Security researchers have discovered a new malware program called ALVIN ransomware causing problems. Experts warn that the threat is very dangerous as it is developed by money-driven criminals who are likely to double-cross their victims.
The ransomware follows the standard pattern of "locking" its victims' data and holding it hostage until the victims pay the stated ransom. To achieve its objective, the threat uses scare tactics that push victims into acting impulsively.
Victims are advised not to swing into action but to consider their options. Experts explain that paying the attackers is not recommended as such actions encourage criminals to continue their malicious activities and infect other devices, scamming other people.
About ALVIN Ransomware
ALVIN is an efficient ransomware, designed to be sneaky and highly destructive.
Upon infiltrating a device, the ransomware launches a scan that detects the user-generated data. ALVIN ransomware looks for files that could contain valuable information, such as databases, documents, archives, and pictures.
ALVIN uses advanced encryption algorithms to lock the information and prevent the user from accessing it. Additionally, it will attempt to hinder data recovery operations by deleting the Shadow Volume Copies of data. Computers use this data when resetting back to factory settings.
The files encrypted by ALVIN ransomware can be spotted quickly as the ransomware renames the successfully encrypted data by following a simple pattern. ALVIN will insert its operators' email address, followed by a victim's ID and the original filename and extension. The threat will complete the new name by appending the ".ALVIN" extension.
For example, an archive called "trip_pictures.rar" will be renamed to "firstname.lastname@example.orgUI8956.trip_pictures.rar.ALVIN".
Upon completing the file-encryption procedure, ALVIN creates a file named "HOW TO RECOVER ENCRYPTED FILES.txt" in every folder containing encrypted data.
The text file contains a ransom-demanding message, which informs the victim that their data is recoverable, but for a price.
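The rename pattern and the per-folder ransom note described above are the two quickest host-side indicators an incident responder can check for. The following script is an added example, not code from the original article or from any analysis of the malware: it parses filenames that follow the documented pattern (operators' e-mail, victim ID, original name and extension, ".ALVIN" suffix) and tallies encrypted files, ransom notes and the contact addresses and victim IDs embedded in the names. Because the article's single example shows no separator between the e-mail and the victim ID, the regex accepts an optional dot there and assumes the ID is upper-case alphanumeric; both are assumptions. The directory listing is constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Ransom note name given in the article; dropped in every folder with encrypted files.
RANSOM_NOTE_NAME = "HOW TO RECOVER ENCRYPTED FILES.txt"

# Rename pattern from the article:
#   <operator e-mail><victim ID>.<original name>.<original ext>.ALVIN
# Assumptions (not stated on the page): the e-mail/ID separator may be a dot or
# nothing, and the victim ID is upper-case letters and digits.
ALVIN_NAME_RE = re.compile(
    r"^(?P<email>[^\s/\\@]+@[^\s/\\@]+?\.[a-z]{2,})"  # operators' e-mail address
    r"\.?(?P<victim_id>[A-Z0-9]+)\."                  # victim ID (assumed format)
    r"(?P<original>[^/\\]+)"                          # original name + extension
    r"\.ALVIN$"                                       # appended extension
)


def parse_alvin_name(filename):
    """Return (email, victim_id, original_name) for a file renamed in the
    ALVIN pattern, or None if the name does not match."""
    m = ALVIN_NAME_RE.match(filename)
    if not m:
        return None
    return m.group("email"), m.group("victim_id"), m.group("original")


def triage_listing(paths):
    """Scan a list of file paths (e.g. from a forensic image listing) and
    collect encrypted files, ransom-note locations and embedded indicators."""
    report = {
        "encrypted": [],        # (folder, original filename)
        "note_folders": [],     # folders where the ransom note was found
        "victim_ids": set(),
        "contact_emails": set(),
    }
    for p in paths:
        path = PurePosixPath(p)
        if path.name == RANSOM_NOTE_NAME:
            report["note_folders"].append(str(path.parent))
            continue
        parsed = parse_alvin_name(path.name)
        if parsed:
            email, victim_id, original = parsed
            report["encrypted"].append((str(path.parent), original))
            report["victim_ids"].add(victim_id)
            report["contact_emails"].add(email)
    return report


def folders_missing_note(report):
    """Folders that hold encrypted files but no ransom note; useful for spotting
    an interrupted run or a note the user deleted before the investigation."""
    encrypted_folders = {folder for folder, _ in report["encrypted"]}
    return sorted(encrypted_folders - set(report["note_folders"]))


# Constructed sample listing; the e-mail and ID mirror the article's example.
SAMPLE_LISTING = [
    "/home/user/Pictures/firstname.lastname@example.orgUI8956.trip_pictures.rar.ALVIN",
    "/home/user/Pictures/HOW TO RECOVER ENCRYPTED FILES.txt",
    "/home/user/Documents/firstname.lastname@example.orgUI8956.budget.xlsx.ALVIN",
    "/home/user/Documents/HOW TO RECOVER ENCRYPTED FILES.txt",
    "/home/user/Documents/notes.txt",   # untouched file, must not be flagged
    "/home/user/Downloads/setup.exe",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print("encrypted files:", len(result["encrypted"]))
    print("ransom notes in:", result["note_folders"])
    print("victim IDs:", sorted(result["victim_ids"]))
    print("contact e-mails:", sorted(result["contact_emails"]))
    print("folders without a note:", folders_missing_note(result))
```

On a real system the listing would come from walking the mounted image rather than a hard-coded list; the victim ID and contact addresses recovered this way are the values to match against the ransom note when confirming that all affected folders belong to the same infection.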
Ransom Note Text:
“"ALVIN RANSOMWARE" Your unique ID:"-"
All personal files on your computer are encrypted!
TEST OUR TOOL FIRST:
Before you make a payment you should test our tool first for decrypting your data.
Before paying to send us up to 1 file for free decryption.
The total size of the file must be less than 1Mb (the file should not be important to you).
Don't worry, you can restore all your files.
Without the original key recovery is impossible.
If you want to decrypt your files, you have to pay in Bitcoin.
The price depends on how fast you write to us.
If you want to restore files, write us to the e-mail: "email@example.com"
It is in your interest to respond as soon as possible to ensure the restoration of your files,
Because we won't keep your decryption keys at our server more than one Week because of our security.
Only in case you do not receive a response from the first email address
Withit 24 hours, please use this alternative email adress: "firstname.lastname@example.org"
You can buy bitcoin from here:
-You can find other places to buy Bitcoins and beginners guide here:
1-Using other tools could corrupt your files, in case of using third party software
We don't give guarantees that full recovery is possible.
2-Please do not change the name of files or file extension if your files are important to you!”
Victims are instructed to contact the criminals via email as soon as possible. They are to address their messages to either email@example.com or firstname.lastname@example.org email addresses. Victims can submit one small file (up to 1MB) that will be restored for free as proof that decryption is possible.
Additionally, victims are warned not to rename their files and to refrain from using third-party decryption software as such action could cause data damage.
Sadly, there is no alternative decryption tool for ALVIN ransomware. However, as the threat is yet to be analyzed, a bug in its code could allow researchers to develop decryption software soon.
Rather than involving the criminals in data recovery, victims should restore from backups saved on cloud or external storage. Of course, as experts point out, the ransomware must be removed before attempting data recovery; otherwise, the threat could reach the backup device and encrypt the data saved on it.
Evidence suggests that ALVIN is spread via mass-distribution techniques, such as malicious macros, corrupted app installers and malicious links. Like many other threats, this ransomware lurks in the shadows and waits for a user to make a mistake.
ALVIN preys on naive users who are likely to fall into traps. However, good cyber hygiene can prevent its tricks from succeeding.
Users are strongly recommended to do their due diligence and to apply the best security practices.