How do I remove ransomware?

Ransomware is often not easy to remove because it blocks you from your system. Restoring from a backup is the easiest recovery option, but I'll look at a few more as well.

About a week ago, something shut my computer down and now demands $100 to unlock it. How do I unlock or delete this and use my computer? I use Windows Vista.

What you are experiencing is called ransomware.

Ransomware holds your computer, your data, or some part of your machine hostage until you pay its operators money or do whatever else they demand.

Following the instructions and paying the ransom may or may not unlock your computer. The people behind the ransomware may simply take the money and do nothing, leaving you with an unusable computer and a lighter wallet.

There are a couple of different things that I strongly recommend you do.

Restore from your backup

Backing up really is the best thing you could have done to protect your machine. With a full image backup taken before the infection, you could simply restore your machine to that image and be back in business. The backup has to be somewhere the ransomware couldn't reach, such as an external drive that was disconnected once the backup finished; a drive that stays connected is just another disk for the malware to damage.

You'd also know not to do whatever it was that allowed the malware onto your machine in the first place.

No backup? Start with malware removal

Without a backup, you need to fall back on more general malware removal techniques. I have an article called "How do I remove malware?" that walks you through first making sure your anti-malware software is up to date and then running a full scan with it.

This is a stick up!

When ransomware is involved, you may need an offline anti-malware tool such as Windows Defender Offline, because the malware may prevent you from running your usual anti-malware software at all. Booting from a disc or USB stick built for stand-alone scanning means Windows, and the malware along with it, is never started, so the infection can neither block the scanner nor hide from it.

Have a look at Windows Defender Offline – scan your computer for malware without booting Windows – it’s designed exactly for this kind of scenario.

What happens if these solutions don’t work?

The worst-case scenario is actually pretty bad. If you've tried all of these techniques and the ransomware still cannot be removed, you'll need to do either a repair install or a complete reinstall of Windows itself. A repair install keeps your programs and settings, which means it can keep the infection too; a clean reinstall onto a reformatted drive is the only option that's certain.

But hopefully, this isn't the case. Take a look at the "How do I remove malware?" article, which should take you through steps that let you avoid that outcome.

And please, consider setting up a backup so you never have to run that risk again.
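As an added example (not part of the original article), here is how that backup can be scripted on Windows with the built-in command-line backup tool, wbadmin.exe. It assumes an edition of Windows that ships wbadmin (Vista Business/Ultimate and later business editions), an external drive mounted as E:, and an elevated PowerShell prompt; the drive letters are assumptions you would change.

```powershell
# Added example, not from the original article. Assumes wbadmin.exe is present
# (Vista Business/Ultimate and later) and that E: is an external drive that will
# be unplugged as soon as the backup finishes. Run from an elevated prompt.

param(
    [string]$Target = 'E:',   # assumed external backup drive
    [string]$Source = 'C:'    # assumed system volume
)

# Refuse to back up onto the very disk we are protecting: a backup the
# ransomware can reach is not a backup.
$targetRoot = (Get-PSDrive -Name $Target.TrimEnd(':') -ErrorAction Stop).Root
$sourceRoot = (Get-PSDrive -Name $Source.TrimEnd(':') -ErrorAction Stop).Root
if ($targetRoot -eq $sourceRoot) {
    throw "Backup target $Target must be a different drive from source $Source."
}

# Full image of the system volume. -allCritical pulls in whatever else
# Windows needs in order to boot, so the image can be restored bare-metal.
& wbadmin.exe start backup -backupTarget:$Target -include:$Source -allCritical -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; do not trust this backup."
}

# List the versions now stored on the target so the operator can confirm a
# new one was recorded before disconnecting the drive.
& wbadmin.exe get versions -backupTarget:$Target
Write-Host "Backup finished. Disconnect $Target now: a drive that stays plugged in is reachable by the next infection."
```

The same image is what you would restore from the Windows installation media's recovery options if ransomware later locks the machine; the script's only job beyond running wbadmin is to refuse the one target that would make the backup useless.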

There are 10 comments:

  1. Ken B Reply

    We have had several clients come to us with ransomware infections. (Usually freaking out, due to the “FBI warning” they were getting.) While the system would refuse to boot to the desktop, even in safe mode, it turns out that the infections were poorly written (no surprise here) and we were able to boot to the desktop if the wi-fi was turned off before powering up. (Most laptops have a physical switch which can turn off wi-fi.) At that point, we were able to use our cleanup tools and remove the infection.

  2. Kip Noxzema Reply

    I noticed you didn’t mention Restore Points but that was the answer for me. I simply restored back to a restore point prior to infection, deleted any restore points after the infection and I was good to go. Sometimes, you have to go with what works.

    • Connie Delaney Reply

      Kip,
      Glad it worked for you. Unfortunately “Restore” isn’t all that reliable. Sometimes it works, sometimes it doesn’t. So we would all be wise to follow Leo’s advice and keep image backups. It’s the only sure-fire protection.

      You might enjoy this article: http://ask-leo.com/why_i_dont_like_system_restore.html

    • Leo Reply

      I rarely mention or recommend restore points because in my experience (and the experiences of people I hear from) they often fail just when you need them most. If it worked, fantastic, but it’s never anything I would rely on. More here: Why I don’t like System Restore

    • Dane Reply

      I had a similar infection. And after booting into safe mode and recovering from a previous restore point, all seemed to work just great. However, I have always been a firm believer in reloading my machine from scratch more or less once a year. Eventually two things held me back – I grew tired of the seemingly endless Windows updates and I wasn’t so sure I had all the license information for the software I’ve downloaded through the years. But another leader in tech advice maintains that in most cases, you just can’t be sure if you’ve removed all the infection and that it is best to reload your machine.

      So recently using a second hard drive, I took my time, collected all info and backed up the data using four different methods (a cloned disk image to an alternate disk, Windows image backup, Acronis WD edition image to an external hard drive and finally used Windows Easy Transfer to copy my data to an external hard drive.) Some worked much better than others and my machine can’t seem to write a Windows rescue disk that actually works (so it’s a good thing I can work around this).

      Anyway, my reloaded machine is much faster and more stable running the original drive, I now have an image of the factory install of my machine with Windows updated to June 2013 to get things going much faster next time around and before long I’ll clone this new image to the faster WD Green variable speed drive. Or better still, treat myself to a shiny new solid state drive for the OS and APPS!

      You must be careful and methodical, but I still recommend infrequently reloading a machine to be sure you’re free of riffraff and stragglers. Cheers!

  3. Brian Clark Reply

    I learned a while back that logging on as a limited user, and reserving admin logins to only necessary occasions, is a big help. I’ve been hit a half dozen times by ransomware, but while in limited-user mode. I respond to this by restarting the computer, logging in as admin, then deleting the affected user account (including all files) and recreating it, which gets rid of the problem. I also make a point to save my Favorites from the affected account so I can copy them back when the newly-created account is up and running. Total time to fix: ~10-15 minutes.
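The recovery the comment above describes, scripted in PowerShell as an added example (this is not the commenter's code). It assumes, as the commenter does, that the malware only ever ran under a limited account and so could only touch that account's profile; it also assumes you are logged on as a separate administrator account, that the infected account is named standarduser, and that Favorites are the only data worth keeping. Those names and the WMI/net user calls are assumptions for this illustration.

```powershell
# Added example, not from the original comment or article. Scripts the
# "delete the infected limited account and recreate it" recovery. Assumes:
#  - the malware ran only as the limited user (so its footprint is the profile),
#  - this script runs from a different, administrator account,
#  - the infected account is 'standarduser' (change as needed).

param(
    [string]$User = 'standarduser',                                   # assumed account name
    [string]$Keep = "$env:USERPROFILE\Desktop\$User-favorites"        # where Favorites are parked
)

# 1. Make sure we really are an administrator. A limited account cannot
#    remove another profile, which is exactly why the setup works.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an administrator account, not the infected one."
}

# 2. Locate the profile by its folder name. Win32_UserProfile covers both the
#    folder under C:\Users and the registry hive that goes with it.
$prof = Get-WmiObject Win32_UserProfile | Where-Object { $_.LocalPath -like "*\$User" }
if (-not $prof) { throw "No profile found for $User." }
if ($prof.Loaded) { throw "$User is still logged on; log that session off first." }

# 3. Save only plain data. Favorites are .url shortcuts; copy those alone so
#    nothing executable the malware dropped into the profile comes along.
New-Item -ItemType Directory -Force -Path $Keep | Out-Null
Get-ChildItem -Path (Join-Path $prof.LocalPath 'Favorites') -Recurse -Include *.url |
    Copy-Item -Destination $Keep

# 4. Delete the profile (folder + hive) and then the account itself, so any
#    per-user autostart entries or files the malware planted go with it.
$prof | Remove-WmiObject
& net user $User /delete
if ($LASTEXITCODE -ne 0) { throw "net user /delete failed with exit code $LASTEXITCODE." }

# 5. Recreate it as a standard user (net user /add puts it in Users, not
#    Administrators) with a throwaway password that must be changed at logon.
$tmp = [guid]::NewGuid().ToString('N').Substring(0, 14) + 'Aa1!'
& net user $User $tmp /add
& net user $User /logonpasswordchg:yes
Write-Host "Recreated $User as a standard user. Temporary password: $tmp"
Write-Host "After first logon, copy $Keep back into the new profile's Favorites folder."
```

The check that the account is not still loaded matters: deleting a profile while its hive is open fails half-way and leaves a mixed state. Everything else follows the comment, with the one deliberate narrowing that only .url files are preserved, since carrying over anything else risks carrying the infection over too.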

  4. snert Reply

    I’m only on the internet with Sandboxie and I got hit twice with that crap. I just log out, no problem. Sandboxie is free, it’s easy to setup and it works.

    • johnpro2 Reply

      Good advice from Snert. I have never been infected permanently when using Sandboxie. All the bad stuff is deleted when the browser is closed or, as an option, held in a special folder which is periodically deleted.
      I am somewhat of a reckless web surfer, but who cares?
      Saving outside the Sandbox is somewhat of a judgement call, but if you don’t save (recover) you are very safe indeed.
      Jp

  5. Art Bracher Reply

    Many thanks for your information on ransomware. A friend called me last Thursday evening and told me her computer was being held for ransom. It was late, but I went to your website and found an article that looked good. I printed it and read it next morning (Friday).

    In the cold light of dawn I realized that it was not quite what I wanted, but had links to other articles that sounded promising; back to the website. I browsed through several articles and zeroed in on one that recommended Windows Defender Offline. I downloaded WDO-64 and called on the friend. The computer was clean before I had drunk the cup of tea she made. Thanks very much. Art
