Alpha Ransomware Removal Guide

Do you know what Alpha Ransomware is?

Alpha Ransomware creators have the insolence to say that by distributing this infection they not only intend no harm but also aim to make the Internet a better place. Perhaps, they do not mean to harm your data, but it does not change the fact that they are trying to extort money from users. Alpha Ransomware’s developers demand a ransom from their victims in exchange for decryption tools that would recover the data, which was encrypted by the malware. The note left behind contains a long text written in a manner to convince the user to pay the ransom. However, you cannot be sure if the malware’s creators really mean what they say, perhaps they have no intention of giving you the decryption tool. If you are not going to risk your savings, and you simply want to erase the infection, we can offer a removal guide below.

It appears to be that it is still unknown how the cyber criminals distribute this malicious program. Nonetheless, we have no doubt that it should install itself without the user’s permission. Once Alpha Ransomware infects the system, it should place a malicious executable file in the %APPDATA%\Microsoft\Essential directory. Then the user should notice README HOW TO DECRYPT YOUR FILES.TXT and README HOW TO DECRYPT YOUR FILES.HTML files on the Desktop.Alpha Ransomware Removal GuideAlpha Ransomware screenshot
Scroll down for full removal instructions

If you did restart the system, you should have noticed that the malware can auto-start with Windows. It happens because the infection should create particular entries in the Windows Registry. For example, our researchers notice that it can create value name called MSEstl in the Run key. Its value data should contain a path to the malicious executable file (C:\Users\user\AppData\Roaming\Microsoft\Essential\msestl32.exe).

After the malicious program is installed, it should begin the encryption process. During it, the infection encrypts user’s private data, e.g. pictures, photos, videos, various documents, and so on. Each encrypted file should be marked with an extra “.bin” extension at the end, for example, a locked text document could look like text.doc.bin. Once, all of your personal data is encrypted, Alpha Ransomware should open the README HOW TO DECRYPT YOUR FILES.TXT document.

The ransom note contains quite detailed instructions that explain to users what happened to their data and what they should do to get the decryption tool. If you do everything according to the text document, you should get the rest of instructions on the malware’s web page. Apparently, users should have about two weeks to make the payment, although the price could increase by 20% every three days. Still, we would not advise you to pay the ransom as there are no guarantees that you will get the promised tool. The cyber criminals should demand you to pay 1.5 BTC (~998 US dollars), so you should carefully consider if you want to risk losing so much money. Instead of making a rash decision, think about the data that got encrypted. Perhaps you stored some of it on removable media devices or shared it via social media. In that case, you could recover some of the files, but before you do that, it would be better to erase Alpha Ransomware.

If you want to have the option to pay the ransom, you could leave one of the text or HTML documents with the instructions on the computer, but there is no reason to keep the malicious data. Also, you probably do not want to see the ransom note every time you turn on the computer. Therefore, we placed a removal guide below. It will tell users how to get rid of the malicious data, infection’s entries in the Windows Registry, and ransom notes. If you are determined to eliminate the threat, you could also use a trustworthy antimalware tool. If you keep the tool updated, it should guard your computer against malware and keep it clean.

Delete Alpha Ransomware

  1. Open the Explorer (press Windows Key+E).
  2. Insert the following directory and click Enter: %APPDATA%\Microsoft\Essential
  3. Locate an executable file called msestl32.exe, right-click the file and select Delete.
  4. Go to: %USERPROFILE%\Desktop
  5. Find README HOW TO DECRYPT YOUR FILES.TXT and README HOW TO DECRYPT YOUR FILES.HTML documents and right-click them separately to delete.
  6. Close the Explorer and Open the Registry editor.
  7. Press Windows Key+R, type regedit and click OK.
  8. Navigate to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  9. Find a value name called MSEstl, it should have the following value data: C:\Users\user\AppData\Roaming\Microsoft\Essential\msestl32.exe
  10. Right-click MSEstl and select Delete.
  11. Go to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
  12. Find a key with a random title, e.g. “Cfqhvbwot”, right-click the key and select Delete.
  13. Close the Registry Editor.
  14. Empty Recycle bin.

In non-techie terms:

Alpha Ransomware is a malicious program designed by cyber criminals who seek to extort money from their victims. Currently, it is unknown how the infection spreads, so it is important to protect the system in every possible way. If your computer got infected, you can delete the malicious data with the instructions above or use an antimalware tool to eliminate the malware. It will not recover the encrypted data, but it will help you clean the system.