How to Remove Ransomware From Your Windows PC
Table of contents
- Warning signs of ransomware
- Encrypted files
- Scrambled file contents
- You’re locked out of your computer
- The web browsers have been locked
- How to get rid of ransomware
- Step 1: Record evidence of the attack
- Step 2: Immediately disconnect the infected device
- Step 3: Create a system backup
- Step 4: Disable any cleanup or system optimization software
- Step 5: Identify the type of ransomware
- Step 4: Remove ransomware
- Step 5: Recover your hidden or encrypted files
- How did my PC get infected?
- Should I pay the ransom?
- How to decrypt files encrypted by ransomware?
- Avoid falling victim to ransomware
A ransomware attack is much like kidnapping, except the criminals hold your digital files and personal information hostage instead of an actual person. They may threaten to destroy critical files or expose sensitive data to the public unless the victim pays a ransom.
While it is much more common for ransomware criminals to target companies, civilians are not immune to their attacks. In fact, Security magazine revealed that remote workers will be targeted more frequently than ever before in 2021.
If your PC is one of the low-hanging fruits hackers have picked, the following tips can help you remove ransomware from it. For starters, you should determine if your PC is actually a victim of a ransomware attack.
Warning signs of ransomware
Ransomware has become stealthier than ever. Most often, you’ll notice you’ve fallen victim to the malware once you start seeing one or more of the following signs:
You know your files have been encrypted when you get a notification from Windows saying you don’t have permission to open your own photos, videos, or documents. It’s a sure sign of ransomware. Unless you’ve backed up your files, you won’t be able to recover them without the decryption key.
Scrambled file contents
Another sign your system has been infected with ransomware is when your file contents are suddenly scrambled for no reason. Only the decryption key can restore them to their original format, and gaining access to it usually requires paying the ransom.
You’re locked out of your computer
Instead of targeting your files or folders, ransomware may prevent you from accessing your device altogether. It locks you out of your computer, leaving instructions on the screen about how to pay the ransom. You may also see a red lock on your screen when you turn it on.
The web browsers have been locked
Ransomware may go after your web browsers. Once your browsers have been infected, you’re likely to get a notice asking for a bitcoin payment to restore access.
How to get rid of ransomware
If the symptoms have been confirmed, and you see that your PC is indeed infected, you need to start learning how to remove ransomware to reclaim your device. Don’t panic, we’ll get through this together. Follow these steps to try and get your files back.
Step 1: Record evidence of the attack
As soon as you notice signs of an attack, start recording evidence. This will be helpful if you decide to file a police report. Without access to the device, you may not be able to take a screenshot, so use your phone to take a picture instead.
Step 2: Immediately disconnect the infected device
Another immediate step you need to take is to disconnect your PC from the internet. This will prevent the ransomware from spreading to other devices in the network. You should also disconnect all the other devices that were connected to the infected PC and check if they’re affected too.
Be thorough and check all your computers, tablets, smartphones, flash drives, external hard drives, shared or unshared network drives, and cloud storage accounts.
Step 3: Create a system backup
If you still have access to your system, one of the first things you should do is create a backup of all the encrypted files. Decryptors, tools that allow decrypting files affected by ransomware, are not always reliable and can damage files during recovery. This is usually the case for certain ransomware strains that have hidden payloads. They end up overwriting or deleting encrypted files after some time. In cases like this, an encrypted backup is better than no backup at all. Salvage what you can.
Step 4: Disable any cleanup or system optimization software
The ransomware that has infected your system may be stored in your Temporary Files folder. And the scheduled runs of your cleanup software could end up deleting it. You may need the ransomware files for diagnostics, so make sure you disable any software that might unintentionally remove them.
Step 5: Identify the type of ransomware
The next step to removing ransomware is figuring out what it is. It’s easier to resolve the issue if you know what you’re dealing with as the procedures for removing certain types of ransomware can differ.
One way to identify the type of ransomware affecting your system is to use Crypto Sheriff from No More Ransom, an initiative by IT Security companies and law enforcement aimed at disrupting cybercriminal businesses. The platform will ask you to send your encrypted files and any type of ransom information the attackers provided. They will then try to identify the ransomware and check if they have available solutions for it.
You can also carry out your own investigation. Use another device to do it or restart your computer and investigate in safe mode.
Forums on Reddit (r/Ransomware), Bleeping Computer, Computer Hope, and Microsoft Community provide people with platforms to seek information about the latest ransomware infections. Scour the comments and look for experiences similar to your own.
Some commenters may suggest ways to get rid of ransomware attacks manually. Be wary about accepting just any advice, as most commenters aren’t cybersecurity experts. In the meantime, focus on identifying the malware. Learning about the different types of ransomware will help you search for the most relevant information.
Scareware may come in the form of pop-up ads for a security tool that’s demanding payment for fixing bogus PC issues. The attackers may also send you very threatening but poorly worded messages asking you to pay the ransom ASAP.
Scareware is the least troublesome of the ransomware strains and can easily be removed using anti-malware software.
You know you’re falling victim to doxxing or doxxing-related ransomware when the attackers are not only holding your files ransom but also blackmailing you with threats of using them. They may send you a message or an email informing you that they have your usernames and passwords, and they will make your sensitive files public if you don’t pay the ransom.
Screen locking ransomware blocks your access to your own device. You may get alerts telling you that you broke the law and will have to pay a fine to regain access to your PC. These alerts are made to look like they come from government institutions, such as the FBI or the US Department of Homeland Security, but are just scams.
Also known as encrypting ransomware, filecoders encrypt your files and the entire hard drive. It’s the most dangerous of all ransomware strains, making up around 90% of attacks.
Cybercriminals usually demand payment for the decryption keys. They commonly set a deadline and threaten to destroy or permanently lock your files if you do not pay up.
Step 4: Remove ransomware
Ransomware can be removed using strong cybersecurity software. The ransomware removal tool must allow a cybersecurity expert to assist you at every step as you get rid of the ransomware. Brace yourself, as it’s not always possible to retrieve all your files.
You may also remove ransomware by manually restoring your system. Almost every device has a System Restore feature that only requires a few clicks to do.
Step 5: Recover your hidden or encrypted files
Now that you’ve removed underlying malware, it’s time to recover your encrypted files. You can try the following options:
Restore your system and files from a backup
Have you been backing up your operating system? If yes, it’s time to reap the rewards of your efforts. As long as the backup files did not get encrypted, you can easily restore them. Just go to your device’s advanced settings and look for the System Restore function. Remember to check the last backup date. You must understand that you won’t be able to recover any files created after that date.
Windows periodically crawls your system and records file changes. You can try to access these shadow copies and restore them. You may also use the File History feature to restore previous file versions. These methods may work for basic filecoder attacks but not in a complicated doxxing scenario where a hacker is holding your personal data hostage.
If you’re lucky, the ransomware has just hidden your files, so you can use these quick and easy fixes for Windows 10, 8.1, and 7 to show them.
Use decryption tools
As mentioned above, you can count on the No More Ransom platform for your decryption needs. They can help you identify the type of ransomware wreaking havoc on your PC. They also have a repository of applications and keys that can decrypt data.
No More Ransom doesn't have decryptors for all types of ransomware. But if they have developed a solution for the specific strain that has infected your computer, they can help you fix the problem.
The following frequently asked questions may help you with your concerns:
How did my PC get infected?
Computer infections usually happen by accident. Here are some ways ransomware penetrates your PC:
- When your PC is connected to an infected network
- When you visit unsafe websites with deceptive or questionable content
- When you download attachments from malicious emails
- When you click on malicious links in instant messages, emails, and social media posts
- When you install pirated software or files
Should I pay the ransom?
While the decision to pay is yours to make, you must keep these considerations in mind. In 2019, CyberEdge Group reported that only 19% of victims who pay ransom actually receive the decryption tool needed to restore their files. Moreover, their ransom payments help fund the development of even more sophisticated ransomware attacks.
How to decrypt files encrypted by ransomware?
You can decrypt the files using platforms like No More Ransom and MalwareHunterTeam. Both tools are free, but they can only help you if they already have the decryptors for the specific ransomware strain you are dealing with.
Another option is to pay the ransom and get the decryption tool from the attackers. But you should avoid this as long as possible and use it as a last resort because … (see the previous section).
Avoid falling victim to ransomware
There’s no easy way of fighting ransomware, so you’d better learn how to prevent ransomware from infiltrating your PC. While it’s difficult to detect every possible source of infection, you can shield your computer using a reliable cybersecurity software solution.
And if you’re worried about your Mac, iOS, or Android devices falling victim to ransomware, give Clario a try. Our all-around protection is exactly what you need when going online. Download it today and live a secure digital life with Clario.