How to remove ransomware the right way: A step-by-step guide (Updated for 2019)

  • February 16, 2017
  • 6 min read
How to remove ransomware

Ransomware is the number one malware threat to home and business users alike. We’ve seen sophisticated variants using slick presentations and payment portals akin to modern start-ups and recently a variant disguised as a wiper. Regardless of the variant, all ransomware infections have two things in common: locked files and a ransom payment demand.

So we’ve created this step-by-step article to guide you through the process of what to do should you be infected by ransomware.

Galacticypter GUI

Galacticypter GUI Courtesy of MalwareHunterTeam

So what exactly is ransomware?

Ransomware is a type of malicious software that locks up your files and demands a ransom to access them. This form of malware is now the most lucrative form of cybercrime as victims feel threatened to pay, even if there are no guarantees of getting the data back.

Should I pay the ransom?

It depends. Paying ransom should be considered a last resort. You have several options, depending on your situation, type of ransomware attack, etc.

Particularly for larger enterprises, paying up immediately seems like the best option to recover files and avoid the potential embarrassment of admitting a security breach or inadequate IT security measures. Yet, in many cases, even after paying large sums of money users still don’t receive their files. It’s best to weigh in all your options first before deciding to pay the ransom.

We’re here to help. No strings attached.

Emsisoft is a proud associate partner of No More Ransom, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and other cybersecurity companies. Our shared goal is to help victims of ransomware retrieve their encrypted data without having to pay.

Emsisoft fights ransomware on the front-line daily, which means we are best positioned to offer you free, easy to follow advice with no strings attached. So let’s begin.

I’ve been infected with ransomware! What should I do?

Here is a word from our Chief Technology Officer and Head of the Emsisoft Malware Research Lab, Fabian Wosar:

“Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts, which are usually correct when dealing with malware infections, can make things worse when dealing with ransomware.”

So, take a breath and follow these steps:

1. Create an image or backup of the system

Some ransomware strains have hidden payloads that will delete and overwrite all encrypted files after a certain amount of time has passed. decryptors may not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In these cases, we have found that an encrypted backup is better than having no backup at all.

Action: This is an important first step – create a backup of all of your encrypted files before doing anything else.

Additional resource: Detailed advice on how backups prevent ransomware.

2. Disable any system optimization and cleanup software

A lot of ransomware strains store themselves, and other necessary files, in your Temporary Files folder. If you use system cleanup or optimization tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, you need to disable these tools immediately.

Action: Check to make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or other necessary ransomware files from your system. We will require these later to determine which type of ransomware you have been infected with.

3. Quarantine, but don’t delete!

Your anti-malware solution may have already quarantined the infected file. That’s ok! But, do not delete any files. To figure out what exactly the ransomware has done to your computer, we will require the ransomware to be executable.

Note: It is fine to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a complete backup.

To identify a strain of ransomware, we will need access to the malicious file. Additionally, it can be helpful to see a sample encrypted file (ideally nothing sensitive, such as a system icon or similar) to identify exactly which encryption method was used and if any identifiable features match known strains of ransomware.

Note for server victims: identify the point of entry and close it

Recently, we have seen many cases of compromised servers. Ransomware accesses the server by brute-force. User passwords are rapidly fired at the server via Remote Desktop Protocol (RDP).

We firmly suggest you check your event logs for a large number of login attempts fired in quick succession.
If you find such entries or if you find your event log to be completely empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest to disable RDP if at all possible or at least change the port.

Action: check all the user accounts on the server to make sure the attackers didn’t create any backdoor accounts that would allow them to access the system later.

4. Identify the type of ransomware and check decryptor availability

If your system is infected, but don’t know what type of ransomware you have been infected with, visit the Emsisoft Decryption Tools page to identify the ransomware strain and check if a decryptor is available.

Action: Go to the Emsisoft Ransomware Decryption Tools page to identify the ransomware strain and check decryptor availability.

Additional resource: If you would like to learn more about how security researchers identify ransomware, see this interview with security researcher Michael Gillespie.

4.1 Decryptor available? Go ahead!

Once you know which type of ransomware you have been infected with and a decryptor is available, go ahead and start unlocking your files.

We work tirelessly to ensure the most up-to-date decrypters are listed here. However, please be aware that there is no guarantee that the decryptor you require will be available. Ransomware evolves and more variants are added every day.

If you have the decryptor you require, follow the instructions provided on the download page to execute the program. Be sure to let us know that it worked! Tell us your story here.

4.2 No decryptor available? Help us!

To crack new strains of ransomware, our lab needs to be made aware of them as soon as possible.
Contact us and let us know that you have been infected. Our decryptors come with no-strings-attached and are free for both customers and non-customers of Emsisoft. Our Support Team will provide instructions on what files you need to provide. It usually includes:

5.3 Need professional help for your organization? Contact us!

When decryptors don’t work or if you’ve already paid the ransom but the ransomware author didn’t hold his end of the bargain, you also have the option of commissioning the development of a custom decryptor key. This is a paid professional service offered by our team (headed by world-renowned malware researchers Fabian Wosar and Michael Gillespie) and trusted partners. Contact us today to get additional information.

As you can see, there are many practical steps you can take to limit the impact of ransomware on your data. So, don’t panic! Emsisoft will be by your side throughout the process.

Have a great (ransomware-free) day!

Haylee

Haylee

Freelance writer and security enthusiast based in Wellington, New Zealand.

What to read next

Reader Comments