{
	"id": "2138a7c2-dc25-4fc5-b4d3-8a6084990055",
	"created_at": "2026-04-06T00:21:48.725901Z",
	"updated_at": "2026-04-10T13:11:27.640098Z",
	"deleted_at": null,
	"sha1_hash": "f2789d25aec38632e0160c9b117b7dd1d1d5ca4d",
	"title": "An Introduction to AlphaLocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1282343,
	"plain_text": "An Introduction to AlphaLocker\r\nBy Jim Walter\r\nArchived: 2026-04-05 15:09:14 UTC\r\nIt is always a treat, as a malware researcher, to come across something new and unique, and to then follow the\r\nresulting rabbit hole as far as you can go. I believe most of us in the cybersecurity industry enjoy that particular\r\npart of the puzzle, especially when you are able to fully trace the origin of a novel artifact or binary. Starting with\r\na single random file, and ending up with a broad picture of the economy behind that malware is highly satisfying\r\nand often eye-opening.\r\nWhich brings us to yet another family of ransomware – AlphaLocker.  \r\nIntroducing AlphaLocker\r\nThis family of ransomware is directly purchased from the author via the Internet. The buyer can then choose to\r\nhost/spread/distribute it in whatever way they see fit - as opposed to some of the more recent turn-key offerings\r\nlike Ransom32, ORX-Locker, or Encryptor RAAS, which lack a full administrative panel and other customization\r\nfeatures present in a fully packaged malware ‘kit’.\r\nThis is an interesting example to highlight for a couple of reasons. First and foremost, AlphaLocker is cheap\r\ncompared to other types of ransomware. 
The first versions began to appear in March 2016, priced at only $65 USD, paid via Bitcoin.\r\nhttps://web.archive.org/web/20200505071300/https://threatvector.cylance.com/en_us/home/an-introduction-to-alphalocker.html\r\nPage 1 of 18\r\nFigure 1: AlphaLocker Advertising\r\nFigure 2: More AlphaLocker Advertising\r\nFigure 3: Still More AlphaLocker Advertising\r\nFor that low price you get your own unique copy of the main executable (the actual ransomware), the master decryptor binary (based on Hidden Tear), and your own administrative panel instance. Hosting, spreading, and other typical ransomware services are then left to the buyer.\r\nThe lower price point allows ‘less-skilled’ ne'er-do-wells to possess and control (and profit from) ransomware, with little to no coding and zero ramp-up time.\r\nSample Review\r\nAlso of note is the fact that the author(s) of AlphaLocker are continually generating updates to evade detection by traditional signature-based AV technologies. While that practice is absolutely the norm amongst malware authors, it never ceases to amaze just how easily the bad guys are able to keep up the evasion, staying one step ahead of signature-based detection technologies.\r\nIn reviewing a handful of AlphaLocker samples via a popular multi-engine sample-scanning site, most of the samples were only detected by between zero and nine out of 56 AV vendors. In one example, the AlphaLocker binary was compiled on 4/17/2016 and submitted to the sample-scanning site that same day, showing a 9/56 detection ratio. Upon a rescan 12 days later on 4/29/2016, the detection rate for that exact same sample was still only 22/56.\r\nWorryingly enough, some of those detections are based on the respective vendors’ cloud-based detection mechanisms. In other words, if you take away connectivity to said service, that product would cease to detect as well.\r\nWe will cover detections with CylancePROTECT® further down in this blog, in order to illustrate how our artificial intelligence based approach stops malware dead pre-execution, without the need for signatures, prior knowledge of the sample, cloudy heuristics, frequent updates, and so on.\r\nThere is another critical point worth mentioning here. AlphaLocker is based on the EDA2 project, by Utku Sen. This was an ‘open source’ ransomware project that, until recently, was openly available via Utku’s GitHub. In January 2016, the source was pulled by Utku in response to the code being used in real attacks (and the data could not be recovered via a built-in backdoor). This is a CRITICAL point. Not only is the behavior blatantly and contextually malicious, but the actual source code is public and easy to find. Again, there is no reason why any reputable AV product should fail to detect this ransomware. Unfortunately, most are still failing.\r\nDelving Deeper\r\nBefore we explore this detection piece further, I’d like to walk you through the full AlphaLocker service, including the admin panels and specifics on the ransomware binaries themselves. During our analysis here at Cylance, we were able to get a rare and close glimpse into the AlphaLocker ecosystem. Sometimes we luck out and get to take careful advantage of silly oversights on the part of the ‘bad guys’. In this case, we were able to find more than one active C2 where the initial config files (install.php) were still present.\r\nAll of AlphaLocker’s configuration and support files are unencrypted and in English, while the author(s) appear to be Russian (based on data contained in some of the panel files, as well as the particular forums in which the ransomware is advertised).\r\nAll of the included configuration and supporting files are shown below:\r\nFigure 4: AlphaLocker C2 Panel Root 1\r\nThe included README file covers full installation, including setup of the panel itself (PHP modules, dependencies, etc.) as well as setup of the BTC-based payment system:\r\nFigure 5: AlphaLocker README 1\r\nFigure 6: AlphaLocker README 2\r\nFigure 7: AlphaLocker README 3\r\nThe admin panel credentials AND the MySQL root credentials are stored, in plain text, within db.php in the server’s root:\r\nFigure 8: AlphaLocker db.php\r\nAlphaLocker’s admin login panel can be reached via login.php:\r\nFigure 9: AlphaLocker Panel 1\r\nUpon login, infected and encrypted hosts can be viewed and managed by the buyer. Stats and various maintenance settings are available as well.\r\nFigure 10: AlphaLocker Panel 2\r\nFigure 11: AlphaLocker Panel 3\r\nFigure 12: AlphaLocker Panel 4\r\nThe Malware\r\nThe actual ransomware executables for AlphaLocker are rather straightforward, given the EDA2 foundation. Each file is encrypted individually with its own unique AES key. The AES keys are RSA-encrypted using a keypair stored in the C2’s local MySQL DB, and the encrypted keys are posted to the C2. In general, for most EDA2-based malware, the flow is similar to the following:\r\n1. The executable sends a POST request to the C2, which contains the unique ID for the victim.\r\n2. The C2 creates the public/private RSA (2048) keypair, and sends the public key to the main ransomware executable. The private key remains stored in the DB.\r\n3. A random AES key is generated (per file).\r\n4. The ransomware executable encrypts each file with the newly generated AES key.\r\n5. The AES key is encrypted with the RSA public key, and is then sent to the C2 via POST.\r\nThe samples we tested also modify the desktop background on the victim/host’s computer. A common thread across the EDA2-based threats is the hosting of background images on imgur.com.\r\nThe affected encrypted file types can vary across samples. The individual buyer of the ransomware has the choice of file types to support. 
The default set of files, which will be encrypted across all available drives is\r\nas follows:\r\n.asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt,\r\n.pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd,\r\n.php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val,\r\n.wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum,\r\n.rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais,\r\n.amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc,\r\n.odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx,\r\n.dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft,\r\n.pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv,\r\n.puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx,\r\n.zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .asp, .indd, .asr, .qbb, .bml, .cer, .cms,\r\n.crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf,\r\n.h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr,\r\n.sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .w3x, .wtd, .wtf, .ccd,\r\n.cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .bkf, .ade, .adpb, .dic,\r\n.cch, .ctt, .dal, .ddc, .ddcx, .dex, 
.dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .odf, .odp, .ods, .pab, .pkb,\r\n.pkh, .pot, .potx, .pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf,\r\n.upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp,\r\n.dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc,\r\n.pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla,\r\n.xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std,\r\n.ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd,\r\n.wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2,\r\n.r3d, .ptx, .pef, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif\r\nExample: http://i.imgur.com/(xxxxx).jpg (where xxxxx is a random string of letters).\r\nFigure 13: Background Image Direct 1\r\nFigure 14: Background Image Direct 2\r\nAlphaLocker is not the only family of ransomware pulling their wallpaper from imgur.com in this fashion. Another EDA2-based kit known as SkidLocker does the same:\r\nFigure 15: SkidLocker Background 1\r\nSkidLocker strings show the hosting of the image as follows:\r\nhttp : //23.227.199.175/createkeys.php\r\nhttp : //23.227.199.175/getamount.php\r\nhttp : //23.227.199.175/savekey.php\r\nhttp : //23.227.199.175/update.php\r\nhttp : //23.227.199.175/finished.php\r\nhttp : //23.227.199.175/exception.php\r\nhttp : //i.imgur.com/By3yCwd.jpg\r\nhttp : //23.227.199.83/Decrypter.exe\r\nUpon infection and subsequent encryption of files, the victim is provided with a simple text file with instructions on how to pay the ransom. Key.php is typically hosted on the same C2 server, and the victim’s unique ID is passed to key.php as a parameter:\r\nFigure 16: AlphaLocker Ransom Note (README Notepad File)\r\nWhen the victim browses to the assigned URL, they will see the following BTC payment interface:\r\nFigure 17: AlphaLocker Bitcoin Payment Page\r\nSo, as far as EDA2-based ransomware goes, AlphaLocker sticks close to default.\r\nCylancePROTECT vs. AlphaLocker\r\nMoving on to detection, we gathered multiple samples of AlphaLocker from a variety of sources and pitted them against CylancePROTECT. CylancePROTECT detected and prevented 100% of the AlphaLocker samples tested:\r\nFigure 18: CylancePROTECT Minimized View, Showing Quarantined AlphaLocker Files\r\nFigure 19: CylancePROTECT Console View\r\nHashes (SHA256)\r\nConvinced that the next generation of endpoint security is right for your organization? Contact a Cylance expert to get started!\r\nSource: https://web.archive.org/web/20200505071300/https://threatvector.cylance.com/en_us/home/an-introduction-to-alphalocker.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20200505071300/https://threatvector.cylance.com/en_us/home/an-introduction-to-alphalocker.html"
	],
	"report_names": [
		"an-introduction-to-alphalocker.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2789d25aec38632e0160c9b117b7dd1d1d5ca4d.pdf",
		"text": "https://archive.orkl.eu/f2789d25aec38632e0160c9b117b7dd1d1d5ca4d.txt",
		"img": "https://archive.orkl.eu/f2789d25aec38632e0160c9b117b7dd1d1d5ca4d.jpg"
	}
}