Alpha Crypt targets all versions of the Windows OS and spreads via the Angler exploit kit. It creates a randomly named executable file in the %AppData% folder and then scans for all available drives, including removable media, network shares, and Dropbox mappings. Once all drives are located, it begins locking files using AES encryption and deletes Shadow Volume Copies to prevent data restoration.
Files encrypted by Alpha Crypt carry the .ezz extension. It also creates a text-file ransom note in each folder that contains encrypted files and changes the desktop wallpaper to the ransom note as well. Payment is accepted only in the form of bitcoin. Alpha Crypt has a graphical user interface (GUI) that is nearly identical to TeslaCrypt, according to Bleeping Computer.
- Files encrypted by Alpha Crypt may be decrypted using the TeslaDecoder tool, found here, if the decryption key is present on the infected system and has not been destroyed.
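
The indicators described above (the .ezz extension, a text-file note in every affected folder, and an executable in the %AppData% folder) can be used to scope an infection during triage. The following is an added example, not code from the original page or from any tool it mentions. The page does not give the ransom note's file name, so the script assumes the note is whichever .txt name appears in every folder holding encrypted files; all file names in the sample tree are constructed.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".ezz"  # extension the page reports for encrypted files

def encrypted_by_folder(root):
    """Map each folder under root to the .ezz files it contains."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        locked = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        if locked:
            hits[folder] = locked
    return hits

def likely_ransom_notes(hits):
    """Assumption: the note is a .txt name present in every affected folder."""
    seen = Counter()
    for folder in hits:
        seen.update({f.lower() for f in os.listdir(folder) if f.lower().endswith(".txt")})
    return sorted(name for name, n in seen.items() if n == len(hits))

def appdata_executables(appdata):
    """Executables sitting directly in the %AppData% root, not in subfolders."""
    return sorted(p.name for p in Path(appdata).iterdir()
                  if p.is_file() and p.suffix.lower() == ".exe")

def build_sample_tree(base):
    """Constructed sample data; every file name here is invented for the demo."""
    layout = {
        "Docs": ["report.docx.ezz", "budget.xlsx.ezz", "NOTE_SAMPLE.txt", "todo.txt"],
        "Pics": ["cat.jpg.ezz", "NOTE_SAMPLE.txt"],
        "Clean": ["readme.txt", "notes.docx"],
        "AppData": ["qxkzpw.exe", "settings.ini"],
    }
    for folder, names in layout.items():
        (Path(base) / folder).mkdir()
        for name in names:
            (Path(base) / folder / name).write_bytes(b"sample")
    return Path(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = encrypted_by_folder(root)
        print({folder: len(locked) for folder, locked in hits.items()})
        print("ransom note candidates:", likely_ransom_notes(hits))
        print("executables in %AppData% root:", appdata_executables(root / "AppData"))
```

On a real host, point `encrypted_by_folder` at each mounted drive or share and `appdata_executables` at the affected user's %AppData% path; the per-folder counts show which drives and shares need restoring.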