Remove Crypto888 Ransomware

I wrote this article to help you remove Crypto888 Ransomware. This Crypto888 Ransomware removal guide works for all Windows versions.

Crypto888 ransomware is a win-locker virus which appears to be a new variant of Petya ransomware. The developers of the clandestine program have given a small clue about their identity. According to the ransom note, Crypto888 ransomware has been developed by a unit of Czech and Russian hackers. The malevolent program targets 196 file types, including the following: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .asp, .aspx, .html, .txt, .pdf, .sql, .cer, .sln, .ini, .dat, .rar, .zip, .rtf, .bdf, .bkp, .csv, .iff, .exif, .ai, .avi, .wmv, .mp4, .mov, .mpg, .mpeg, .asf, .flv, .mkv, .dng, .wps, .eml, .arw, .js, .bat, .lnk, .pak, .m4a, .m3u, .mp3, .wav, .wma, .flac, .mid, .ogg, .sct, .eps, .mkv, .xml, .mdb, .db, .tif, .tiff, .bmp, .png, .psd, .jpg, .jpeg, .gif, .pfx, .qic, .wsc, .crw, .php, .reg, .ps1, .vb, .raw, .odt, .bin.

Research has revealed that Crypto888 ransomware applies a combination of AES and RSA encryption algorithms. The AES cipher renders files inaccessible, while the RSA technology generates a unique private key for decrypting them. The hackers store the key on a remote command and control (C&C) server. To provide it, they demand a payment of 0.8 bitcoins. According to the current exchange rate, this amounts to $598.49 USD. The bitcoin address is listed in the ransom note. The hackers claim that the only way to recover your data is with the key which only they can provide. You will recognize the corrupted files by the extension the win-locker has appended to their names. Crypto888 ransomware adds the .lock suffix to mark the encrypted items. Another sign is that their original icon will be gone and they will be listed as an unfamiliar file format.

Remove Crypto888 Ransomware
The Crypto888 Ransomware

Crypto888 ransomware gives people 5 days to complete the payment. Upon doing so, the person must send a confirmation email to notify the cyber thieves that the sum has been paid off. The account they use to correspond about the payment is It is also used to answer people’s inquiries. We do not advise users to pay the ransom. Making a deal with hackers is a risky move. There is no guarantee that they would provide the decryption key upon receiving the sum. They can collect the ransom and leave your files as they are. Even if your data does get restored, there is still a chance of a future attack. Viruses like Crypto888 ransomware can leave behind entries, meant to install them again at a future point. The only sure way to delete the win-locker is with an anti-virus program.

Crypto888 ransomware utilizes a couple of propagation vectors. The most common way to have your system infected with the win-locker is through a spam email. The malignant program hides behind an attachment. The file will be described as an important document, like a recommended letter, a receipt for a delivery package, a bank statement, an invoice, a notification from a social network, a subpoena from the court or another piece of documentation. The sender behind the fake message will introduce himself as a representative of a reliable company or institution to make the letter look convincing. He can copy the contacts and logo of the organization in question. Spammers write on behalf of different entities, including the national post, courier firms, shopping platforms, social networks, banks, district courts and local police departments. To proof the reliability of a given email, check the contacts. They should match the coordinates of the entity the sender states to be representing.

The other way for Crypto888 ransomware to penetrate your system is through the bundling technique. This method requires the win-locker to find a host which we will refer to as a download client. Many programs can serve this purpose. In most cases, Crypto888 ransomware gets spread through freeware and shareware. Pirated programs are also an option. The insidious program gets included in the terms and conditions of the download client as a bonus tool. The option to have the additional tool installed will be selected per default. You have to locate where it is listed and remove the check mark from the box. Make sure to read the end user license agreement (EULA) of the software you intend to install to your PC. It is advised to choose the custom or advanced installation mode to have all options shown.

Crypto888 Ransomware Uninstall

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Crypto888 Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Crypto888 Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.