How to remove ransomware the right way: A step-by-step guide

How to remove ransomware the right way: A step-by-step guide

Over the course of 2016, ransomware quickly became the Number 1 threat to home and business users alike. In 2017, already we are seeing more sophisticated variants using slick presentation and payment portals akin to modern start-ups, but the result is always the same: the victims find themselves unable to access files and a ransom note with a countdown to pay.

Time to panic? Don’t!

Because this is usually immediately following the ransomware attack when most home users and even large enterprizes take the wrong steps and make it much harder for us to help you get your files back. For this reason, we’ve created this step-by-step article to guide you through the process of what to do when you’ve been infected by ransomware.

So what exactly is ransomware?

Ransomware is a type of malicious software that locks up your files and demands a ransom to access them. This form of malware is now the most lucrative form of cyber crime as victims feel threatened to pay, even if there are no guarantees of getting the data back.

Should I pay the ransom?

Before we move on, here is one piece of advice: Don’t pay the ransom. Paying the criminals only encourages further attacks.

We understand that, particularly for larger enterprizes, paying up seems like the best option to recover files and avoid the potential embarrassment of admitting a security breach or inadequate IT security measures. Yet, in many cases, even after paying large sums of money users still don’t receive their files.

We’re here to help. No strings attached.

Emsisoft are proud associate partners of No More Ransom, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two additional cyber security companies. Our shared goal is to help victims of ransomware retrieve their encrypted data without having to pay.

Emsisoft fight’s ransomware on the front-line daily, which means we are best positioned to offer you free, easy to follow advice with no strings attached. So let’s begin.

I’ve been infected with ransomware! What should I do?

Here is a word from our Chief Technology Officer and Head of the Emsisoft Malware Research Lab, Fabian Wosar:

“Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts, which are usually correct when dealing with malware infections, can make things worse when dealing with ransomware.”

So, take a breath and follow these steps:

1. Create an image or backup of the system

Some ransomware strains have hidden payloads that will delete and overwrite all encrypted files after a certain amount of time has passed. Decrypters may not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In these cases, we have found that an encrypted backup is better than having no backup at all. So first of all, we urge you:

Create a backup now of all of your encrypted files before doing anything else. Read: detailed advice on how backups prevent ransomware.

2. Disable any system optimization and cleanup software

A lot of ransomware strains store themselves, and other necessary files, in your Temporary Files folder. If you use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, you need to disable these tools immediately.

Important: Make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or other necessary ransomware files from your system. We will require these later to determine which type of ransomware you have been infected with.

3. Quarantine, but don’t delete!

Your anti-malware solution may have already quarantined the infected file. That’s ok! But, do not delete any files. To figure out what exactly the ransomware has done to your computer, we will require the ransomware to be executable.

Note: It is fine to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a complete backup.

To identify a strain of ransomware and offer a decrypter, we will need access to the malicious file. Additionally, it can be helpful to see a sample encrypted file (ideally nothing sensitive, such as a system icon or similar) to identify exactly which encryption method was used and if any identifiable features match known strains of ransomware.

4. Server victims: identify the point of entry and close it

Recently, we have seen a lot of compromises of servers. Ransomware accesses the server by brute-force. User passwords are rapidly fired at the server via Remote Desktop Protocol (RDP).

We firmly suggest you check your event logs for a large number of login attempts fired in quick succession.

If you find such entries or if you find your event log to be completely empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest to disable RDP if at all possible or at least change the port.

Important: check all the user accounts on the server to make sure the attackers didn’t create any backdoor accounts that would allow them to access the system later. We’ve got more information and tips on how businesses can protect against RDP attacks.

5. Identify the type of ransomware

If your system is infected, but you don’t know what type of ransomware you have been infected with, MalwareHunterTeam has your back. They host ID Ransomware, which is a free service that checks specific signatures of the code to determine which strain is responsible for your loss of data. Once you know which strain of ransomware you are dealing with, it is much easier to see if a suitable decrypter is available.

Note: If you would like to learn more about how security researchers identify ransomware, see this interview with security researcher Michael Gillespie on the Emsisoft Blog.

Services like VirusTotal also allow you to scan malicious files for signatures. These services are incredibly useful, and if you contact Emsisoft for support, we will probably ask you for the results of either of these services. By providing them right away, you can speed up the process of getting back your files!

5.1 Decrypter available? Use it!

Once you know which type of ransomware you have been infected with, check for the decrypter you require. We work tirelessly to ensure the most up to date decrypters are listed here. However, please be aware that there is no guarantee that the decrypter you require will be available. Ransomware gets better every day and more sophisticated all the time.
If you have the decrypter you require, follow the instructions provided on the download page to execute the program. Be sure to let us know that it worked! Tell us your story here.

5.2 No decrypter available? Help us!

To crack new strains of ransomware, our lab needs to be made aware of them as soon as possible.
Contact us on the forum and let us know that you have been infected. Our ransomware first aid service comes with no-strings-attached and is free for both customers and non-customers of Emsisoft. Alternatively, you can also reach us here by email. In both cases, please include the malicious file with email or the VT link of the file, the IDRansomware result URL and a file pair consisting of an encrypted file and the original version. You can find an original version of a file using windows default pictures, files you have downloaded or files from programs you have installed.
If this is your first time on our forums and you are struggling with any of the steps, feel free to refer to this forum post for instructions on how to post and FAQs.
As you can see, there are many practical steps you can take to block or limit the impact of ransomware on your data. So, don’t panic! Emsisoft will be by your side throughout the process.

Have a great (ransomware-free) day!


  • JoMo

    Great info…thanks Emsisoft…

  • Mosquito

    BIG thank you for the people who’re working hard at Emsisoft.

  • Thomas Runge-Jessen


  • Charles HARDY

    I’m sixty six. This is all too difficult for the likes of me!

    If infected by ransom ware, my fix has been to log off. Log in again, clean the system with Reg Organiser and continue on. It has worked so far and maybe because Emsisoft has protected me from worse problems?

    If I should be doing anything else to clear out any residual problems, please email me.

    With thanks, I remain,

    C. R. (Rick) HARDY

  • cat1092

    I believe the advise in Step #1 is the key, to create full disk backups not only as a backup or maintenance plan, these days, as a security measure. Keeping important data off of the OS drive is also key, move to an external as soon as created & then detach the drive.

    The OS is reinstallable as well as any software, precious & valuable files cannot be as easily reloaded, therefore the need to create full disk images often & make this a part of one’s security plan. It’s also best to keep at least the first & last three backup images, with today’s all time lows in 1 & even 2TB externals, no need to worry about space, these are compacted images, not a 1:1 clone of the drive. Example, using Macrium Reflect, one can create a backup image of a 120GB SSD that uses less than 30GB of drive space (assuming 75% full, the max any SSD should be holding).

    I’ve seen backups save many folks memories, and in today’s world, we’ve got to get past the backup rate that’s still somewhere around the turn of the Millennium, as a percentage of users. Yes, many has a backup drive, yet how many uses these? I recommend Macrium Reflect free for those who cannot afford to pay for the software, some also uses EaseUS Todo, another popular choice. Either can also be used for cloning drives, and offers WinPE Media to backup outside of the Windows environment, as well as restore. Macrium also under ‘Other Tasks’ has an option to add the software to the boot menu, where one can boot straight into the software, it gets no faster nor easier.

    And keep a known active anti malware software installed, Emsisoft Anti Malware is my choice, and has a dual scanning engine, to catch what some others misses. Give it a 30 day free trial w/out any obligation to purchase, chances are, one will love the software, everything is so easy to setup, and if one wants to perform a deep scan at bedtime, that’s OK, just select to shutdown after scanning & quarantining Malware & other threats.



    sounds like a tonnage of work to get rid of what some ass**** shouldn’t have dumped on the www in the first place.why r some folks such as******??? i dont get the angst bit.

  • Evan Bagner

    Keep getting a warning from “Microsoft” to contact them as my computer is undafe and sending my credit card info. Call a 1 800 #

    • abd

      don’t call that’s just a very common scam don’t worry. also is it on the internet then definitely don’t call. ask me if you need more information.

      Hope this helped.

      • Evan Bagner

        Do you know how to get rid of it?

        • abd

          Is it on any search browser? if no where does it usually pop, when your on your desktop? and tell me anything else about it

    • Alexander Collins

      Hi, Microsoft will NOT telephone you at any time you are just a number to their system and the phone numbers contacts etc. not in their system,

      This cannot and will not happen the callers are a SCAM. they only want you to give them your bank details.

      The callers often pretend to be support engineers, they are NOT do not give them any details.

      Tell them nothing absolutely nothing other than not to call you back and hank up,

      if they repeat call get an answering machine that will soon stop them.
      Alexander Collins 67 years young..

    • cat1092

      Your computer may be infected, I recommend that at a minimum, you download & run a Full scan with the Emsisoft Emergency Kit ASAP.

      As a 2nd option that may find more, you can always give Emsisoft Anti Malware or Internet Security a 30 day, no risk Trial w/out providing any financial data. If you like the software, as many subscribers does, Emsisoft is always offering promos (such as ‘3 for 1’ deals), though not to worry, one is not nagged daily. Yet if there’s 2-3 computers in the home (average is 2-3 for a couple), it’s a great deal.

      Note that I’m not a paid salesman for Emsisoft, nor do I even use the link to give me extra days at the end of the subscription, though that’s a benefit also.

      If nothing else, download EEK as noted at the top and cleanse your computer. There’s a reason why you’re getting these ‘fake’ notices. The only time that Microsoft will contact a customer is if a subscriber of Store Apps & maybe the current payment data needs to be updated, however that will be delivered by email and/or text message with one’s cell number on file. They’ll never ask to call saying your computer is ‘unsafe’, it’s a scam to get your money for nothing & will only lead to other scam calls/messages.

      I also recommend that you reboot both your modem & router by unplugging each for a minute (modem first). This ‘flushes’ all data within each that lingers, some of which may be leftovers of these messages. I do it monthly to keep up my Internet speed.

      Good Luck with cleaning up your computer & don’t give in to scammers!


  • Abdelraheem Aldaby

    id-46FAC392.[[email protected]].wallet
    this is the new extension of my pdf files, so am asking how can i open it again and recover it

    many thanks