888 ransomware (Removal Instructions) - Decryption Steps Included

888 virus Removal Guide

What is 888 ransomware?

888 ransomware is one of many Dharma ransomware variants discovered in the same few weeks

888 ransomware virus888 ransomware is the cryptovirus that appends your important files with an extension with donald888@mail.fr email address which is the contact email for the developers. 888 ransomware is a cryptovirus that appends files after encryption using a .888 file marker. Jakub Kroustek is one of many researchers that constantly deliver new information about malware. Starting at the end of January Dharma ransomware released new variants one after the other and Kroustek reported about them all. More recent ones including 888 ransomware virus were ETH ransomware, Qwex ransomware, and Frend virus. All of them base their encryption on the AES algorithm and delivers ransom note in a matching pop-up window and also releases FILES ENCRYPTED.txt file with contact information. The particular name 888 comes from the full pattern of file extension – .[donald888@mail.fr].888. This appendix appears on every encoded file after the encryption and marks useless files. The ransom may differ from $500 to $1500 in Bitcoins, and we do not recommend paying this huge amount for questionable decryption tool.

Name 888 ransomware
Type Cryptovirus
Family Dharma ransomware
File extension .[donald888@mail.fr].888
Ransom amount $500-$1500 in Bitcoin
Contact email donald888@mail.fr
Encryption method AES or DES
Distribution method Infected email attachments
Elimination To remove 888 ransomware, use FortectIntego and scan the system

Since 888 ransomware virus is only one of handful versions discovered in a few weeks between the end of January and the start of February and it is not the first variant of Dharma we can easily state a few facts that unify all of these versions:

  • AES or DES encryption algorithms;
  • FILES ENCRYPTED.txt – ransom message including contact information;
  • program window with payment instructions;
  • minor changes from version to version.

888 ransomware and other versions got released almost at the same time, and it means that versions are not very different from each other and were only slightly altered. However, this is the family of crypto malware that was discovered back in 2016 and virus developers know what they are doing.[1]

Based on the ransomware family and the general facts about a cryptovirus category, you should focus on 888 ransomware removal and DO NOT think about paying or contacting cybercriminals. This solution cannot get you positive results because various statistics show that less than half of paying victims get their files back.[2]

888 ransomware as previous Dharma members delivers a window with step-by-step payment instructions and warnings like:

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

This is a common feature as well as the FILES ENCRYPTED.txt file that gets added to every folder on the computer and reveals a brief message containing the following text:

all your data has been locked us
You want to return?
write email donald888@mail.fr

Remember to remove 888 ransomware first, before any decryption attempts or plugging the external device with backups. Experts[3] advise using anti-malware programs for the process so that virus damage can be eliminated during the same system scan. We can suggest using FortectIntego but feel free to select another tool.

.888 file virus888 ransomware virus is one of many Dharma ransomware versions that displays the same payment instruction window since 2016.

Payload dropper initiates the launch of malicious script

Files containing this malicious script that triggers malware distribution gets spread on the internet, and this way targets people all over the world. Unfortunately, if the email appears on your system and you download the document attached, you risk getting ransomware or any other malware infection.

Once the infected file lands on your device and gets executed, the computer becomes infected with direct ransomware or trojans that spread around different threats. The malicious script needs to be executed, and you can trigger this by allowing the embedded content on a PDF or Word document, clicking the link provided in the email or its attachments.

Eliminate 888 ransomware and do it as soon as possible

As we mentioned, 888 ransomware virus is not a simple intruder that can easily be deleted manually or even found on the system. You need to scan the device entirely to find the payload files, associated programs or different data that affect the persistence of this virus.

You can easily remove 888 ransomware and its contents while scanning the machine with proper malware termination tools like FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes. Anti-malware programs improve the performance of your PC after this full scan because all useless files and applications can be deleted at the same time.

It is understandable that data recovery is your main concern but you need to focus on 888 ransomware removal, and only then any file restoring can be attempted. The best solution could be file backups on an external device or data recovery software.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of 888 virus. Follow these steps

Manual removal using Safe Mode

Restart the computer in Safe Mode with Networking, so 888 ransomware virus can be removed on your first try

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove 888 using System Restore

Try System Restore and recover the computer to the previous point by following:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of 888. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that 888 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove 888 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by 888, you can use several methods to restore them:

Use Data Recovery Pro as a file restoring method

Encrypted or accidentally deleted files can be restored using this program

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by 888 ransomware;
  • Restore them.

Windows Previous versions feature is a helpful function on a Windows operating system

However, you should enable System Restore before using this

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer helps for 888 ransomware encrypted files

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

There is no official decryption tool

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from 888 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions