Ransomware stops you from using your PC. It holds your PC or files for “ransom”. This page describes what ransomware is and what it does, and provides advice on how to prevent and recover from ransomware infections.
There are two types of ransomware – lockscreen ransomware and encryption ransomware.
Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
Older versions of ransomware usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.
Newer versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.
What does ransomware do?
Ransomware will prevent you from using your PC normally, and will ask you to do something before you can use your PC.
It can target any PC user, whether that's a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider. Ransomware can:
- Prevent you from accessing Windows.
- Encrypt files so you can’t use them.
- Stop certain apps from running (like your web browser).
Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
Frequently asked questions
No. These warnings are fake and have no association with legitimate authorities. The message uses images and logos of legal institutions to make it look authentic.
I don’t recommend that you pay. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.
How to recover your files depends on where your files are stored and what version of Windows you are using.
Before you try to recover files, you should use Windows Defender Offline to fully clean your PC.
For Microsoft Office files stored, synced, or backed up to OneDrive, your files are safe as they are stored in the cloud.
For files on your PC
- You need to have turned on File History (in Windows 10 and Windows 8.1) or System Protection for previous versions (in Windows 7 and Windows Vista) before you were infected. In some cases, these might have been turned on already by your PC manufacturer or computer IT technician.
- Some ransomware will also encrypt or delete the backup versions of your files. This means that even if you have enabled File History, if you have set the backup location to be a network or local drive your backups might also be encrypted. Backups on a removable drive, or a drive that wasn’t connected when you were infected with the ransomware, might still work.
If you’ve been infected by the Crilock family of ransomware (also called CryptoLocker), you might be able to use tools from FireEye and Fox-IT to help recover your files.
You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.
The following government-initiated fraud and scam reporting websites may also help:
Your IP address is not usually hidden, and there are lots of tools online that will get it for you. It’s likely they used such a tool.
In most instances ransomware is automatically downloaded when you visit a malicious website or a website that’s been hacked.
How do I protect myself?
- Install and use an up-to-date Internet security package such as AVG, Trend, Kaspersky, or Norton.
- Make sure your software is up-to-date.
- Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.
- If you use Internet Explorer, ensure you have SmartScreen turned on.
- Have a pop-up blocker running in your web browser.
- Regularly back up your important files.
You can back up your files with a cloud storage service that keeps a history or archive of your files, such as OneDrive, which is now fully integrated into Windows 10, Windows 8.1, and Microsoft Office.
After you’ve removed the ransomware infection from your computer, you can restore previous, unencrypted versions of your Office files using “version history”.
Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.
If you’ve already paid, see the question “What should I do if I’ve paid?” above.
How to remove the ransomware depends on what type it is.
If your web browser is locked
You can try to unlock your browser by using Task Manager to stop the web browser’s process:
- Open Task Manager (Ctrl + Alt + Del), select the web browser’s process, and end it.
If your PC is locked
- Method 1: Use the Microsoft Safety Scanner in safe mode
First, download a copy of the Microsoft Safety Scanner from a clean, non-infected PC. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected PC.
Try to restart your PC in safe mode.
When you’re in safe mode, try to run the Microsoft Safety Scanner.
- Method 2: Use Windows Defender Offline
Because ransomware can lock you out of your PC, you might not be able to download or run the Microsoft Safety Scanner. If that happens, you will need to use the free tool Windows Defender Offline.
Steps you can take after your PC has been cleaned
Make sure your PC is protected with antimalware software such as Windows Defender, which is free and part of Microsoft Security Essentials. I would also install an Internet security package such as AVG.
Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:
- Visiting unsafe, suspicious, or fake websites – including porn and pirate software websites.
- Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
- Clicking on malicious or bad links in emails, in Facebook, Twitter, and other social media posts, or in instant messenger chats such as Skype.
It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware. Usually it requires the hard drive to be re-formatted and Windows re-installed.
That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:
- Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
- If you’re ever unsure – don’t click it!
- Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
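As an added example (not part of the original page), this Python check applies the last point above: it compares an e-mail sender field against a list of brand names the user trusts and flags near-miss spellings such as “PayePal” and a brand fused to the next word such as “iTunesCustomer”. The brand list and the sample sender strings are constructed for the example.

```python
"""Heuristic check for look-alike brand names in an e-mail sender field.

Added example (not from the original page). It implements the page's advice:
flag near-miss spellings such as "PayePal" for "PayPal" and fused words such as
"iTunesCustomer Service" for "iTunes Customer Service".
"""
import re

# Constructed list of brands the user actually deals with (an assumption).
TRUSTED_BRANDS = ["PayPal", "iTunes", "Microsoft", "OneDrive"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_brand_mentions(sender: str, brands=TRUSTED_BRANDS) -> list[tuple[str, str, str]]:
    """Return (text, brand, reason) findings for a sender display name/address.

    Exact matches (ignoring case) are legitimate and not reported. A token that
    is one edit away from a brand (two for long brand names) is a look-alike;
    a brand glued to a following capitalised word is a spacing anomaly.
    """
    findings: list[tuple[str, str, str]] = []
    tokens = [t for t in re.split(r"[\s@.,<>()\-_]+", sender) if t]
    for brand in brands:
        limit = 2 if len(brand) >= 8 else 1
        for tok in tokens:
            dist = edit_distance(tok.casefold(), brand.casefold())
            if 0 < dist <= limit:
                findings.append((tok, brand, "look-alike spelling"))
        fused = re.search(re.escape(brand) + r"[A-Z][A-Za-z]*", sender)
        if fused:
            findings.append((fused.group(0), brand, "missing space after brand"))
    return findings


if __name__ == "__main__":
    for sample in ["PayPal <service@paypal.com>",
                   "PayePal <billing@payepal.com>",
                   "iTunesCustomer Service <noreply@example.invalid>"]:
        print(sample, "->", suspicious_brand_mentions(sample) or "looks consistent")
```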