Crypt888 Ransomware Virus (Removal Steps and Protection Updates)

First detected in June 2016 and also known as Mircop, Crypt888 ransomware now has been spotted to have new distribution campaign that targets Brazilian users. The crypto virus has gone through some changes and now uses redesigned ransom message and picture in order to find new victims. It locks victims’ files and prepends the string ‘Lock.’ to the file names. The information provided in this article gives a detailed picture of Crypt888 malicious activities and grants help for the complete removal of the threat. Afterward victims’ could decrypt all encrypted files without paying the ransom.
Manual Removal Guide
Recover Crypt888 Ransomware Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.

DOWNLOAD Crypt888 Ransomware Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

How Does Crypt888 Ransomware Infiltrate the System?

As we mentioned, it seems that the latest distribution campaign of Crypt888 crypto virus targets Brazilian users. It could be masked in malicious ZIP archive attached to an email that once extracted on the computer may start the infection of the ransomware. The email may pretend to be sent from a legit source like Microsoft, PayPal, Your Bank, Medical institution, etc. All users should beware before opening tricky emails. Prevention is possible by having enabled spam filter or disabled macros of Microsoft Office products.

The ransomware infection may also be distributed via malicious redirect links to compromised websites. The bad links may be presented on social media sites. Another possible way of distribution is through file sharing services.

Security experts advise having installed and up-to-date progressive anti-malware software for the best prevention.

Related: WinUpdatesDisabler Ransomware, RIP Ransomware

Infection Flow of Crypt888 Ransomware

Crypt888 ransomware has evolved, but the changes are focused primarily at user interfaces rather than making better its code. The distributors of this offensive threat have changed the ransom instructions several times providing them in different languages including English, Italian, Czech and now in Portuguese. Apparently, the analysis of the latest Crypt888 variant shows that the AutoIT script, the encryption algorithm, encryption key, the created files names, and various other components still be the same as in the previous versions.

In one of the earlier versions of the ransomware called Mircop attackers have provided Anonymous designed wallpaper. Then they have demanded a ransom of 48.48 Bitcoins, or close to $28,730.70.

Falling installation on victim’s computer Crypt888 may drop these three files in the %Temp% folder:

  • c.exe
  • x.exe
  • y.exe

Unlike the common ransomware mechanism, Crypt888 doesn’t append extension after the names of the encrypted files but prepends the string ‘Lock.’ instead. When this happens, it means that the files are encrypted with strong encipher algorithm and are unable to be opened by any program. Furthermore, the crypto virus may also be designed to lock some common folders like Downloads, Desktop, Documents, etc.

Besides file encryption Crypt888 may steal credentials from victim’s web browsers, messaging services and other accounts.

Crypt888 drops a file that is the picture of its ransom note and replaces it with the current desktop wallpaper. The new ransom note of Crypt888 starts with the word “AVISO” which is in Portuguese and means “Warning” in English. The depicted text on the ransom note reads:

“ AVISO
Ola Sr(a),
TODOS os seus arquivos foram BLOQUEADOS e esse bloqueio somente serão DESBLOQUEADOS
caso pague um valor em R$ 2000,00 (dols Mil reais) em Bitcoins
Apos o pagamento desse valor, basta me envair um print para o email…
[email protected]
que estarei lhe enviando o programa com a senha para descriptografar/desbloquear o seus arquivos,
Caso o pagamento nao seja efetuado, todos os seus dados serao bloqueados
permanentemente e o seu computador sera totalmente formatado
(Perdendo assim, todas as informacoes contidas nele, incluindo senhas de email, bancarias…)
O pagamento devera ser efetuado nesse endereco de Bitcoin:
1LaHiL3vTGdbXnzyQ9omsYt8nFkUafXzK4
Para converter seu saldo em bitcoins acesse o site:
https://www.mercadobitcoin.com.br/conta/register/”

The malicious intenders behind Crypt888 virus harass victims to pay $ 2,000.00 in Bitcoins in order to send back a decryption key for the ‘Lock.’ files. Otherwise, they intimidate that they will block all data permanently and the computer will be completely formatted.

We notice that there is no provided name of the threat in the ransom note which is yet another attempt to trick users hit by Crypt888 that they have been infected with decryptable ransomware. In fact, the security specialists from AVG have developed a free decryption tool that allows all victims to decode the ‘Lock.’ files. So don’t be panic just keep reading the information we provided and save yourselves completely from Crypt888 ransomware that has encoded all your files making them looking like this one:

chaned-name-of-file-encrypted-by-crypt888-ransomware-prefix-lock

A newer iteration of the Crypt888 ransomware has been found to spread in June 2017. It adds a new wallpaper with red background and black letters that reads the following message:

YOU ARE HACKED

ALL YOUR PERSONAL FILES HAVE BEEN ENCRYPTED!

IF YOU WANT RESTORE YOUR DATA YOU HAVE TO PAY!

CONTACT US: [email protected]

REMEMBER! YOU CAN’T RESTORE YOUR FILES
WITHOUT OUR DECRYPTOR!!!!!!!!!!!!!!!!!!!!

Crypt888 ransomware image

In comparison with other versions of the Crypt888 virus it adds a prefix to the affected files titled “Lock”. No ransomware note is crafted which makes the virus even more dangerous. The victims have no way of knowing who is responsible for the damage.

This is the reason why proactive defence is very important. Using a quality anti-spyware solution can prevent and remove all malware infections.

Remove Crypt888 Ransomware and Restore Data

WARNING! Manual removal of Crypt888 Ransomware requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.

DOWNLOAD Anti-Malware Tool

 
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Crypt888 Ransomware – Manual Removal Steps

Start the PC in Safe Mode with Network

This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.

1. Hit the WIN Key + R

2. A Run window will appear. In it, write msconfig and then press Enter

3. A Configuration box shall appear. In it Choose the tab named Boot

4. Mark Safe Boot option and then go to Network under it to tick it too

5. Apply -> OK

Show Hidden Files

Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.

1. Open My Computer/This PC

2. Windows 7

    – Click on Organize button
    – Select Folder and search options
    – Select the View tab
    – Go under Hidden files and folders and mark Show hidden files and folders option

3. Windows 8/ 10

    – Open View tab
    – Mark Hidden items option

how to make hidden files visible in Windows 8 10 bestsecuritysearch instructions

4. Click Apply and then OK button

Enter Windows Task Manager and Stop Malicious Processes

1. Hit the following key combination: CTRL+SHIFT+ESC

2. Get over to Processes

3. When you find suspicious process right click on it and select Open File Location

4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process

5. Next, you should go folder where the malicious file is located and delete it

Repair Windows Registry

1. Again type simultaneously the WIN Key + R key combination

2. In the box, write regedit and hit Enter

3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable

4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Click for more information about Windows Registry and further repair help

Recover Crypt888 Ransomware Files

WARNING! All files and objects associated with Crypt888 Ransomware should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.

DOWNLOAD Crypt888 Ransomware Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

1. Use present backups

2. Use professional data recovery software

Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.

3. Using System Restore Point

    – Hit WIN Key
    – Select “Open System Restore” and follow the steps

restore-files-using-windows-system-restore-point

4. Restore your personal files using File History

    – Hit WIN Key
    – Type restore your files in the search box
    – Select Restore your files with File History
    – Choose a folder or type the name of the file in the search bar
    – Hit the “Restore” button

Preventive Security Measures

  • Enable and properly configure your Firewall.
  • Install and maintain reliable anti-malware software.
  • Secure your web browser.
  • Check regularly for available software updates and apply them.
  • Disable macros in Office documents.
  • Use strong passwords.
  • Don’t open attachments or click on links unless you’re certain they’re safe.
  • Backup regularly your data.
  • Gergana Ivanova

    Author : Gergana Ivanova

    Gergana Ivanova is computer security enthusiast who enjoys presenting the latest issues related to cyber security.


    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *