that are connected to the RDP service. In addition, it may be disguised as a spam email attachment or a license key crack.
Symptoms:
  • Locked personal files
  • Randomly generated txt file, which says “Your files have been encrypted”
  • Abnormal system performance
File extension: .Globeimposter-Alpha865qqz or .happychoose
Decryption: Several methods can be applied to recover files locked by this ransomware virus:

  • Victims can pay the demanded ransom, but this option is highly not recommended because there is no guarantee of recovery and there are risks of further security issues;
  • People can upload ransomware samples to the official websites of ransomware hunters and wait for the experts to generate a free decryption tool (this option requires patience);
  • People can use alternative data recovery methods (Data Recovery Pro, Shadow Explorer, Previous Versions feature)
Removal: Only the automatic removal option is available
Virus damage: Not recovering the system after the malware infection may cause serious Windows performance issues. Therefore, once the Alpha865qqz removal is finished, a scan with the FortectIntego system repair tool is recommended.

The Alpha865qqz ransomware virus has been analyzed in detail since April. The main thing to understand is that this virus is not a strain of the notorious GlobeImposter even though it uses the .Globeimposter-Alpha865qqz file marker. It's a trick used by cybercriminals to mislead people and cybersecurity experts.

After gaining access to the target machine, the ransomware starts running malicious processes that are responsible for disabling anti-virus programs, eliminating certain startup processes, injecting into legitimate Windows processes to hide the ransomware behind them, etc. To be more specific, the Alpha865qqz virus creates the following Windows registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup\DisableHomeGroup

As a consequence, neither the built-in Windows protection features nor third-party AV tools can run. Besides, the victims won't be able to recover .Globeimposter-Alpha865qqz files because of a malicious PowerShell command, which automatically deletes all Shadow Volume Copies[2]. Once done, it generates a ransom note HOW BACK YOUR FILES.txt in the following folders:

  • C:\Documents and Settings\Administrator\AppData
  • C:\Documents and Settings\Administrator\Application Data
  • C:\Documents and Settings\Administrator\Contacts
  • C:\Documents and Settings\Administrator\Cookies
  • C:\Documents and Settings\Administrator\Desktop
  • C:\Documents and Settings\Administrator\Documents
  • C:\Documents and Settings\Administrator\Downloads
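The following triage script is an added example, not code from the original guide or from the malware's authors. It audits the policy values listed above, checks whether Volume Shadow Copies still exist, looks for shadow-copy deletion in PowerShell script block logs, and inventories ransom notes and encrypted files so that the attack window can be dated. The registry paths, value names, note name and extensions are taken from the guide; the search root, the log lookback window and the shape of the output objects are this example's own assumptions. Run it from an elevated PowerShell session on the suspected machine.

```powershell
# Added triage example (not part of the original guide). Run elevated.
# Assumptions: search root C:\Users, 7-day log lookback, output object shape.

$DefenderPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$RtpPolicy       = "$DefenderPolicy\Real-Time Protection"
$TsPolicy        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$HomeGroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'

# A value of 1 in the Defender entries disables that protection feature.
# The Terminal Services timeouts are flagged whenever they are present at all
# (Bad = $null), since an unmanaged workstation normally carries no such policy.
$Checks = @(
    @{ Path = $DefenderPolicy;  Name = 'DisableAntiSpyware';        Bad = 1 }
    @{ Path = $RtpPolicy;       Name = 'DisableBehaviorMonitoring'; Bad = 1 }
    @{ Path = $RtpPolicy;       Name = 'DisableOnAccessProtection'; Bad = 1 }
    @{ Path = $RtpPolicy;       Name = 'DisableRealtimeMonitoring'; Bad = 1 }
    @{ Path = $TsPolicy;        Name = 'MaxDisconnectionTime';      Bad = $null }
    @{ Path = $TsPolicy;        Name = 'MaxIdleTime';               Bad = $null }
    @{ Path = $HomeGroupPolicy; Name = 'DisableHomeGroup';          Bad = 1 }
)

function Test-TamperedPolicies {
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value absent: nothing to report
        $value = $item.($c.Name)
        [pscustomobject]@{
            Path       = $c.Path
            Name       = $c.Name
            Value      = $value
            Suspicious = ($null -eq $c.Bad) -or ($value -eq $c.Bad)
        }
    }
}

function Get-ShadowCopyStatus {
    # The guide says the malware deletes all shadow copies; an empty list on a
    # machine that had System Protection enabled is itself an indicator.
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ShadowCopyCount = $copies.Count
        NewestCreated   = ($copies | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    }
}

function Find-ShadowDeletionScriptBlocks {
    param([int]$Days = 7)
    # Script block logging (event 4104) records executed PowerShell text; look
    # for shadow-copy deletion inside the lookback window. Only useful when
    # logging was already enabled before the incident.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Win32_ShadowCopy|vssadmin(\.exe)?\s+delete\s+shadows' } |
        Select-Object TimeCreated, Message
}

function Get-EncryptionFootprint {
    param([string]$Root = 'C:\Users')            # assumed search root
    $noteName   = 'HOW BACK YOUR FILES.txt'
    $extensions = @('.Globeimposter-Alpha865qqz', '.happychoose')
    $files      = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    $notes      = @($files | Where-Object { $_.Name -eq $noteName })
    $encrypted  = @($files | Where-Object { $extensions -contains $_.Extension })
    # The first/last write times of encrypted files bracket the attack window,
    # which is what you need when choosing a restore point or shadow copy.
    [pscustomobject]@{
        RansomNotes       = $notes.Count
        NoteFolders       = @($notes.DirectoryName | Sort-Object -Unique)
        EncryptedFiles    = $encrypted.Count
        OldestEncryptedAt = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        NewestEncryptedAt = ($encrypted | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    }
}

# Run the four checks and print the results.
Test-TamperedPolicies           | Format-Table -AutoSize
Get-ShadowCopyStatus            | Format-List
Find-ShadowDeletionScriptBlocks | Format-List
Get-EncryptionFootprint         | Format-List
```

A "Suspicious = True" row for any of the Defender values explains why the AV tools stop working, and the NoteFolders list will show whether the note landed in the profile folders named above or in additional locations that also need cleaning.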

Alpha865qqz ransomware virus is a highly dangerous file-encoder that takes advantage of unprotected Remote Desktop connection services.

Therefore, the main symptoms that the victim notices should be a HOW BACK YOUR FILES.txt note and inaccessible files. No matter how scared you are, you should not rush to pay the ransom because this move can end up with both money and file loss. Instead, use a robust anti-virus tool and remove the Alpha865qqz virus from Windows completely. After that, recover the system using the FortectIntego repair tool to prevent system slowdowns, crashes, and errors due to misconfigured files.

Your files are encrypted!

—————–

To decrypt, follow the instructions below.
To recover data you need decrypt tool.
To get the decrypt tool you should:

Send 1 crypted test image or text file or document to China.Helper@aol.com
In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me.
We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files.
After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it We can decrypt few files in quality the evidence that we have the decoder.
—————–

MOST IMPORTANT!!!

Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except China.Helper@aol.com, will decrypt your files.
—————–

Only [email address] can decrypt your files
Do not trust anyone besides [email address]
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key

Keep in mind that criminals have a sole intention – to scare the victims and make them pay, so do not provide them with such joy. As soon as you understand that the virus is running in the system, restart the system into Safe Mode, and launch an AV scanner to remove Alpha865qqz virus once and for all.

If you've been using Cloud storage[3] to keep file backups, minimal virus damage can be expected. Therefore, you should not even consider paying the ransom. If, unfortunately, there are no available backups, do not lose hope, since some Alpha865qqz virus files can be recovered using alternative methods.

Ransomware dissemination methods

Ransomware type viruses are extremely stealthy in terms of distribution and performance. These viruses exhibit highly malicious behavioral traits, which enable them to easily gain persistence and encrypt files without being noticed. Therefore, it's very important to protect the system from these threats in a proper way.

Alpha865qqz ransomware aims at locking personal files and blackmailing the victims with a ransom demand.

When talking about malware dissemination methods, it is very likely that threat actors use one or several of the following tactics:

  • Attachments and hyperlinks positioned inside spam email messages;
  • Software cracks and keygens available on suspicious websites;
  • Pirated software available on torrent and peer-to-peer websites;
  • Vulnerability exploits that automatically execute the ransomware payload when the potential victim lands on a malicious website;
  • Remote Desktop connections (RDPs) that are not password-protected;
  • Trojan infections that serve as a backdoor to deliver malware.

Having all these methods in mind, it's very important to ensure full and robust Windows protection. First of all, make sure to regularly install Windows updates to close security vulnerabilities. Second of all, install a professional AV program that has a full package of protection features. Finally, virus and spyware researchers from Dieviren.de[4] urge users to be very cautious when using the Internet, i.e. do not click on misleading ads, close websites that you are redirected to randomly, do not fall for software update pop-ups, do not rely on pirated software, etc.
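Because the guide names RDP password cracking as this family's main entry point, the most useful defensive check is whether the host exposes RDP at all and whether anyone has been hammering it. The script below is an added example, not code from the original guide: it reports the host's RDP configuration and summarises failed remote logons from the Security log by source address. The 24-hour lookback window and the 20-failure threshold are this example's own assumptions. Run it from an elevated PowerShell session.

```powershell
# Added defensive check (not part of the original guide). Run elevated.
# Assumptions: 24-hour lookback and a threshold of 20 failures per source.

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $fw  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)   # 0 = connections allowed
        NlaRequired   = ($tcp.UserAuthentication -eq 1)  # 1 = Network Level Authentication on
        FirewallOpen  = ($fw.Count -gt 0)                # any enabled Remote Desktop rule
        ListeningPort = $tcp.PortNumber
    }
}

function Get-FailedRemoteLogons {
    param([int]$Hours = 24, [int]$Threshold = 20)
    # Event 4625 is a failed logon. LogonType 10 is RemoteInteractive (RDP);
    # type 3 (network) is what NLA records when it rejects a credential before
    # any session exists, so both are counted.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.LogonType -in @('3', '10')) {
            [pscustomobject]@{ Source = $data.IpAddress; Account = $data.TargetUserName; Time = $e.TimeCreated }
        }
    }
    # One row per source address that crossed the threshold, with the accounts it tried.
    $rows | Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Source';   e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } },
                      @{ n = 'LastSeen'; e = { $_.Group.Time | Sort-Object -Descending | Select-Object -First 1 } }
}

Get-RdpExposure        | Format-List
Get-FailedRemoteLogons | Format-Table -AutoSize
```

RdpEnabled = True with NlaRequired = False and an open firewall rule is exactly the exposure the guide describes; a source that appears in the second table with many accounts is a password-guessing run, and the machine should be treated as potentially compromised even if no ransom note has been dropped yet.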

Double-check the system to ensure a complete Alpha865qqz ransomware removal

Those who are infected by viruses like Alpha865qqz ransomware should be aware that malware spreads in packages of malicious components. Therefore, there's a chance that ransomware is not the only cyber infection lurking in the background. Additionally, cryptoviruses may carry secondary payloads such as Trojans and spyware, so it's vital to scan the system with the most professional anti-virus software. Our recommended programs are SpyHunter 5, Combo Cleaner, or Malwarebytes.

Alpha865qqz ransomware virus is currently recognized by 58 anti-virus programs.

As we have already pointed out, the Alpha865qqz removal may not be easy as it restricts AV functionalities to prevent detection and elimination. To bypass the restrictions, you should restart the machine into Safe Mode with Networking. Once the removal is done, you can move forward to the data decryption process.

Note: it's advisable to make copies of all .Globeimposter-Alpha865qqz files before you initiate any decryption steps. That's a precautionary measure to prevent permanent file loss.


Getting rid of Alpha865qqz virus. Follow these steps

Manual removal using Safe Mode

A tutorial on how to reboot Windows into Safe Mode:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to the Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to the Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Alpha865qqz using System Restore

A guide explaining how to enable the Previous Windows version. This method can work when the system needs to be brought back to the state prior to the ransomware attack.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Alpha865qqz. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Alpha865qqz removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Alpha865qqz from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.


If your files are encrypted by Alpha865qqz, you can use several methods to restore them:

Data Recovery Pro is a useful tool for recovering lost files

Although designed for data recovery after a system crash, the Data Recovery Pro tool features a powerful restore engine that may unlock some of the Alpha865qqz files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Alpha865qqz ransomware;
  • Restore them.

Try using Windows Previous Versions feature to recover your files one-by-one

If the Windows Previous Versions feature has been enabled on the system, you will be able to recover the files one-by-one by restoring the versions that were created before the ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.
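The "Previous versions" tab draws on Volume Shadow Copies, and the script below does the same lookup from an elevated PowerShell session, which is useful when many files need recovering or when the tab shows nothing for a folder but older snapshots still exist for the volume. It is an added example, not code from the original guide: it first copies the encrypted file aside so that nothing is lost if a decryptor appears later, then exposes each pre-attack snapshot through a directory symlink and copies the original file out if the snapshot holds it. The encrypted path, attack time and mount point in the usage line are placeholders, the file is assumed to sit on a drive-letter path (the drive prefix is stripped to build the in-snapshot path), and the attack time would normally come from the timestamps of the encrypted files themselves.

```powershell
# Added recovery example (not part of the original guide). Run elevated.
# Assumptions: placeholder encrypted path / attack time / mount point; files
# live on a drive-letter path; the ransomware extensions are those the guide names.

function Get-ShadowCopiesBefore {
    param([Parameter(Mandatory)][datetime]$Cutoff)
    # Snapshots created before the attack, newest first. Snapshots of other
    # volumes are tolerated: the file simply will not be found in them.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.InstallDate -lt $Cutoff } |
        Sort-Object InstallDate -Descending
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$EncryptedPath,
        [Parameter(Mandatory)][datetime]$AttackTime,
        [string]$MountPoint = 'C:\vss_snapshot'      # placeholder symlink location
    )
    # Precaution: keep the encrypted original untouched for a later decryptor.
    Copy-Item -LiteralPath $EncryptedPath -Destination "$EncryptedPath.bak" -ErrorAction Stop

    # The pre-attack name is the encrypted name without the ransomware extension.
    $originalPath = $EncryptedPath -replace '\.(Globeimposter-Alpha865qqz|happychoose)$', ''
    if ($originalPath -eq $EncryptedPath) { throw "Not a recognised encrypted file name: $EncryptedPath" }
    $inVolumePath = $originalPath.Substring(3)       # drop the leading 'C:\'

    foreach ($snap in Get-ShadowCopiesBefore -Cutoff $AttackTime) {
        # Expose the snapshot through a directory symlink; the trailing
        # backslash on the device path is required by mklink.
        if (Test-Path -LiteralPath $MountPoint) { cmd /c rmdir $MountPoint | Out-Null }
        cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null
        try {
            $candidate = Join-Path $MountPoint $inVolumePath
            if (Test-Path -LiteralPath $candidate) {
                Copy-Item -LiteralPath $candidate -Destination $originalPath
                return [pscustomobject]@{ Restored = $originalPath; FromSnapshot = $snap.InstallDate }
            }
        } finally {
            cmd /c rmdir $MountPoint | Out-Null   # rmdir removes the link only, never the snapshot
        }
    }
    $null   # no pre-attack snapshot held this file (the shadow copies may have been deleted)
}

# Usage (placeholder values):
# Restore-FileFromShadowCopy -EncryptedPath 'C:\Users\Alice\Documents\report.docx.Globeimposter-Alpha865qqz' `
#                            -AttackTime (Get-Date '2020-04-20 09:00')
```

If the function returns nothing for every file, the malware has most likely already deleted the shadow copies as described earlier on this page, and the remaining options are backups or the file recovery tools discussed below.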

A free Alpha865qqz ransomware decryptor is not yet available.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Alpha865qqz and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent from getting ransomware

Protect your privacy – employ a VPN

There are several ways to make your online time more private – you can use an incognito tab. However, it is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus keeping your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, or made available to either first or third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without the feeling of being spied on or targeted by criminals.

No backups? No problem. Use a data recovery tool

If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happens. Due to this, you should always ensure that you prepare proper data backups on a regular basis.

If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even the smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

References