How to remove ransomware virus

Ransomware is a virus that encrypts the files on a user's PC and demands a ransom for their recovery. There are many types of ransomware, but this article covers the most dangerous one: the encrypting virus. The best-known examples at the moment are Locky, CTB-Locker and RSA-4096. All known ransomware uses the same encryption algorithms that have been used for a long time in many fields and have proven extremely reliable: the RSA and AES standards, with keys of varying length. In practice, files encrypted with these algorithms cannot be decrypted without the key.


Ransomware Example


Ransomware is considered the most dangerous type because removing it does not solve the problem. You can remove the virus from your computer, but the files remain encrypted, and on top of that you lose the ability to restore them by paying the ransom. Over their lifetime, viruses of this type have earned their creators millions of dollars, and they keep earning more every day. Their success rests on the fact that every computer user stores information that matters to them: family photos, a book, a thesis or any other intellectual property. Too many people are willing to pay the fraudsters to recover their data without even trying to understand what is happening. Do not panic; instead, read about all the methods of solving this problem that are published in this article.

How ransomware virus works

Ransomware enters the user's computer in the same ways as other viruses: a malicious e-mail, bundling with free software, a download from an infected website and so on. The first differences appear after installation. Conventional viruses and adware start acting openly immediately: you get spam, your browser goes out of control and refuses to perform basic functions, and the computer throws critical errors. Naturally, you notice the virus and begin to deal with it. Ransomware acts differently. Once installed, it searches for files with popular extensions containing text or images, and begins to encrypt them. In many cases this information has no monetary value, but if you work from home, the damage caused by losing these files will be huge.

The encryption process takes several hours. If you have terabytes of photos and 500 GB of text on your hard drive, the virus will have to work hard, but in any case the process takes no more than 1-2 days. During this time you may notice some decrease in system performance, slow response from programs and other inconveniences. The more powerful your computer, the less noticeable the symptoms. If you notice something like this, check the Task Manager immediately and stop all suspicious processes (processes with unknown publishers or without a description). In most cases the virus completes the encryption step, and once all the files have been changed, it displays a message with the ransom demand and basic instructions. Each virus displays a different message, but in general they are all similar: "Pay us or lose your data". Here are some examples of typical messages from ransomware:


Locky ransomware


CTB Locker virus


RSA-4096 ransomware


As you can see, the fraudsters do not limit themselves to technical means; they also use psychology to frighten their victims into paying as soon as possible. All the messages say things you already know: the files cannot be decrypted, you have to pay the money, and so on. Do not be afraid to act on your own, and pay the ransom only if all other methods have failed.

Ransomware removal instruction

Brief removal steps

Step 1. Boot the system in the safe mode

Step 2. Show all hidden files and folders

Step 3. Clean hosts file

Step 4. Remove virus files

Step 5. Clean registry

Step 6. Clean startup folder

Step 7. Boot system in normal mode


In any case, whether you pay or not, you have to remove the virus. If you are going to pay, do so only after the files have been restored; if you decide to handle it on your own, proceed with removal now. As with any other virus, removal can be carried out either manually or with special software. We advise manual removal only if you are confident that you will not make a mistake. Just follow the instructions below and you will get rid of the virus very soon.

If you prefer long-term protection and want assurance that no virus will be able to harm you, it is better to use a reliable and effective anti-virus.



Step 1. Boot the system in the safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

An alternative way to boot the computer into safe mode:


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders, and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Clean hosts file

  • Click Start
  • Type %windir%\System32\drivers\etc\hosts and press Enter



  • Open the file with Notepad




  • This file must not contain any IP addresses below the word "localhost"; any entries found there are not part of a clean Windows installation and should be removed


Clean hosts file


Step 4. Remove virus files

Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%

Step 5. Clean registry

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the startup entries under: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Step 6. Clean startup folder

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Startup tab
  • Uncheck suspicious programs


Startup folder

Step 7. Boot system in normal mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Deselect Safe boot and press Ok
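The inspections from steps 3 to 6 collected into one read-only PowerShell audit script. This is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later on an elevated prompt, and the 14-day file-age window is an assumed value to adjust to the infection date.

```powershell
# Added audit script (not from the original article). Read-only: it lists what
# steps 3 to 6 ask you to inspect; deleting anything is left to the reader.
# Assumption: Windows PowerShell 5.1 or later, run from an elevated prompt.

# Step 3: active hosts-file entries other than the standard localhost mappings.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
Write-Host "== Non-default hosts entries (should be empty) =="
Get-Content -Path $hostsPath | ForEach-Object {
    $line = $_.Trim()
    # Skip blank lines, comments and the standard localhost lines.
    if ($line -and -not $line.StartsWith('#') -and
        $line -notmatch '^\S+\s+localhost(\.localdomain)?$') {
        $line
    }
}

# Step 4: recently written executable content in %TEMP% and %ProgramData%,
# with its Authenticode status (unsigned binaries deserve a closer look).
$cutoff = (Get-Date).AddDays(-14)   # assumed window; adjust to the infection date
$suspectExt = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1')
Write-Host "== Recent executables in TEMP / ProgramData =="
foreach ($dir in @($env:TEMP, $env:ProgramData)) {
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in $suspectExt) -and ($_.LastWriteTime -gt $cutoff) } |
        Select-Object FullName, LastWriteTime, Length,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
        Format-Table -AutoSize
}

# Steps 5 and 6: everything that starts with Windows, from the Run keys of
# HKLM and HKCU and from both Startup folders. Win32_StartupCommand covers them all,
# so the manual Regedit and Msconfig checks can be cross-checked against one list.
Write-Host "== Startup entries (Run keys and Startup folders) =="
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Location, User, Command |
    Format-Table -AutoSize -Wrap
```

Anything listed that you cannot attribute to software you installed is a candidate for the manual removal described in the steps above.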


You can restore your files after removing the virus. Information about restoration methods is in the article "How to restore encrypted data".





0 #5 where is start butto 2017-07-24 16:46
Where is the Start button?
0 #4 Soniya 2017-05-15 03:53
How to restore all my files? I don't have a backup, and I'm facing a problem with a ransomware virus.
0 #3 John 2016-12-01 08:08
Quoting soumya:
I deleted the files as above, but how do I ensure that the virus has been removed?

You can ensure this only by scanning the system with a decent anti-malware tool.
-1 #2 Abhijit 2016-09-25 17:31
How to restore Cerber-infected files?
+1 #1 soumya 2016-09-22 20:46
I deleted the files as above, but how do I ensure that the virus has been removed?
