How to remove ransomware the right way: A step-by-step guide

  • February 16, 2017
  • 6 min read

Over the course of 2016, ransomware quickly became the Number 1 threat to home and business users alike. In 2017, already we are seeing more sophisticated variants using slick presentation and payment portals akin to modern start-ups, but the result is always the same: the victims find themselves unable to access files and a ransom note with a countdown to pay.

Time to panic? Don’t!

Because this is usually immediately following the ransomware attack when most home users and even large enterprises take the wrong steps and make it much harder for us to help you get your files back. For this reason, we’ve created this step-by-step article to guide you through the process of what to do when you’ve been infected by ransomware.

So what exactly is ransomware?

Ransomware is a type of malicious software that locks up your files and demands a ransom to access them. This form of malware is now the most lucrative form of cyber crime as victims feel threatened to pay, even if there are no guarantees of getting the data back.

Should I pay the ransom?

Before we move on, here is one piece of advice: Don’t pay the ransom. Paying the criminals only encourages further attacks.

We understand that, particularly for larger enterprises, paying up seems like the best option to recover files and avoid the potential embarrassment of admitting a security breach or inadequate IT security measures. Yet, in many cases, even after paying large sums of money users still don’t receive their files.

We’re here to help. No strings attached.

Emsisoft are proud associate partners of No More Ransom, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two additional cyber security companies. Our shared goal is to help victims of ransomware retrieve their encrypted data without having to pay.

Emsisoft fight’s ransomware on the front-line daily, which means we are best positioned to offer you free, easy to follow advice with no strings attached. So let’s begin.

I’ve been infected with ransomware! What should I do?

Here is a word from our Chief Technology Officer and Head of the Emsisoft Malware Research Lab, Fabian Wosar:

“Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts, which are usually correct when dealing with malware infections, can make things worse when dealing with ransomware.”

So, take a breath and follow these steps:

1. Create an image or backup of the system

Some ransomware strains have hidden payloads that will delete and overwrite all encrypted files after a certain amount of time has passed. Decrypters may not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In these cases, we have found that an encrypted backup is better than having no backup at all. So first of all, we urge you:

Create a backup now of all of your encrypted files before doing anything else. Read: detailed advice on how backups prevent ransomware.

2. Disable any system optimisation and cleanup software

A lot of ransomware strains store themselves, and other necessary files, in your Temporary Files folder. If you use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, you need to disable these tools immediately.

Important: Make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or other necessary ransomware files from your system. We will require these later to determine which type of ransomware you have been infected with.

3. Quarantine, but don’t delete!

Your anti-malware solution may have already quarantined the infected file. That’s ok! But, do not delete any files. To figure out what exactly the ransomware has done to your computer, we will require the ransomware to be executable.

Note: It is fine to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a complete backup.

To identify a strain of ransomware and offer a decrypter, we will need access to the malicious file. Additionally, it can be helpful to see a sample encrypted file (ideally nothing sensitive, such as a system icon or similar) to identify exactly which encryption method was used and if any identifiable features match known strains of ransomware.

4. Server victims: identify the point of entry and close it

Recently, we have seen a lot of compromises of servers. Ransomware accesses the server by brute-force. User passwords are rapidly fired at the server via Remote Desktop Protocol (RDP).

We firmly suggest you check your event logs for a large number of login attempts fired in quick succession.

If you find such entries or if you find your event log to be completely empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest to disable RDP if at all possible or at least change the port.

Important: check all the user accounts on the server to make sure the attackers didn’t create any backdoor accounts that would allow them to access the system later.

5. Identify the type of ransomware

If your system is infected, but you don’t know what type of ransomware you have been infected with, MalwareHunterTeam has your back. They host ID Ransomware, which is a free service that checks specific signatures of the code to determine which strain is responsible for your loss of data. Once you know which strain of ransomware you are dealing with, it is much easier to see if a suitable decrypter is available.

Note: If you would like to learn more about how security researchers identify ransomware, see this interview with security researcher Michael Gillespie on the Emsisoft Blog.

Services like VirusTotal also allow you to scan malicious files for signatures. These services are incredibly useful, and if you contact Emsisoft for support, we will probably ask you for the results of either of these services. By providing them right away, you can speed up the process of getting back your files!

5.1 Decrypter available? Use it!

Once you know which type of ransomware you have been infected with, check for the decrypter you require. We work tirelessly to ensure the most up to date decrypters are listed here. However, please be aware that there is no guarantee that the decrypter you require will be available. Ransomware gets better every day and more sophisticated all the time.
If you have the decrypter you require, follow the instructions provided on the download page to execute the program. Be sure to let us know that it worked! Tell us your story here.

5.2 No decrypter available? Help us!

To crack new strains of ransomware, our lab needs to be made aware of them as soon as possible.
Contact us on the forum and let us know that you have been infected. Our ransomware first aid service comes with no-strings-attached and is free for both customers and non-customers of Emsisoft. Alternatively, you can also reach us here by email . In both cases, please include the malicious file with email or the VT link of the file, the IDRansomware result URL and a file pair consisting of an encrypted file and the original version. You can find an original version of a file using windows default pictures, files you have downloaded or files from programs you have installed.
If this is your first time on our forums and you are struggling with any of the steps, feel free to refer to this forum post for instructions on how to post and FAQs.
As you can see, there are many practical steps you can take to block or limit the impact of ransomware on your data. So, don’t panic! Emsisoft will be by your side throughout the process.

Have a great (ransomware-free) day!



Freelance writer and security enthusiast based in Wellington, New Zealand.

What to read next

Reader Comments