Remove CryptoDevil Ransomware And Decrypt .devil Files

Another version of CryptoDevil was released shortly after the CryptoDevil screenlocker appeared. This time it actually has file encryption capabilities, although they are still limited (the earlier version only locked the screen and falsely threatened to delete files).

This virus encrypts only the files in the directory from which it was launched, renames them with the .devil extension and leaves them unreadable. This limited behaviour suggests it was most likely designed to scare users into paying the ransom rather than to cause real damage. It could also be under development and might become more dangerous in a future version.

The virus displays a window named “Ransomware CryptoDevil” and still uses the same contact email [email protected]. It asks for a $20 payment in Bitcoin, which increases the longer the victim waits. Payment instructions are unclear at the moment; the ransomware states only that “more instructions forthcoming”.

You should remove this ransomware from your computer as soon as you discover it in order to prevent further damage. It is also very important to secure your system with proper antivirus software afterwards to prevent more dangerous threats. We have an automatic removal and protection tool that will eliminate the malware and protect your system, as well as a manual removal guide. If you choose the manual option, you will still need to secure your computer afterwards.



What is CryptoDevil ransomware?

This ransomware evolved from a simple screenlocker and appears to still be under development. Its functionality is still limited, although it now actually encrypts files where previously it only falsely threatened to do so. Currently only files in the same directory as the CryptoDevil executable are at risk.

The malware was created by a person using the nickname mutr0. The code appears to be completely custom, as it shares no similarities with other ransomware families. At the moment the malware is not very sophisticated, but it may improve if it receives another update.

Encrypted files receive the .devil extension and become unreadable. The ransomware then displays a window called “Ransomware Decrypter Panel” containing the following text:

CryptoDevil
Your Files Has Been Encrypted
All your files have been encrypted.
Buy a key to decrypt your files
more instructions forthcoming. - cryptodevil

The key prices are listed as follows:

Key Price Or After Hours
1. After 10 Hours Key Price = $20
2. After 24 Hours Key Price = $30
3. After 48 Hours Key Price = $50
4. After 72 Hours Key Price = $100
After 82 hours if you do not buy the key your files will be encrypted for the rest of your life.

The virus also includes a quote:

Every human being has its fatal weakness and this fatal weak point is called social engineering. 
#EncryptTheWorld

This quote suggests that one of the main distribution methods is social engineering: deceptive links, shared files and email attachments. The virus could also use the tactic of the previous version: bundling itself with other programs and downloads from torrent sites.

While the threats may seem scary at first sight, the program is still not very harmful and can be removed quite easily. We strongly discourage you from contacting or paying the creators. Instead, use trusted antivirus software (e.g. the automatic tool provided above) to eliminate the threat. We have also prepared a manual removal guide as well as file recovery instructions. Remember to eliminate the virus first before trying to recover files; otherwise you might cause even more damage.



Manual Removal Instructions:

Step 1:

Enter the following code, which is hardcoded by the virus creator:

kjkszpj

This code should help you recover the files as well as close the warning screen. If it does not work, try pressing ALT + F4 to close the lock screen.

After this you should simply use the automatic tool provided above and scan the system to remove any remaining malware components.

Otherwise, continue with the manual guide below: you will still have to remove the Trojan's files to completely eliminate the virus.

Step 2:

Clean up Windows temporary files.

Removing temporary files is safe for your computer; files that are currently in use cannot be deleted and can simply be skipped.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

Select all files and folders in the temporary files directory (CTRL + A) and delete them permanently (SHIFT + DELETE).

Step 3:

Open Windows search by clicking the Start button and entering the following file name in the search field:

CryptoDevil.exe

Delete this file permanently by pressing SHIFT + DELETE simultaneously.

Repeat the search to make sure there are no more instances of this file left.

Then search for the following file as well and delete it in the same way:

ransomware.cryptodevil.exe

Step 4:

Remove suspicious programs from your startup configuration so they do not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries. Look specifically for “CryptoDevil.exe” and similarly named files. (On Windows 8 and Windows 10 the Startup tab in msconfig only points you to Task Manager; the same list is under the Startup tab there.)

The “Command” column shows each file's location. Navigate to that location and, if the file looks suspicious, scan it with virustotal.com. Delete it if a threat is found.

Click OK when you have finished unchecking all potentially dangerous entries.

Step 5:

Delete the registry values created by this ransomware.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

Search for virus entries by pressing CTRL + F and entering the following:

cryptodevil

Click Find Next.

Delete any registry entries associated with the virus. Be careful: delete only values whose data clearly refers to the ransomware's files, as removing unrelated keys can break Windows.

Repeat the search until all entries are cleaned.

Step 6:

Check the other important system directories for recent changes.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here indiscriminately! First sort by “Date Modified” and look for files that were changed recently. Only if a file was changed around the time of the infection should you scan it with virustotal.com. Remove only files flagged as malicious; otherwise you might remove critical system files and Windows might stop working.

Repeat this step, being very careful, with the following three directories:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!
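The following PowerShell script is an added example that is not part of the original guide: it performs the checks from Steps 2 to 6 in one pass from an elevated PowerShell prompt and only reports what it finds, so nothing is deleted until you have reviewed it. The two file names and the “cryptodevil” search string are the ones this guide lists; the directories searched, the six-hour “recently modified” window and the extensions treated as interesting are assumptions you should adjust to your own machine.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell prompt.
# Reports indicators of CryptoDevil; it deletes nothing, you decide what to remove.

# File names named in the guide; search roots are an assumption.
$indicators  = @('CryptoDevil.exe', 'ransomware.cryptodevil.exe')
$searchRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:USERPROFILE)

# Step 3: locate dropped executables and hash them, so you can look the hash up
# on virustotal.com without uploading the file.
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue -Include $indicators |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            "[file] {0}  sha256={1}" -f $_.FullName, $hash
        }
}

# Step 4: persistence in the Run/RunOnce keys (this is what msconfig's Startup tab reads).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        if ("$($p.Name) $($p.Value)" -match 'cryptodevil') {
            "[autorun] {0} : {1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

# Startup folders are persistence too; list everything in them for review.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "[startup] {0}" -f $_.FullName }

# Step 6: executable content written recently under the profile and ProgramData.
# The window and the extension list are assumptions; widen them if the infection is older.
$since = (Get-Date).AddHours(-6)
$interesting = @('.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1')
foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.LastWriteTime -gt $since) -and ($_.Extension -in $interesting) } |
        ForEach-Object { "[recent] {0}  {1}" -f $_.LastWriteTime, $_.FullName }
}

# Scope of the damage: the guide says only the launch directory is encrypted, so the
# folders that contain .devil files tell you where the sample was run from.
Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue -Filter '*.devil' |
    Group-Object DirectoryName |
    ForEach-Object { "[encrypted] {0} file(s) in {1}" -f $_.Count, $_.Name }
```

Treat a hit in the [file] or [autorun] lines as confirmation of the infection; the [recent] lines are leads to check on virustotal.com, not verdicts, because legitimate installers and updaters also write executables to these directories.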

Decrypting The Files:

Start recovering your files only after you have finished all removal steps! Otherwise you might cause more damage and make recovery harder later.

We recommend backing up the encrypted files to separate external media in case you are not able to recover them using our methods.

Check for a CryptoDevil ransomware decrypter here: List of currently available decrypters. Currently there is no information that researchers have developed a decrypter, but one might appear in the future, so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling the recovery environment, since the virus might have turned it off.

Hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

cmd

Click OK.

A command prompt will open. (bcdedit requires administrator rights; if the command below fails with “Access is denied”, open the command prompt using “Run as administrator”.)

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Revert the system settings using System Restore, since the virus may have changed them.

Hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system, making sure you select a point that was created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click a folder name and select Export. The folder will be restored to the location you choose.

Read more here about how to restore files from shadow copies.
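If you would rather not install Shadow Explorer, the same result can be achieved with tools already on Windows. The script below is an added example that is not part of the original guide: it reads back the recovery setting from Step 1, lists the existing shadow copies, mounts the newest one created before the attack as a normal folder and copies the pre-encryption files out of it. The attack time, the victim folder, the mount point and the restore destination are assumptions; adjust them to your case. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell prompt.

# Step 1 check: confirm the recovery environment is enabled (the guide sets it with bcdedit).
bcdedit /enum '{default}' | Select-String -Pattern 'recoveryenabled'

# List shadow copies, newest first. If there are none, recovery from this source is impossible.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies exist; restore from a backup or wait for a decrypter.'
    return
}
$shadows | Format-Table -AutoSize ID, InstallDate, VolumeName, DeviceObject

# Pick the newest copy made before the .devil files appeared (assumed time; change it).
$attackTime = Get-Date '2017-05-01 12:00'
$pick = $shadows | Where-Object { $_.InstallDate -lt $attackTime } | Select-Object -First 1
if (-not $pick) {
    Write-Warning 'No shadow copy predates the attack.'
    return
}

# Expose the snapshot as a directory. DeviceObject looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and the trailing backslash is required.
$mount = 'C:\shadow'                     # assumed mount point
cmd /c "mklink /d $mount $($pick.DeviceObject)\"

# Copy the pre-encryption versions out. The snapshot is read-only, so it cannot be damaged.
$victimDir = 'Users\alice\Documents\Reports'   # assumed folder, relative to the volume root
$restoreTo = 'C:\Restored'                     # assumed destination
robocopy "$mount\$victimDir" $restoreTo /E

# Remove the link only (rmdir on a directory symlink never touches the snapshot data).
cmd /c "rmdir $mount"
```

Compare a few restored files against their .devil counterparts by name before deleting anything: if a file is missing from the snapshot it was created after the snapshot was taken and has to come from another source.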

Step 4:

Read more about how to restore files (including from backups) in our file recovery guide. It includes instructions for restoring files from a backup or from shadow copies, as well as for using a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup of all encrypted files, store it externally and wait for a CryptoDevil decrypter to be created. New free decrypters for various ransomware families appear every week, but we cannot estimate how long it will take or whether one will be created at all.

After removing the virus

When you have finished removing the CryptoDevil ransomware, protect your computer by installing a good antivirus suite. This will help prevent further infections. Since this ransomware most likely arrives through social engineering (deceptive links, shared files, email attachments and bundled downloads), also keep Windows and your applications up to date and be wary of unexpected attachments and downloads.

