Crypt888 ransomware. How to remove? (Uninstall guide)

By Olivia Morelli | Type: Ransomware

Authors of the Crypt888 virus continue updating the ransomware


Crypt888 is a file-encrypting virus that has been updated numerous times. Different variants of it have targeted various European countries and demanded several hundred dollars for data recovery software. In July 2017, a new variant named Zuahahhah emerged. Fortunately, it is decryptable.

The analysis reveals that all these different virus versions feature only very slight changes in the source code; however, each version provides a different user interface and language of communication [1]. For instance, one of the variants addresses its victims in Portuguese [2]. This ransomware strain initially comprised the Aviso and MIRCOP ransomware, but new ransomware versions appear one after another.

Since a Crypt888 decryption tool is already available, we assume that cyber criminals are trying to confuse victims and make them search the web for information about Petya ransomware, which cannot be decrypted using any free tools at the moment.

Most likely criminals expect to convince victims to pay the ransom by pretending to be a different virus. However, instead of improving the weak malware code, virus authors decide to employ fraudulent techniques and tell tales in the ransom note.

One of the newest virus versions targets Czech-speaking computer users, encrypts files and, just like the previous versions, adds Lock. to the beginning of the original filename. For instance, picture.jpg becomes Lock.picture.jpg. The virus asks for 0.8 BTC (584 USD) as a ransom for a decryption tool, but the amount of the ransom is different in every ransomware version. For instance, the latest variant demands around 2000 USD for access to the files.

Of course, you shouldn’t pay it, because it is possible to recover encrypted files for free. Scroll down to see the Crypt888 removal instructions and the data recovery guide.

The variants of Crypt888 ransomware

MIRCOP ransomware. The initial version of the discussed ransomware virus used to set a black wallpaper with a picture of the Anonymous mask on it, accompanied by a short note stating the conditions for data recovery. The virus states that the victim “has stolen 48.48 BTC from the wrong people” and now needs to return them, and attempts to threaten the victim with a line “don’t take us for fools, we know more about you than you know about yourself.” You should not believe in such ridiculous threats and remove Crypt888 malware as soon as possible. [3]

Aviso ransomware. Aviso virus is a Brazilian version of this ransomware, which commands victims to contact criminals via informacaoh@gmail.com after paying a ransom worth 2000 Brazilian reals. The virus also adds the Lock. prefix to encrypted data, and these files can be recovered for free using the Crypt888 decryptor. This version does not differ from the previous ones except for the ransom note it sets as the desktop wallpaper.

The Italian version of Crypt888. Little information is available about the Italian version of this virus; however, according to malware researchers, this virus replaces the victim’s desktop wallpaper with an image containing the words of a hacker’s manifesto. The virus does not leave a readme.txt (Italian version: LEGGIMI.txt) file on the system, so the victim is left without any information on how to restore encrypted data. This version showed up right after a suspicious ransomware variant that used to set a “marked graphics” logo on the desktop. Since this particular version provided no decryption instructions or contact address, we assume that it was a test version.

The Portuguese version of the virus, which was spotted by the experts in November 2016, uses a different lock screen, but its black and red design is similar to the previous Crypt888 versions. Since most security blogs have already warned users about Crypt888 pretending to be a version of Petya ransomware 2017, the hackers have switched to other ransomware: the Locky virus. The lock screen now states that the user is infected with the “Locky ransomware” and that the user has only 36 hours to pay the demanded ransom before the files are permanently destroyed. Please note that you can still use the Crypt888 decryptor for this variant and fix your computer without paying the ransom or losing your files.

At the end of February 2017, Crypt888 emerged with a version that adds the Lock. prefix to encrypted files. This version leaves no contact details and does not provide any information regarding data recovery. It doesn't even ask for ransom; it simply corrupts files, and that is it. This version replaces the desktop wallpaper with a picture of a beach view. To recover your files, use the Crypt888 decryptor by Avast.

Zuahahhah ransomware virus. In July 2017, the virus was updated one more time. The latest version of the crypto-malware changes the affected computer’s desktop to a message saying that, due to the virus infection, passwords, email accounts, and files stored on the computer might be lost. According to the virus analysis, the virus might be capable of deleting files. However, you should not wait for it to happen and just remove Zuahahhah from the device. Once it’s done, you should be able to restore files with the Crypt888 decryptor.

Cyber criminals spread ransomware using multiple techniques 

Crypt888 scam is mostly spread via malicious ads, email spam, and also with the help of exploit kits [4]. In general, these are the most efficient and popular ransomware dissemination techniques used by almost every ransomware developer.

Distribution of this infection is still based on catchy-looking ads, guileful email letters, and technologies that exploit security vulnerabilities in the victim’s computer. If the user’s computer is unprotected, there are hardly any chances to survive a Crypt888 or similar ransomware attack, especially if the victim tends to click on eye-catching content without estimating the potential danger that lies behind it.

In such a case, the only way to save your data is to have a backup. Unfortunately, not many computer users understand the importance of backups [5], so when ransomware infects their computers, in most cases they have no choice but to say goodbye to their personal files.

Wipe out Crypt888 virus from the computer automatically

We suggest using automatic Crypt888 removal tools because it is the safest way to remove malware, infectious files, and unwanted registry keys from the computer system.

It is highly recommended not to try to remove Crypt888 virus manually because, despite its foolish source code, it is still a dangerous program. Leaving one or two files that belong to it can have disastrous consequences later on. Please delete the virus carefully – follow instructions we have prepared for our visitors and get rid of the ransom-demanding virus.

You can decrypt files locked by this virus using a special decryption tool (download link provided below).


Manual Crypt888 virus Removal Guide:

Remove Crypt888 using Safe Mode with Networking


Delete Crypt888 malware from the system with the help of this guide. Then proceed to the data recovery guide.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Crypt888

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Crypt888 removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Crypt888 using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Crypt888. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Crypt888 removal is performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove Crypt888 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Crypt888, you can use several methods to restore them:

Use Crypt888 decryptor

Good news for victims who have their computers infected with this hideous computer program: you can recover absolutely all files marked with the Lock. prefix for free. Simply uninstall the virus and then use this decryption tool.
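Before running a decryptor, it helps to know how many files carry the Lock. prefix and where they are. The Python script below is an added example, not part of the original guide or of any vendor tool; the function names and the sample tree are constructed for illustration. It only reads the file system and changes nothing.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

PREFIX = "Lock."  # prefix the guide says Crypt888 prepends to encrypted files


def inventory_locked_files(root):
    """Read-only walk of `root`; summarise files whose name starts with PREFIX.
    A name match is only an indicator: a legitimate file can also start
    with "Lock.", so review the list before acting on it.
    """
    report = {"locked": [], "by_ext": Counter(), "bytes": 0, "original_present": []}
    for dirpath, _dirs, files in os.walk(root):
        present = {f.casefold() for f in files}  # Windows names are case-insensitive
        for name in sorted(files):
            if not name.startswith(PREFIX) or name == PREFIX:
                continue
            original = name[len(PREFIX):]  # Lock.picture.jpg -> picture.jpg
            path = Path(dirpath) / name
            report["locked"].append(str(path))
            report["by_ext"][Path(original).suffix.lower() or "(none)"] += 1
            report["bytes"] += path.stat().st_size
            # A file with the original name beside the locked one (restored
            # from backup or already decrypted) must not be overwritten blindly.
            if original.casefold() in present:
                report["original_present"].append(str(path))
    return report


def build_sample_tree(root):
    """Constructed sample data: a small tree that mimics the naming pattern."""
    docs, pics = Path(root) / "Documents", Path(root) / "Pictures"
    docs.mkdir()
    pics.mkdir()
    (docs / "Lock.report.docx").write_bytes(b"x" * 10)
    (docs / "notes.txt").write_bytes(b"clean")
    (pics / "Lock.picture.jpg").write_bytes(b"y" * 20)
    (pics / "picture.jpg").write_bytes(b"restored copy")
    (pics / "Lock.holiday.JPG").write_bytes(b"z" * 5)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = inventory_locked_files(tmp)
        print(len(result["locked"]), "files,", result["bytes"], "bytes")
        print(dict(result["by_ext"]), result["original_present"])
```

Point inventory_locked_files at a user profile or data drive and keep the resulting list, so it can be compared with what is readable again after recovery.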

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Crypt888 and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Olivia Morelli - Ransomware analyst

References


  • Ramsey

    Trying to pose as Petya… fools

  • lya_chan

    I'm so glad it's not the real Petya. I have recovered all of my files. Thank you so so much!

  • JohnWick

    This little nasty ransomware has scared the hell outta me…

    • bling29

      same here. But that relief you get when you discover that your files can be decrypted 😛 doeee