If your documents, photos and music does not open normally, [email@example.com].aleta added at the end of their name then your computer is infected with a new Aleta ransomware from a family of file-encrypting ransomware. Once opened, it have encrypted all photos, documents and music stored on a PC system drives and attached network drives.
It uses very strong hybrid encryption with a large key. When the ransomware virus encrypts a file, it will add the [firstname.lastname@example.org].aleta extension to each encrypted file. Once the ransomware virus finished enciphering of all personal files, it will create a file named “!#_READ_ME_#!.inf” with tutorial on how to decrypt all documents, photos and music.
Table of contents
- What is email@example.com ransomware
- How to decrypt .[firstname.lastname@example.org].aleta files
- How to remove [email@example.com].aleta ransomware
- Restoring files encrypted with Aleta ransomware virus
- How to prevent your computer from becoming infected by Aleta ransomware infection?
- To sum up
The aleta ransomware virus offers to make a payment in Bitcoins to get a key to decrypt files. Important to know, currently not possible to decrypt .[firstname.lastname@example.org].aleta documents, photos and music without the private key and decrypt program. If you choose to pay the ransom, there is no 100% guarantee that you can recover all photos, documents and music! If you do not want to pay for a decryption key, then you have a chance to restore encrypted personal files.
Use the step-by-step guide below to remove the ransomware virus itself and try to recover encrypted photos, documents and music.
What is email@example.com ransomware
Black.firstname.lastname@example.org (aleta) ransomware is a variant of crypto viruses (malware that encrypt personal files and demand a ransom). It affects all current versions of Microsoft Windows operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware virus uses long key to eliminate the possibility of brute force a key which will allow to decrypt encrypted files.
When the ransomware infection infects a machine, it uses system directories to store own files. To run automatically whenever you turn on your PC, aleta ransomware virus creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the ransomware infection scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension, as a way to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.dba, .docx, .mpqge, .ptx, .zif, .dmp, .3dm, .odt, .wmv, .3ds, .xdl, .zdb, .itl, .mcmeta, .wsd, .xx, .qdf, .sis, .upk, .wpt, .raf, .wpe, .rtf, .rwl, .xpm, .vfs0, .big, .m3u, .p7c, .xf, .esm, .odb, .sum, .crt, .litemod, .flv, .fos, .zip, .orf, .xlsb, .wps, .png, .apk, .pfx, .wri, .rar, .lrf, .wps, .pem, .dng, .der, .x, .avi, .snx, .wma, .jpg, .zdc, .webdoc, .wmf, .docm, .ws, .mdb, .rw2, .3fr, .doc, .d3dbsp, .hkx, .wdb, .x3f, .asset, .wav, .dxg, .xlsm, .zi, .db0, .pak, .syncdb, .gho, .vpk, .2bp, .wmv, wallet, .py, .cdr, .ysp, .wma, .tor, .dwg, .pst, .sql, .layout, .wbd, .t13, .xlsm, .map, .vcf, .0, .pkpass, .iwi, .dazip, .rgss3a, .bc7, .hvpl, .wsc, .ztmp, .7z, .bsa, .csv, .wp5, .mddata, .pef, .xmind, .xlsx, .raw, .sie, .sidn, .vdf, .w3x, .bkf, .xar, .wmd, .cr2, .xls, .kdb, .y, .xy3, .xbplate, .das, .mov, .mlx, .vpp_pc, .bik, .1st, .srf, .wm, .wb2, .wotreplay, .hkdb, .dbf, .psk, .wire, .xml, .rb, .sr2, .cer, .wcf, .nrw, .mef, .wbk, .tax, .dcr, .pptx, .wdp, .re4, .wmo, .wpd, .wpb, .x3d, .bar, .itdb, .sid, .svg, .1, .hplg, .m4a, .odm, .eps, .ntl, .webp, .sav, .xwp, .wot, .kdc, .yal, .wp6, .x3f, .wp4, .wpl, .zabw, .ppt, .wpg, .wbmp, .kf, .xlgc, .bc6, .erf, .cas, .mdbackup, .t12, .ybk, .qic, .arw, .r3d, .xbdoc, .jpeg, .zw, .js, .icxs, .z, .xmmap, .menu, .p12, .desc, .xyw, .mrwref, .lbf, .jpe, .pdd, .rim, .wp, .xdb, .xls, .iwd, .blob, .xlk, .itm, .crw, .bkp, .m2, .mp4, .wsh, .wp7, .lvl, .css, .wbc, .wn, .txt, .pdf, .vtf, .rofl
Once a file is encrypted, its extension replaced to [email@example.com].aleta. Next, the ransomware creates a file called “!#_READ_ME_#!.inf”. This file contain guide on how to decrypt all encrypted files. An example of the tutorial is:
Your important files produced on this computer have been encrypted due a security problem[FREE DECRYPTION AS GUARANTEE]
If you want to restore them, write us to the e-mail: firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Before paying you can send to us up to 3 files for free decryption.[HOW TO OBTAIN BITCOINS]
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
The easiest way to buy bitcoin is LocalBitcoins site.[ATTENTION]
You have to register, click Buy bitcoins and select the seller
by payment method and price
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours – your key has been deleted and you cant decrypt your files
The aleta ransomware infection actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a threatening message on the desktop. It is trying to force the user of the infected system, do not hesitate to pay a ransom, in an attempt to recover their documents, photos and music.
How to decrypt .[email@example.com].aleta files
Currently there is no available method to decrypt [firstname.lastname@example.org].aleta files. The virus repeatedly tells the victim that uses a strong encryption mode. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a method because of the big length of the key. Therefore, unfortunately, the only payment to the developers of the aleta ransomware entire amount requested – the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the authors of the aleta ransomware infection, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware infection.
How to remove [email@example.com].aleta ransomware
The aleta virus can hide its components which are difficult for you to find out and delete completely. This may lead to the fact that after some time, the ransomware virus again infect your PC and encrypt your documents, photos and music. Moreover, I want to note that it’s not always safe to get rid of ransomware virus manually, if you don’t have much experience in setting up and configuring the MS Windows operating system. The best way to detect and delete aleta ransomware is to run free malicious software removal software that are listed below.
Scan and free your computer of Aleta with Zemana Anti-malware
We recommend using the Zemana Anti-malware. You can download and install Zemana Anti-malware to detect and delete aleta ransomware from your computer. When installed and updated, the malware remover will automatically scan and detect all threats present on the computer.
Download Zemana anti-malware on your Microsoft Windows Desktop by clicking on the link below.
Author: Zemana Ltd
Category: Security tools
Update: April 20, 2017
When the download is done, close all applications and windows on your personal computer. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as displayed in the following example.
When the installation begins, you will see the “Setup wizard” that will help you install Zemana anti-malware on your computer.
Once install is finished, you will see window as shown in the figure below.
Now click the “Scan” button to begin scanning your computer for the aleta ransomware infection and other known infections. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. During the scan it’ll detect all threats present on your PC.
When it has finished scanning, it’ll open a scan report. In order to remove all items, simply click “Next” button.
The Zemana Anti-malware will start removing aleta ransomware infection related files, folders and registry keys.
Remove [firstname.lastname@example.org].aleta ransomware with Malwarebytes
You can delete aleta ransomware virus automatically with a help of Malwarebytes Free. We suggest this free malware removal tool because it may easily remove ransomwares, ad supported software, PUPs and toolbars with all their components such as files, folders and registry entries.
Download Malwarebytes by clicking on the following link.
Category: Security tools
Update: May 12, 2017
When downloading is done, close all applications and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown in the following example.
When the setup begins, you will see the “Setup wizard” which will help you install Malwarebytes on your computer.
Once installation is finished, you will see window like below.
Now click the “Scan Now” button to perform a system scan for the aleta ransomware infection and other trojans and dangerous software. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. While the program is checking, you can see how many objects it has identified as threat.
As the scanning ends, it’ll open a list of all threats found by this utility. Review the report and then click “Quarantine Selected” button.
The Malwarebytes will begin removing aleta ransomware virus related files, folders, registry keys. Once disinfection is finished, you may be prompted to reboot your PC system.
The following video explains step-by-step guide on how to remove ransomware and other malicious software with Malwarebytes Anti-malware.
Scan and free your computer of ransomware with KVRT
KVRT is a free removal utility that can be downloaded and use to delete viruses, ad supported software, malware, potentially unwanted software, toolbars and other threats from your machine. You may use this tool to scan for threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) from the following link and save it directly to your MS Windows Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: November 3, 2015
When downloading is finished, double-click on the KVRT icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button for scanning your machine for the aleta virus and other known infections. This procedure can take some time, so please be patient. While the utility is scanning, you can see number of objects it has identified either as being malicious software.
When it has complete scanning, it will open a list of all items found by this utility as shown in the following example.
Make sure all dangerous entries are ‘selected’ and click on Continue to start a cleaning task.
Restoring files encrypted by Aleta ransomware
In some cases, you can restore files encrypted by aleta virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Recover .[email@example.com].aleta files with ShadowExplorer
In some cases, you have a chance to restore your photos, documents and music which were encrypted by the aleta virus. This is possible due to the use of the tool called ShadowExplorer. It is a free application which created to obtain ‘shadow copies’ of files.
Download ShadowExplorer from the link below. Save it on your MS Windows desktop or in any other place.
Category: Security tools
Update: February 12, 2016
After the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the figure below.
Double click ShadowExplorerPortable to start it. You will see the a window like below.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point like below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as displayed below.
Use PhotoRec to recover .[firstname.lastname@example.org].aleta files
Before a file is encrypted, the aleta ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore applications such as PhotoRec.
Download PhotoRec from the link below. Save it on your MS Windows desktop or in any other place.
Category: Security tools
Update: March 23, 2016
Once the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as displayed on the image below.
Choose a drive to recover as displayed below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown in the figure below.
Press File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered personal files should be written, then click Search.
Count of recovered files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is finished, press on Quit button. Next, open the directory where restored files are stored. You will see a contents as shown in the figure below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to prevent your computer from becoming infected by Aleta ransomware?
Most antivirus software already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Use CryptoPrevent to protect your system from [email@example.com].aleta virus
Download CryptoPrevent from the link below.
Run it and follow the setup wizard. Once the install is done, you will be shown a window where you can choose a level of protection, as displayed below.
Now click the Apply button to activate the protection.
To sum up
After completing the step-by-step tutorial outlined above, your PC should be clean from aleta ransomware infection and other malware. Your machine will no longer encrypt your personal files. Unfortunately, if the step-by-step instructions does not help you, then you have caught a new variant of virus, and then the best way – ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
Category: Security tools
Update: November 7, 2015
- Double-click on the HijackThis icon. Next click “Do a system scan only” button.
- When it has finished scanning your personal computer, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the firstname.lastname@example.org virus.