
How Do I Remove Ransomware?

Question: About a week ago, something shut my computer down and now demands $100 to unlock it. How do I unlock or delete this and use my computer? I use Windows Vista.

What you are experiencing is called ransomware.

Ransomware holds your computer, your data, or some part of your machine hostage until you pay the people behind it or do whatever else they demand.

Following their instructions and paying the ransom may or may not unlock your computer. The creators of ransomware may simply take your money and do nothing, leaving you with an unusable computer and out of pocket.

There are a couple of different things that I strongly recommend you do.


Restore from your backup

Backing up really is the best thing that you could have done to protect your machine. That way, when the ransomware appeared, you could have simply restored your machine to the backup from before this infection happened.

You'd be back in business and you would know not to do whatever it was that allowed that malware to get on your machine in the first place.

No backup? Start with malware removal

Without a backup, you need to revert to more general malware removal techniques. I have an article called “How do I remove malware?” that tells you first to make sure your anti-malware software is up to date and then if it is, run it.

This is a stick up!

In cases where ransomware is involved, you may need to use an offline anti-malware tool, like Windows Defender Offline, because the malware may prevent you from running your anti-malware software. You may need to reboot from a disc designed to run stand-alone anti-malware software.

Have a look at the article "Windows Defender Offline - scan your computer for malware without booting Windows." It's designed for exactly this kind of scenario.

What happens if these solutions don't work?

The worst-case scenario is actually pretty bad. If you’ve tried all of these techniques and the ransomware still cannot be removed, you'll need to do either a repair install or a complete reinstall of Windows itself.

But hopefully it won't come to that. Take a look at the "How do I remove malware?" article, which takes you through the steps that should let you avoid that outcome.

And please, consider setting up a backup so you never have to run that risk again.


19 comments on “How Do I Remove Ransomware?”

  1. We have had several clients come to us with ransomware infections. (Usually freaking out, due to the “FBI warning” they were getting.) While the system would refuse to boot to the desktop, even in safe mode, it turns out that the infections were poorly written (no surprise here) and we were able to boot to the desktop if the wi-fi was turned off before powering up. (Most laptops have a physical switch which can turn off wi-fi.) At that point, we were able to use our cleanup tools and remove the infection.

    Reply
  2. I noticed you didn’t mention Restore Points but that was the answer for me. I simply restored back to a restore point prior to infection, deleted any restore points after the infection and I was good to go. Sometimes, you have to go with what works.

    Reply
    • I had a similar infection. And after booting into safe mode and recovering from a previous restore point, all seemed to work just great. However, I have always been a firm believer in reloading my machine from scratch more or less once a year. Eventually two things held me back – I grew tired of the seemingly endless Windows updates and I wasn’t so sure I had all the license information for the software I’ve downloaded through the years. But another leader in tech advice maintains that in most cases, you just can’t be sure if you’ve removed all the infection and that it is best to reload your machine.

      So recently, using a second hard drive, I took my time, collected all info and backed up the data using four different methods (a cloned disk image to an alternate disk, Windows image backup, Acronis WD edition image to an external hard drive and finally Windows Easy Transfer to copy my data to an external hard drive.) Some worked much better than others and my machine can’t seem to write a Windows rescue disk that actually works (so it’s a good thing I can work around this).

      Anyway, my reloaded machine is much faster and more stable running the original drive, I now have an image of factory install of my machine with windows updated to June 2013 to get things going much faster next time around and before long I’ll clone this new image to the faster WD Green variable speed drive. Or better still, treat myself to a shiny new solid state drive for the OS and APPS!

      You must be careful and methodical, but I still recommend infrequently reloading a machine to be sure you’re free of riffraff and stragglers. Cheers!

      Reply
  3. I learned a while back that logging on as a limited user, and reserving admin logins to only necessary occasions, is a big help. I’ve been hit a half dozen times by ransomware, but while in limited-user mode. I respond to this by restarting the computer, logging in as admin, then deleting the affected user account (including all files) and recreating it, which gets rid of the problem. I also make a point to save my Favorites from the affected account so I can copy them back when the newly-created account is up and running. Total time to fix: ~10-15 minutes.

    Reply
  4. I’m only on the internet with Sandboxie and I got hit twice with that crap. I just log out, no problem. Sandboxie is free, it’s easy to setup and it works.

    Reply
    • Good advice from Snert… I have never been infected permanently when using Sandboxie. All the bad stuff is deleted when the browser is closed or, as an option, held in a special folder which is periodically deleted.
      I am somewhat of a reckless web surfer, but who cares?
      Saving outside the Sandbox is somewhat of a judgement call, but if you don’t save (recover) you are very safe indeed.
      Jp

      Reply
  5. Many thanks for your information on ransomware. A friend called me last Thursday evening and told me her computer was being held for ransom. It was late, but I went to your website and found an article that looked good. I printed it and read it next morning (Friday).

    In the cold light of dawn I realized that it was not quite what I wanted, but had links to other articles that sounded promising; back to the website. I browsed through several articles and zeroed in on one that recommended Windows Defender Offline. I downloaded WDO-64 and called on the friend. The computer was clean before I had drunk the cup of tea she made. Thanks very much. Art

    Reply
  6. The fastest way I usually remove some of these is to remove the HDD and scan it on a good computer, hopefully removing the offending malware. If that doesn’t work I rebuild the computer. But it does work in a lot of cases.

    Reply
    • Your solution would remove the malware, but once that malware has done its dirty work, all of your data would still be encrypted. Back up, and then back up your backups, is the only surefire solution. In this case prevention isn’t only better than fixing the problem. It’s the only way. Ransomware can’t be fixed without a backup.

      Reply
  7. I have been hit with ransomware several times, once an FBI warning explaining that one should go to Walmart, get a MoneyGram and send it… I restarted the computer each and every time this has happened, and the computer WORKED fine after restart. DO NOT CLICK ON ANYTHING, just RESTART. Several times I have done this. Hope it helps.

    Reply
  8. Hit by Cerber ransomware yesterday on my Win 10.
    Tried restoring, resetting, Malwarebytes, some other anti-malware tools and Windows Defender Offline, but none is able to help.
    What next?

    Reply
