How to remove ransomware virus

Ransomware is malware that encrypts the files on the user's PC and demands a ransom to restore them. There are many types of ransomware, but this article covers the most dangerous one, the encrypting virus. The best-known examples of ransomware today are Locky, CTB-Locker and RSA-4096. All known ransomware uses the same encryption algorithms that have long been used in many other fields and have proven to be extremely reliable: the RSA and AES standards, with keys of various sizes. In practice, files encrypted with these algorithms cannot be decrypted without the key.

Ransomware Example

 

Ransomware is considered the most dangerous because removing it does not solve the problem. You can remove the virus from your computer, but the files remain encrypted, and in addition you lose the ability to restore them by paying the ransom. Over their lifetime, viruses of this type have brought their creators millions of dollars, and they continue to earn more every day. Their success rests on the fact that every computer user stores information that matters to him or her: family photos, a book, a thesis or other intellectual property. Too many people are willing to pay the fraudsters to recover their data without even trying to understand what is happening. Don't panic; instead, learn about all the methods of solving this problem that are described in this article.

How a ransomware virus works

Ransomware gets onto the user's computer in the same ways as other viruses: a malicious e-mail, bundling with free software, a download from an infected web site and so on. The first differences appear after the ransomware is installed. Conventional viruses and adware start acting openly right after installation: you get spam, your browser gets out of control and refuses to perform basic functions, and the computer throws critical errors. Naturally, you notice the virus and start dealing with it. Ransomware acts differently. Once installation is complete, it searches for files with popular extensions that contain text or images and begins to encrypt them. In most cases this information has no monetary value to anyone else, but if you work from home, the damage from losing these files can be huge.

Encrypting the files takes several hours. Of course, if you have terabytes of photos and 500 GB of text on your hard drive, the virus will have to sweat, but in any case the process takes no more than 1-2 days. During the process you may notice some decrease in system performance, slow response of programs and other inconveniences; the more powerful your computer, the less noticeable the symptoms. If you notice something like that, check the Task Manager immediately and stop all suspicious processes (processes with unknown publishers or without a description). In most cases the virus gets through the encryption step, and once all the files have been changed it displays a message with the ransom demand and basic instructions. Each virus displays a different message, but in general they are all alike: "Pay us or lose your data". Here are some examples of typical messages from ransomware:

Locky ransomware

CTB Locker virus

RSA-4096 ransomware

 

As you can see, the fraudsters do not limit themselves to technical means; they also use psychology to frighten their victims into paying as soon as possible. All the messages say things you already know: the files can't be decrypted, you have to pay, and so on. Do not be afraid to act on your own, and pay the ransom only if all other methods have failed.
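The article above advises checking the Task Manager for processes with an unknown publisher or no description. The script below is an added example, not code from the original article: it applies exactly those two criteria to every running process and lists the matches without stopping anything, so you can note each executable's path before deciding what to do. It assumes Windows PowerShell 5.1 or later on Windows 10/11, run from an elevated prompt so that the image path of most processes is readable.

```powershell
# Added example (not from the original article): read-only triage of running
# processes by the two Task Manager hints the article gives, an executable
# without a valid publisher signature or without a file description.
# Assumes Windows PowerShell 5.1+; run elevated so process paths are readable.

function Get-SuspiciousProcess {
    [CmdletBinding()]
    param()

    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |              # only processes whose image path we could read
        Sort-Object -Property Path -Unique |     # one row per executable, not per instance
        ForEach-Object {
            $proc = $_
            $sig  = Get-AuthenticodeSignature -FilePath $proc.Path -ErrorAction SilentlyContinue
            $info = (Get-Item -LiteralPath $proc.Path -ErrorAction SilentlyContinue).VersionInfo

            $reasons = @()
            if ($null -eq $sig -or $sig.Status -ne 'Valid') {
                $reasons += "signature: $($sig.Status)"
            }
            if ([string]::IsNullOrWhiteSpace($info.FileDescription)) {
                $reasons += 'no file description'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Name        = $proc.ProcessName
                    Id          = $proc.Id
                    Path        = $proc.Path
                    Publisher   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                    Description = $info.FileDescription
                    Reason      = $reasons -join '; '
                }
            }
        }
}

# Print the candidates; nothing is terminated by this script.
Get-SuspiciousProcess | Format-Table -AutoSize -Wrap
```

Treat the output as a list of candidates, not a verdict: some Windows components are signed through a security catalog rather than an embedded signature and can show up as NotSigned here, while a signed binary is not automatically harmless. Write down the Path column for anything you do stop, because that path is what Step 4 of the removal instructions tells you to look for.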

Ransomware removal instruction

Brief removal steps

Step 1. Boot the system in the safe mode

Step 2. Show all hidden files and folders

Step 3. Clean hosts file

Step 4. Remove virus files

Step 5. Clean registry

Step 6. Clean startup folder

Step 7. Boot system in normal mode

 

In any case, whether you pay or not, you have to remove the virus. But if you are going to pay, remove the virus only after your files have been restored; if you decide to handle it on your own, proceed to the removal now. As with any other virus, removal can be done either manually or with special software. We advise manual removal only if you are sure you will not make a mistake. Just follow the instructions below and you will get rid of the virus very soon.

If you prefer long-term protection and want the assurance that no virus will be able to harm you, it is better to use a reliable and effective anti-virus.

 

 

Step 1. Boot the system in the safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1

 

  • Select Boot tab

Safe mode. Step 2

 

 

  • Select Safe boot and press Ok

Alternative way to boot the computer into safe mode:

 

Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1

 

  • Select Appearance and Personalization

Show hidden files. Step 2

 

  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3

 

  • Press Ok

 

Step 3. Clean hosts file

  • Click Start
  • Type %windir%\System32\drivers\etc\hosts

 

 

  • Open file with Notepad

 

Open_hosts_file

 

  • This file must not contain any IP addresses below the line with the word "localhost"

 

Clean hosts file

 

Step 4. Remove virus files

Check the following folders for suspicious files:

  • %TEMP%
  • %APPDATA%
  • %ProgramData%

Step 5. Clean registry

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the startup entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Step 6. Clean startup folder

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1

 

  • Select Startup tab
  • Uncheck suspicious programs

 

Startup folder

Step 7. Boot system in normal mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Deselect Safe boot and press Ok
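Steps 3 to 6 above each name a place to inspect by hand. The script below is an added example, not part of the original article, that audits all of those places in one pass and only reports what it finds: active hosts-file mappings other than localhost, recently written executables and scripts under %TEMP%, %APPDATA% and %ProgramData%, and every value in the Run and RunOnce keys plus both Startup folders. It assumes Windows PowerShell 5.1 or later, run elevated so that HKLM and all profile folders are readable; the sample hosts lines at the bottom are constructed to show the parser on known input.

```powershell
# Added example, not from the original article: read-only audit of what
# Steps 3-6 tell you to inspect. It reports and never deletes, so each
# removal remains a deliberate decision. Assumes Windows PowerShell 5.1+,
# run elevated. The hosts sample below is constructed.

function Get-HostsAnomaly {
    param([string[]]$Lines)
    # Every active mapping that is not the loopback entry for localhost.
    # The article's rule: nothing should be mapped below the localhost line.
    foreach ($line in $Lines) {
        $t = ($line -split '#')[0].Trim()           # drop comments, including inline ones
        if ($t -eq '') { continue }
        $parts = $t -split '\s+'
        if ($parts.Count -ge 2 -and $parts[0] -in @('127.0.0.1', '::1') -and $parts[1] -eq 'localhost') { continue }
        [pscustomobject]@{
            Address = $parts[0]
            Hosts   = if ($parts.Count -ge 2) { $parts[1..($parts.Count - 1)] -join ' ' } else { '(malformed line)' }
        }
    }
}

function Get-RecentExecutable {
    param([string[]]$Folders, [int]$Days = 7)
    # Executables and scripts written in the last $Days days under the folders
    # the article names (Step 4); hidden files are included via -Force.
    $types = '*.exe', '*.dll', '*.scr', '*.bat', '*.cmd', '*.vbs', '*.js', '*.ps1'
    $since = (Get-Date).AddDays(-$Days)
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -Path $folder -Include $types -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Get-AutorunEntry {
    # Machine and current-user Run/RunOnce values (Step 5) plus both Startup folders (Step 6).
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a Run value
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Constructed sample hosts file: two legitimate lines and two that the rule flags.
$sampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '0.0.0.0         updates.example-vendor.invalid   # blocks a (hypothetical) vendor update host',
    '198.51.100.7    www.example.com'
)
'--- hosts anomalies in the constructed sample (expect the last two lines) ---'
Get-HostsAnomaly -Lines $sampleHosts | Format-Table -AutoSize

'--- live system ---'
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
Get-HostsAnomaly -Lines (Get-Content -LiteralPath $hostsPath) | Format-Table -AutoSize
Get-RecentExecutable -Folders $env:TEMP, $env:APPDATA, $env:ProgramData | Format-Table -AutoSize
Get-AutorunEntry | Format-Table -AutoSize -Wrap
```

Nothing in this script changes the system. When an entry looks wrong, note its path and the Run value or Startup shortcut that points at it, check the file against the vendor it claims to come from, and only then delete it in the order the article gives (file, registry value, startup entry). A completely empty result for the live hosts file is the normal state of a clean machine.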

 

You can restore your files after the virus has been removed. Information about restoration methods can be found in the article "How to restore encrypted data".

 

 

Comments

#3 John 2016-12-01 08:08
Quoting soumya: "I deleted the files as above but how do I ensure that the virus has been removed?"

You can ensure this only by scanning the system with a decent anti-malware tool.

#2 Abhijit 2016-09-25 17:31
How to restore Cerber infected file?

#1 soumya 2016-09-22 20:46
I deleted the files as above but how do I ensure that the virus has been removed?
