Home / Definitions / Crypt888 Ransomware

Crypt888 Ransomware

Siji Roy
Last Updated May 19, 2022 2:00 am

Crypt888, also known as Mircop, is ransomware that encrypts files on desktops, downloads, pictures, and documents with RSA algorithms. The virus locks the encrypted files by prefixing them with the file extension “lock.” Once encryption is complete, the malware changes the victim’s desktop wallpaper and displays a ransom note to decrypt the files.

What Is Crypt888 Ransomware?

Crypt888 was first detected in 2016. Hackers use spam emails containing a .zip file or word document and file-sharing software to distribute the virus. The main purpose behind the Crypt888 attack is to make money, as it demands a ransom ranging between 0.8 and 48.48 Bitcoin to decrypt the files. Although the virus has introduced different variants over time, almost all variants look identical except in their user interface and communication language, and some of them are still alive.

Types of Crypt888 Ransomware

The variants of Crypt888 ransomware include the following:


Mircop is the initial version, and it’s used to change the desktop wallpaper with an anonymous mask on black background. A ransom note accompanies the change of wallpaper and states that the victim has stolen some money from the wrong people, and they need to return it. 


Aviso is a Brazilian version and is identical to Mircop in all aspects except language. Aviso demands a payment of 2,000 Brazilian reals to decrypt the files. Though the virus is dangerous, the encrypted files can retrieve by using the Crypt888 decryptor tool.

Crypt888 (Italian version)

Researchers hope that the Italian version of Crypt888 was a test version, as it is found rarely. The virus leaves no more information regarding encryption and payment.

Crypt888 (Portuguese version)

It’s a lock-screen variant that demands a payment within 36 hours to avoid permanent destruction of the victim’s files. However, victims can use the Crypt888 decryptor tool to encrypt files without paying the demanded ransom. 


The Zuahahhah version can delete email accounts and files in infected systems. Affected users should try to remove the virus from the computer as soon as possible and restore files with the Crypt888 decryptor.

[email protected]

The virus uses the [email protected] email address to contact victims and asks them to pay 0.8 BTC for decrypting files. A free decrypting tool is available for victims to decrypt the files encrypted by this version.

What Was the Impact?

Crypt888 focuses primarily on individuals and small- and medium-sized manufacturing companies in Brazil, Portugal, and Italy. These countries share similarities in language, culture, and industrial behavior that prompted attackers to focus on these victims as a collective group.

How Did the Attack Work? 

The Crypt888 virus infiltrates targeted systems through malicious emails containing a ZIP file that pretends to be sent from a reputed bank, medical institution, Microsoft, or other renowned company. When the user opens the file, the system automatically downloads an executable that uses Visual Basic Script developed by Microsoft to run the Crypt888 virus in memory.

After successful activation, the virus can begin to encrypt files and add Lock. to the file name. Then the virus changes the desktop wallpaper and displays a ransom note demanding a ransom in BTC to decrypt the files.

What Is the Cure for Crypt888 Attacks?

It’s highly recommended that victims of the attack not follow the hackers’ instructions on how to pay the ransom and decrypt their files. Use either automatic Crypt888 removal tools or follow one of the below methods to remove the virus:

What Can Users Do to Prevent a Crypt888 Attack?

Businesses and individuals must follow the best security measures to prevent ransomware attacks. Here are some important prevention steps:

Read next: Best Ransomware Protection Solutions