CryptoDevil Ransomware - How To Remove?


CryptoDevil was not always a file-encrypting infection. Before it appeared as ransomware, it functioned only as a screen-locker that blocked users’ access to their devices, and it was already considered an especially nasty variant. It demanded 20 US dollars, paid in bitcoin to the attackers’ wallet, and the lock screen warned that all files could be deleted if the victim did not obediently send this seemingly small fee. If your computer has been locked by the CryptoDevil screen-locker, however, there is no reason to panic. Unfortunately, the same cannot be said about the other version, which encrypts files and appends a .devil extension to their names.

Main aspects about CryptoDevil ransomware

CryptoDevil was first reported as a screen-locker that prevents the computer from fully loading. Victims are left staring at a red background with brief instructions telling them to write to mutr0blackchat@gmail.com to find out which bitcoin wallet the fee of 0.01852 BTC has to be sent to. There is no reason to consider paying even this relatively small fee to regain access to your system: security researchers have already cracked the CryptoDevil screen-locker. Enter “kjkszpj” in the blank field and the lock screen should disappear.

Nevertheless, this is not the only variant attributed to mutr0. A more conventional ransomware has also been seen bothering Internet users. Its decryption fee ranges from 20 to 100 US dollars, depending on whether you pay immediately or take your time: after 10 hours the demanded amount starts to increase, and after 82 hours either the encrypted files or the decryption key is deleted for good. The decrypter panel that loads is not very informative. It states that all of the victim’s files have been ruined and that the only way to restore them is to buy a decryption tool.

Clicking the “About” section introduces users to a few essential details about CryptoDevil ransomware. One of them is that its creator is identified as mutr0, as mentioned above. The contact email, however, differs from the one in the screen-locker variant: contactcryptodevil@gmail.com. This section also contains a peculiar quote, “Every human being has its fatal weakness and this fatal weak point is called social engineering”, followed by the hashtag #EncryptTheWorld. As already explained, the infection does not replace filenames; it simply appends the .devil extension after the original one.

Recovering files that CryptoDevil ransomware has managed to viciously damage

For now, security researchers have yet to produce a free, working decryption tool for victims of CryptoDevil ransomware. Even though 20 USD might seem a small price for file recovery, we do not think paying is a good idea. Hackers do not have the best record when it comes to providing decryption keys; in most cases the crooks simply swindle money out of victims and leave them in despair. Remember that keeping backups of your files in separate storage is highly recommended. Please consider it. If your files have already been ruined by CryptoDevil, reboot your device into Safe Mode, copy the encrypted data, remove the ransomware, and then try to restore the ruined files.
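The “copy the encrypted data” step above is worth doing carefully: keeping the encrypted originals is what makes a future free decrypter usable, and the earliest .devil timestamp tells you which restore point or shadow copy predates the infection. The script below is an added example written for this article, not code from the original page or from any tool it names. It assumes, as the text describes, that the malware only appends “.devil” to each original filename; the C:\Users root and the E:\ destination are placeholders of mine. Run it from the Safe Mode command prompt (start powershell.exe there) on Windows PowerShell 4 or later.

```powershell
# Added example (not from the original article): before removing the malware,
# inventory every file CryptoDevil renamed and copy it, directory structure
# intact, to a clean drive, writing a manifest with hashes and timestamps.
# Assumptions (mine): the malware only appends ".devil" to the original name,
# user data lives under C:\Users, and E:\ is a clean external drive.
$Root        = 'C:\Users'
$Destination = 'E:\cryptodevil-evidence'
$Extension   = '.devil'

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# -Force includes hidden files; access errors on protected folders are skipped
# rather than aborting the walk.
$encrypted = Get-ChildItem -Path $Root -Recurse -Force -File -Filter "*$Extension" -ErrorAction SilentlyContinue

$rows = foreach ($f in $encrypted) {
    $relative = $f.FullName.Substring($Root.Length).TrimStart('\')   # path below $Root
    $target   = Join-Path $Destination $relative
    New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $target -Force

    [pscustomobject]@{
        EncryptedPath = $f.FullName
        OriginalName  = $f.Name.Substring(0, $f.Name.Length - $Extension.Length)  # name before ".devil" was appended
        SizeBytes     = $f.Length
        LastWriteUtc  = $f.LastWriteTimeUtc.ToString('o')   # approximates the moment it was encrypted
        Sha256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}

$rows = @($rows)
if ($rows.Count -eq 0) {
    Write-Warning "No *$Extension files found under $Root."
    return
}
$rows | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation

# ISO 8601 ('o') strings in UTC sort chronologically as plain text.
$first = ($rows | Sort-Object LastWriteUtc | Select-Object -First 1).LastWriteUtc
"{0} encrypted files copied to {1}." -f $rows.Count, $Destination
"Earliest encryption timestamp (UTC): $first. Pick a restore point or shadow copy older than this."
```

The manifest’s OriginalName column is what you would rename files back to once a decrypter exists; the SHA-256 column lets you prove later that the copies are byte-identical to what the ransomware left behind.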

Transmission of CryptoDevil ransomware

CryptoDevil ransomware can be distributed in emails that allegedly address extremely important issues but are actually fake. Before opening an email, always check its sender and decide whether it is trustworthy. Even if you do open such a message, do not rush to download its attachments or follow the links it suggests. Exploit kits are also known to help ransomware spread. As for removal, you should trust an anti-malware tool to remove the infection from your device. If you prefer to do it manually, you can follow the instructions below, but be warned that ransomware can be difficult to eliminate. The way to escape the CryptoDevil screen-locker has already been described above.

How to recover CryptoDevil ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When the Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the restore points that were created before CryptoDevil infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
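The same Step 1 can be driven from Windows PowerShell, which makes it easier to see which restore points actually predate the infection. The script below is an added example written for this article, not code from the original page. It needs Windows PowerShell 5.1 (Get-ComputerRestorePoint and Restore-Computer are not present in PowerShell 7), an elevated prompt, and System Restore enabled; the C:\Users scan and the “.devil” filter are my assumptions based on the article’s description.

```powershell
# Added example (not from the original article): list the restore points that
# Step 1 lets you choose from, pick the newest one created before the first
# .devil file appeared, and start System Restore from it. Windows PowerShell
# 5.1 only; run as Administrator.

# When was the first file encrypted? Earliest last-write time among *.devil files.
# (Scanning C:\Users for ".devil" is an assumption of this example.)
$firstHit = Get-ChildItem -Path 'C:\Users' -Recurse -Force -File -Filter '*.devil' -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime | Select-Object -First 1
$cutoff = if ($firstHit) { $firstHit.LastWriteTime } else { Get-Date }

# Restore points come back as WMI objects whose CreationTime is a DMTF string.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        SequenceNumber = $_.SequenceNumber
        Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description    = $_.Description
    }
} | Sort-Object Created -Descending

if (-not $points) {
    Write-Warning 'No restore points exist; skip to the Shadow Volume Copy and data-recovery steps.'
    return
}
$points | Format-Table -AutoSize

$candidate = $points | Where-Object { $_.Created -lt $cutoff } | Select-Object -First 1
if (-not $candidate) {
    Write-Warning "Every restore point is newer than the first encrypted file ($cutoff); a restore would not predate the infection."
    return
}

"Restoring to point {0} ({1}, {2}); the machine will reboot." -f $candidate.SequenceNumber, $candidate.Created, $candidate.Description
# -Confirm asks before anything irreversible happens. System Restore reverts
# system files, the registry and installed programs; it does not bring back the
# encrypted documents, which is what Steps 3 and 4 are for.
Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm
```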

Step 2. Complete removal of CryptoDevil screen-locker

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Reimage, and remove all malicious files related to CryptoDevil ransomware. You can check other tools here.


Step 3. Restore CryptoDevil virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is still a chance to use shadow copy snapshots. These store copies of your files as they were at the point in time when the system restore snapshot was created. CryptoDevil usually tries to delete all the Shadow Volume Copies it can find, so this method may not work on every computer; sometimes, however, it fails to do so and the copies survive.

Shadow Volume Copies are available on Windows XP Service Pack 2, Windows Vista, Windows 7, Windows 8 and Windows 10. There are two ways to retrieve your files from a Shadow Volume Copy: the native Windows Previous Versions tab, or Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will see all available copies of that particular file and the time each was stored in a Shadow Volume Copy. Choose the version you want to retrieve and click Copy to save it to a directory of your choice, or Restore to replace the existing, encrypted file. If you want to see the content of the file first, click Open.


b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”, then choose where you want it to be stored.
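Both methods above rely on the snapshots that CryptoDevil may or may not have managed to delete. The script below, an added example written for this article and not code from the original page or from Shadow Explorer, does the same job with built-in Windows tools: it enumerates the snapshots of a volume (an empty list is the sign that the deletion succeeded), exposes the newest surviving one as a folder through a directory symbolic link, and copies the pre-encryption files out with robocopy. Run it as Administrator; the drive letter, mount path, folder to recover, destination and the .devil extension filter are placeholders I chose.

```powershell
# Added example (not from the original article): do Step 3 without Shadow
# Explorer by exposing a Volume Shadow Copy snapshot as a folder and copying
# the pre-encryption files out of it. Run as Administrator.
$DriveLetter = 'C:'
$Mount       = 'C:\ShadowMount'             # symbolic link that will point into the snapshot
$Wanted      = 'Users\Public\Documents'     # folder to recover, relative to the volume root (placeholder)
$Out         = 'E:\recovered'               # clean external drive (placeholder)
$Before      = Get-Date                     # set this to the first .devil timestamp if you know it

# 1. Enumerate snapshots of the volume. An empty list usually means the
#    ransomware's shadow-copy deletion succeeded, and this method is out.
$vol     = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Before } |
           Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning "No shadow copies of $DriveLetter taken before $Before; try the data-recovery step instead."
    return
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
$snap = @($shadows)[0]                      # newest snapshot older than $Before

# 2. Expose the snapshot through a directory symbolic link. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; the trailing backslash is required.
if (Test-Path -LiteralPath $Mount) { cmd /c rmdir "$Mount" | Out-Null }
cmd /c mklink /d "$Mount" "$($snap.DeviceObject)\" | Out-Null

# 3. Copy the old versions out. /E keeps subfolders; /XF skips any file that
#    already carried the ransomware extension when the snapshot was taken.
New-Item -ItemType Directory -Path $Out -Force | Out-Null
robocopy (Join-Path $Mount $Wanted) $Out /E /XF *.devil /R:1 /W:1

# 4. Remove the link only; rmdir on a directory symbolic link never touches the snapshot.
cmd /c rmdir "$Mount" | Out-Null
```

Copy files out of the snapshot rather than restoring them over the encrypted ones in place, so the encrypted originals you preserved earlier stay untouched until you have confirmed the recovered copies open correctly.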

Step 4. Use Data Recovery programs to recover CryptoDevil ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:

  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware, so we recommend using decent cloud backup software as a precaution, for example Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started 2-viruses.com in 2007, after wanting to be more or less independent from any single security program maker. Since then we have kept working on this site to make the internet a better and safer place to use.
March 21, 2017 00:28
