How to remove ransomware

by Jake Doevan - - Updated | Type: Ransomware

Ransomware functions as malevolent software (or malware) that blocks victim’s access to the computer and demands to pay the ransom. The ransom and the official reason, why a victim should pay it, depends on the type of the virus.

Some versions claim that the payment should be made to avoid the punishment of the governmental authority (usually, FBI or local agency), others inform that this is the only way to decrypt encrypted data.

These threats may involve stealing user’s sensitive information, terminating legitimate software (anti-virus, anti-spyware, etc.), showing survey warnings and causing other unwanted activities as well.

Types of malware

Depending on the peculiarities of the malware, IT experts classify file-encrypting threats into these categories:

File Encrypting Ransomware. This version is mostly spread with the help of trojans. Once it infiltrates computer, it finds the mostly used files and encrypts them. Traditionally, encrypted files include photos, music files, videos, art, business and other data that is considered important for the victim.

In addition, such virus starts displaying a huge warning message claiming that the only way to decrypt encrypted data is to pay a ransom. In fact, it is right because the most of such malware deletes the shadow copies of files and prevents their recovery.


Non-Encrypting Ransomware. This type blocks the entire PC system and seeks to threaten PC user into paying an invented fine. For that, it presents itself as the warning message of the governmental authority. Typically, hackers use such names as FBI, police, and others.

Once it infects the system, it checks it for illegal files, like the pornographic content or unlicensed program versions on victim's computer. Once they are detected, a virus locks the computer down and starts displaying a huge warning message that looks like it belongs to some governmental authority. In this case, a victim is informed that there are illegal files that were detected after the scan on his/hers computer. In addition, user is asked to pay a fine in order to avoid getting into jail.

Browser-Locking Ransomware. This version does not infect the computer system. It relies on JavaScript that blocks the browser and causes a huge warning message. This fake notification is very similar to the one that is displayed by non-encrypting malware. It mostly claims about the illegal user’s activity on the Internet and asks to pay a ransom for avoiding the jail. Of course, such virus has nothing to do with FBI, Europol and other governmental authority.

Ransomware-as-a-service (RaaS) is one of the main factors why crypto-malware business is booming. If felons, who are interested in earning easy money but lack programming knowledge to create their own, may contact the ransomware developers via the darknet and engage in the distribution campaign.

After gaining access to malware configuration, crooks spread the virus via their networks. In exchange, they often receive 20% of the total revenue. Since the business is conducted in secret servers, RaaS has become a great cyber issue.

Eliminating crypto-malware

Modus operandi of file-encrypting threats

Despite their differences in visual graphic interface or source, their purpose is only one – extort money. In order to do so, the cyber criminals employ different techniques. Here is a short summary how crypto-malware differ from ordinary malware.

  • Ransomware viruses encrypt sensitive user's data, such as business documents, videos, photos and other files.
  • Ransom is demanded in exchange to the encrypted files.
  • Such viruses can delete predetermined documents, multimedia objects or any other files containing important information. They also manifest ability to delete essential system components or important parts of other software.
  • Trojanized versions steal login names, passwords, valuable personal documents, and other confidential information. This data is sent through a background Internet connection to a remote host.
  • Ransomware assault may cause you operating systems system to underperform, more specifically, it may force a system restart or significantly affect its CPU speed.
  • Certain types of this malware category may shut down cyber security-related software.
  • More elaborate samples are able to disguise their activity on an operating system until they finish encrypting users' files.

Although they usually do not self-replicate, such threats can make lots of problems on your computer. They can make your vital information inaccessible. It is highly recommended not to pay ransom, which is asked by this threat because that doesn't help to remove the parasite and restore affected information.

Distribution techniques and methods

The most of ransomware parasites are able to propagate themselves and infect their target PC systems without users' knowledge. They can affect computers running Windows operating system, Mac OS X, Android and other operating systems. There are two major ways how these parasites can get into your computer.

Trojan Horse and other malware. The most of this type of infections are spread with the help of trojans. Trojan.Lockscreen is the most used threat for installing ransomware on the system. They get into the system without user's knowledge as they tend to arrive in files attached to e-mail messages that present themselves as messages from reputable parties, such as Amazon, Ebay, financial institutions, etc. Once a user is tricked into downloading such attachment, the trojan, carrying the ransomware payload, gets activated.

Fake pop-up notifications. Some samples of this malware category are distributed by fake pop-up notifications that can be seen either on illegal or on legitimate websites. Mostly, they are set to report about missing updates but they can also “inform” you about a need to scan the system for free and remove viruses from it. These ads are usually filed with unsuspicious names and legitimate logos, so they can trick even the most experienced PC user into clicking them.

Spam emails. This is the most profitable technique in ransomware distribution. Ironically, if users were more cautious, they could be able to prevent the hijack of most destructive threats. The key principle of this technique lies in wrapping the malware into a .doc or .js file. The notorious crypto-malware Locky is especially known to employ this technique.

By emphasizing the importance of the fake invoice or package delivery attachment, victims are persuaded to extract the attached file. If it is a .doc file, it might ask users to enable macro settings. If they are enabled, the corrupted file downloads the main payload of the malware. Alternatively, cyber criminals counterfeit subpoenas or the email supposedly sent by the FBI. Users should pay attention to the content of such emails. They often contain grammar mistakes and typos, and altered credentials.

Exploit kits. This technique is mostly preferred by developers of more sophisticated threats. Locky and Cerber virus authors are especially keen in using Angler, RIG, and Neutrino exploit kits. While, the former, Angler, was fortunately terminated, Rig and Neutrino continue facilitating the transmission peculiarities of crypto-malware. Their main principle of operation lies in compromising in selected domains. By injecting corrupted scripts, users, visiting such domains, end up being hacked by the very threats. Thus, the only viable way of preventing such cyber assault remains the usage of cyber security tools.

Browser extensions. This is relatively new technique, mainly employed by Spora ransomware developers. They also relied on EiTest script technique, which would compromise a certain web page by injecting a specific script. After netizens visit such domain, the content is transformed into an unreadable collection of numbers and characters and “The HoeflerText font wasn't found” notification appears.

In order to read the content, users had to “update” a specific Chrome font browser add-on. Nonetheless, they only facilitated the hack of the file-encrypting threat. Lately, other fraudsters developed a technique of distributing malware via fake GoogleDocs invitations. Thus, in order to lower the risk of crypto-malware assault, users have to retain vigilance, while downloading new apps, enabling new features and communicating with users via social network.

The biggest ransomware outbreak in history

Cyber criminals have not failed to astonish the virtual community. However, on the eve of May 11th, 2017, the world was yet to witness the unprecedented cyber assault in the entire history of computer viruses. The next day, different public and governmental institutions, as well as private companies, all around the world started reporting their cyber systems to have been taken by ransomware. Its name was WannaCry.

  • infected more than 200 000 devices in 150 countries
  • demanded over 300 dollars in bitcoins 
  • devised on the basis of “EternalBlue” vulnerability
  • targeted older and outdated Windows OS versions
  • possibly created by Chinese hackers

It targeted solely Windows OS systems. World-class companies such as “Hitachi” or German transportation agency “Deutsche Bahn” were affected by the malware. The ransom note was visible on digital information and advertising boards. The outbreak led international IT cyber specialists to join forces in seizing the attack. Interestingly, that WannaCry hackers were able to wreak havoc due to a seemingly minor factor – EternalBlue (CVE-2017-0144) vulnerability.

The story of WannaCry dates several months ago when the gang of cyber crooks known as “ShadowBrokers” stole the hacking tool developed according to this vulnerability. Surprisingly, the merits for creating such tool do not belong to hackers as many may expect, but rather to National Security Agency.

The image illustrating  the attack of WannaCry

With the help of this tool, older versions of Windows which possessed weak transport SMB protocols, fell into the trap set by the malware. Though after the leak was exposed and Microsoft quickly released the patch in March, the scale of WannaCry revealed the high number of outdated system globally.

Nonetheless, the rampage of the malware did not take too long. An IT specialist Marcus Hutchins bought an unregistered domain monitored by the malware developers. Fortunately, he was able to find a “kill switch.” By activating it, the traffic of the malware was finally ceased. While the world was recovering from the attack and estimating losses and scale of damage, the virtual community expected the second wave of the attack.

Since then, affiliated versions, such as WanaCrypt0r, Wana Decryot0r 3.0, made an appearance. Recently, another IT specialist warned netizens as he found a peculiar domain which may be related to the distribution campaign of WannaCry 3.0.

As the virtual community retains focus on this family of viruses, further analysis has presented interesting results. The extracts of the source code of the malware hinted to “Lazarus,” a notorious gang of hackers who are suspected to be working under the protection of the North Korea government. However, other specialists found evidence suggesting that the culprit might have been of Chinese origin.

Speculations over the new series of attacks flickering in the media might indeed provoke the hackers to make a rush and launch the another wave of the attack. Latest versions will, certainly, not include the “kill switch.” On the other hand, every computer virus, despite how powerful it may seem, has a weakness.

Unblocking computer and removing file-encrypting threats

In case of the assault, it is not recommended paying the ransom. There are lots of people who have lost their money in this way. Also, do not believe messages stating that you are dealing with governmental authorities because it's not true.

Usually, such statements are displayed just for exerting psychological pressure on people and persuading them into paying ransoms. Fortunately, numerous antivirus and anti-spyware applications can easily find ransomware files on the system and remove each of them. More information about them can be found in the Software section.

Countering crypto-malware on Windows OS

Ransomware is booming

Despite how elaborate a file-encrypting is, manual termination is never an option. Even if it is just a weak screen locker, opt for an automatic solution. Press Alt+F4 combination of keys and then launch an anti-spyware tool. If, on the way of launching a security tool, you face a series of system errors, perform the below steps. Safe Mode will grant you access to vital functions and then you will be able to eliminate ransomware.

• Reboot computer in Safe Mode and repeat the installation of anti-malware app;
• Reboot computer in Safe Mode with Command Prompt and then install anti-malware program;
• Restore your system settings;
• Disable the affected web browser;
• Use Reimage or Malwarebytes Anti Malware;
• Contact 2spyware customer service through “Ask Us” section;

After the elimination process is finished, you might also install firewall software to complement your anti-virus and anti-spyware tools. The former software proves to be effective in blocking trojans or ransomware which occupy devices by exploiting weak Remote Desktop protocols.

Terminating ransomware on Mac OS

Mac ransomware might become a more frequent phenomenon

Apple users are said to have a certain advantage over Windows OS owners. For a long time, the term “Mac ransomware” only brought a surprised look if not a smile on users faces. However, crypto-malware designed for Mac OS system is no longer a fantasy. Mac OS-based file-encrypting threats target devices in the disguise of rogue applications or corrupted app updates. Indeed, such cases are significantly lower than the number of Windows-based file-encrypting threats.

Therefore, it is crucial to be aware of prevention measures. The same crypto-malware methods apply in terminating the malware on Mac os systems as well. You will find explicit reviews of applications which might be effective in eliminating ransomware on Apple devices. In addition, there are also free tools which solely focus on detecting file-encrypting activities. Having such tool on the device might strengthen the overall immunity of the device.

NoMore ransom project offers solution for ransomware victims

At the end of last year, numerous articles appeared on online media entitling 2016 to be the year of ransomware. With such threats as CryptoLocker, Cerber, Locky rampant online, netizens were entrapped between three options – either pay the ransom and rely on hackers mercy, restore data from backup files (at the best case of scenario) or give up the files.

Fortunately, cyber specialists and international law enforcement forces have worked tirelessly on the project which, later on, was introduced as NoMoreRansom. National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security are credited for this initiative. It helps victims affected by crypto-malware.

At the moment, the domain encompasses a series of decryption tools of most popular file-encrypting threats. However, even if netizens managed to get infected with older samples or less popular threats, they will also find the website highly beneficial. It is regularly updated with the improved decryption tools.

Users, who have ben struck with XData ransomware, might find the tool to decode their files for free. AES-NI, Globe ransomware, TeslaCrypt and HiddenTear victims will also find a solution. With the expanding network of partners, NoMoreRansom keeps also gives prevention tips. The developers note that ransomware education is gaining more importance as mere cautiousness may save from highly troublesome and severe outcomes.

Latest ransomware added to the database

Database of ransomware

June 21, 2018

Pulpy ransomware

Pulpy ransomware is a cyber threat that promises to delete victim's important files within 2 days. More
June 20, 2018

Bomber ransomware

Bomber ransomware — a virus that locks your files and demands to pay the ransom. More
June 19, 2018

Danger ransomware

Danger ransomware — a virus that is related to Scarab crypto-virus family. More
June 18, 2018

QNBQW ransomware

QNBQW  — a ransomware virus that blocks access to your data. More
June 18, 2018

Everbe ransomware

Everbe is a ransomware virus that is now decryptable. Everbe is ransomware that first appeared in March 2018.More
June 15, 2018

DBGer ransomware

DBGer ransomware is a virus that encrypts your data and demands ransom. More
June 15, 2018

RedEye ransomware

RedEye ransomware can destroy files even without gaining any financial benefit for the hacker. More
June 14, 2018

Gw3w ransomware

Gw3w ransomware – one of B2DR virus versions demanding a ransom after files' encryption. More
June 14, 2018

Excuses ransomware

Excuses ransomware — crypto-virus that demands money in exchange for a special key used to decrypt data. More

Information updated: 2017-05-11

Read in other languages

Ransomware removal software
Like us on Facebook