AlphaBetaCrypt ransomware (Virus Removal Guide) - Free Instructions

AlphaBetaCrypt virus Removal Guide

What is AlphaBetaCrypt ransomware?

AlphaBetaCrypt ransomware – file locking malware that borrowed ransom note contents from Scarab virus developers

AlphaBetaCrypt ransomwareAlphaBetaCrypt ransomware is a file locking virus that uses three different encryption algorithms to lock all personal files on the system

AlphaBetaCrypt ransomware is a file locking virus that emerged in late January 2020. Just as other malware of the same type, upon entry, it modifies the Windows operating system so to prevent an easy recovery and then locks all pictures, documents, databases, videos, and other files. AlphaBetaCrypt virus uses a combination of AES, RSA and Salsa20[1] encryption algorithms to lock data, and appends a .CRYPT extension to each of the modified files. Note that data is not destroyed, but it needs a uniquely-generated key that lies within the attackers' reach only.

Due to this, hackers can attempt to extort money from users – as long as they are willing to recover the locked data, they are asked to contact crooks via alphasup@mail.ee, supalpha@cock.li, betasup@mail.ee, or betasup@cock.li and then transfer the demanded sum into a Bitcoin wallet. While no AlphaBetaCrypt ransomware decryptor is currently available, victims should not rush to pay criminals, as there is a chance of recovering data using alternative methods.

Name AlphaBetaCrypt ransomware
Type Cryptovirus, File locking virus
Also known as Alphasup ransomware, Betasup ransomware
Relation It is believed that one of the Scarab ransomware distributors is now delivering this malware
Cipher The malware uses several encryption algorithms during the encryption process – AES, RSA and Salsa20
File extension Each of the encrypted files is appended with .CRYPT marker, although system and executables are spared from this process
Ransom note README_README_README_README.txt – this file is used to deliver the most crucial information to the victim in order to make the payment smoother
Contact Malicious actors ask users to contact them via alphasup@mail.ee, supalpha@cock.li, betasup@mail.ee, or betasup@cock.li emails, attaching the personal identifier
Malware removal Use reputable anti-malware software to get rid of ransomware (in some cases, accessing Safe Mode is required so please check the instructions below)
Data recovery

Due to a combination of various encryption algorithms AlphaBetaCrypt ransomware uses, decrypting the locked files is almost impossible. Options for data recovery include:

  • Using third-party recovery tools
  • Paying ransom (not recommended)
  • Waiting till security researchers find bugs within the malware and develop a free decryptor
System fix In case your Windows OS is crashing and/or hanging after you get rid of malware, there is a chance that system files were damaged. To fix that, you could use PC repair software FortectIntego – you would avoid reinstallation of Windows

While the contents of a ransom note README_README_README_README.txt are seemingly copied from Scarab ransomware, there is no proof that the malware stems from same developers, although researchers believe that one of the distributors of this family is now propagating new ransomware, which was named AlphaBetaCrypt, alternatively known as Alphasup, or Betasup ransomware.

Due to relatively low prevalence, it is yet unknown what distribution methods AlphaBetaCrypt ransomware developers use. Due to possible relation to Scarab, however, we could assume that crooks could use similar tactics, including malspam, exploits, spam emails, etc.

Talking about AlphaBetaCrypt ransomware removal and prevention, we must note that using a comprehensive anti-malware software would stop the malware from entering the system. Currently, over 50 anti-virus engines recognize the threat as follows:[2]

  • Trojan:Win32/Skeeyah.A!MTB
  • Ransom_Crypren.R002C0GL519
  • Mal/Generic-L
  • Generic.mg.3c59f8f3d699d368
  • Trojan.AgentWDCR.YEH (B)
  • Other:Malware-gen [Trj]
  • Trojan.MulDrop11.30131, etc.

Once inside the system, AlphaBetaCrypt virus creates an executable that is named randomly and places it into the %TEMP% folder. From there, it launches the malicious file, which begins the infection process of the Windows machine. There are several changes performed on the system that are typical to any ransomware virus, including modification of Windows registry, removal of Shadow Volume Copies, creation of malicious files, termination of certain processes, etc.

Once the system is ready, AlphaBetaCrypt ransomware scans the machine for files to encrypt – it targets most commonly used file types, such as .pdf, .doc, .xlsx, .sql, .mdb, .mp4, .avi, .txt, .jpg, .gif, and many more. Nevertheless, the virus spares system and executable files for it to run, as the main goal of Alphasup ransomware authors is not to corrupt the machine but rather make victims pay for AlphaBetaCrypt decryptor.

AlphaBetaCrypt ransomware virusAlphaBetaCrypt ransomware is cryptomalware that holds files hostage until ransom in Bitcoins is paid

After the data locking process, AlphaBetaCrypt ransomware drops the note which reads:

===============================================================
WARNING!!!!
read this carefully!!!!!!

===============================================================
Your personal identifier

All your files are encrypted
Your documents, photos, databases and other important data were encrypted.
Data recovery requires a decryptor.
To receive the decryptor, you should send an email to the email address:

betasup@mail.ee
betasup@cock.li

In the letter, indicate your personal identifier (see the beginning of this document).

Next, you pay the cost of the decryptor. In the reply letter you will receive the address
Bitcoin-purse, to which you need to transfer money.

When the money transfer is confirmed, you will receive a file decryption for your computer.
After starting the decryption program, all your files will be restored.

Attention!
* Do not attempt to uninstall the program or run antivirus software
* Attempts to self-decrypt files will result in the loss of your data
* Decoders of other users are incompatible with your data, as each user
unique encryption key

===============================================================

While some users may think that paying crooks is the only choice, keep in mind that they are criminals who locked your computer files and now demand money – they might never send you the required decryption tool. Therefore, many security researchers[3] recommend avoiding contacting hackers and rather opt for other ways to recover AlphaBetaCrypt ransomware encrypted files.

Before you remove AlphaBetaCrypt ransomware, you should backup all the encrypted data, however, as using third-party tools may permanently damage files. Then, scan your computer with anti-malware software (in Safe Mode if required), and then retrieve your data from backups or make use of recovery tools. If your system keeps malfunctioning after that, you can use repair software FortectIntego to fix virus damage on your Windows machine.

Malicious actors can use multiple malware distribution methods – protect yourself adequately

Protecting your computer with anti-malware software is a must – those who do not have security tools installed are at the most considerable risk of being infected with malware, including ransomware. Additionally, outdated applications and the operating system can serve as a great way in for hackers – they can abuse vulnerabilities and implant ransomware without users taking any actions. That being said, these two basic protection measures are not enough to avoid most of the malware found on the web.

AlphaBetaCrypt ransomware encrypted filesAlphaBetaCrypt ransomware encrypts data with a combination of secure algorithms, which leaves very little chances victims of recovering data without paying the ransom

The most prevalent techniques for ransomware distribution involve social engineering – spam email (malspam) campaigns infect thousands of users when they open malicious attachments and allow a macro function to run. Therefore, it is imperative not to open attachments or click on embedded links inside suspicious emails. Note that some emails can be compiled well and resemble legitimate ones from high-profile companies like UPS, Amazon, etc., and crooks may also employ email spoofing[4] techniques in order to make the scam more believable.

Another most commonly used tactic is malicious executable files upload to hacked sites, as well as software cracks on warez and torrent sites. Djvu ransomware, which is the most common file locking malware in the wild, uses pirated installers and software cracks as the main distribution method. Thus, never download such dangerous files or always scan them with anti-malware before executing.

You should remove AlphaBetaCrypt virus by using a powerful anti-malware program

Because ransomware rarely uses any persistence mechanisms, AlphaBetaCrypt ransomware removal should not cause most security applications any troubles. In fact, some file locking viruses are known to terminate themselves after performing a file locking process. However, regular users will not know for sure whether the malware is still present on the machine, so it is always recommended to perform a full system scan.

As mentioned above, you should first copy all the encrypted files onto the USB flash or a virtual drive; otherwise, you are risking losing your files forever. If you had backups before the ransomware struck you, however, there is no need to do that, as you can completely recover from this attack (as long as you remove AlphaBetaCrypt ransomware before recovering your data).

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of AlphaBetaCrypt virus. Follow these steps

Manual removal using Safe Mode

In case AlphaBetaCrypt virus prevents your security software from starting or interferes with it in other ways, enter Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove AlphaBetaCrypt using System Restore

System Restore might also undo changes inflicted by ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of AlphaBetaCrypt. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that AlphaBetaCrypt removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove AlphaBetaCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by AlphaBetaCrypt, you can use several methods to restore them:

Data Recovery Pro method might just work

The less you use your computer after a ransomware infection, the higher chances you have of data retrieval from your hard drive. Use Data Recovery Pro:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by AlphaBetaCrypt ransomware;
  • Restore them.

Windows Previous Versions feature might help you recover individual files

In case you had System Restore enabled, this method may work for you.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

In some cases, ShadowExplorer could be the answer

If AlphaBetaCrypt failed to delete Shadow Volume copies, ShadowExplorer could help with file recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from AlphaBetaCrypt and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References