How to Remove Ransomware the Right Way: A Step-by-Step Guide

By | February 16, 2017
Print pagePDF page

This guide to removing ransomware was written and published by our friends at Emsisoft. We couldn’t be more proud of our relationship with them – they share the same common core belief to always try to do the right thing  for people.

Whether you have Emsisoft or not, this guide and all the recommendations contained in it are free. We’re publishing this with permission of our friends at Emsisoft. We will leave it posted for you – you’re free to print it or share it with your friends. We hope you will support us and Emsisoft by using or continuing to use Emsisoft Anti-Malware (and antivirus) on your PCs. We offer discounted prices, professional set up and configuration, and free help as well. All our Emsisoft offers can be found here.

Now, here’s the article from Emsisoft that could come in very handy for you someday. But we do hope you will never need the information published here.

How to remove ransomware the right way: A step-by-step guide

Over the course of 2016, ransomware quickly became the Number 1 threat to home and business users alike. In 2017, already we are seeing more sophisticated variants using slick presentation and payment portals akin to modern start-ups, but the result is always the same: the victims find themselves unable to access files and a ransom note with a countdown to pay.

Time to panic? Don’t!

Because this is usually immediately following the ransomware attack when most home users and even large enterprises take the wrong steps and make it much harder for us to help you get your files back. For this reason, we’ve created this step-by-step article to guide you through the process of what to do when you’ve been infected by ransomware.

So what exactly is ransomware?

Ransomware is a type of malicious software that locks up your files and demands a ransom to access them. This form of malware is now the most lucrative form of cyber crime as victims feel threatened to pay, even if there are no guarantees of getting the data back.

Should I pay the ransom?

Before we move on, here is one piece of advice: Don’t pay the ransom. Paying the criminals only encourages further attacks.

We understand that, particularly for larger enterprises, paying up seems like the best option to recover files and avoid the potential embarrassment of admitting a security breach or inadequate IT security measures. Yet, in many cases, even after paying large sums of money users still don’t receive their files.

We’re here to help. No strings attached.

Emsisoft are proud associate partners of No More Ransom, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two additional cyber security companies. Our shared goal is to help victims of ransomware retrieve their encrypted data without having to pay.

Emsisoft fight’s ransomware on the front-line daily, which means we are best positioned to offer you free, easy to follow advice with no strings attached. So let’s begin.

I’ve been infected with ransomware! What should I do?

Here is a word from our Chief Technology Officer and Head of the Emsisoft Malware Research Lab, Fabian Wosar:

“Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts, which are usually correct when dealing with malware infections, can make things worse when dealing with ransomware.”

So, take a breath and follow these steps:

1. Create an image or backup of the system

Some ransomware strains have hidden payloads that will delete and overwrite all encrypted files after a certain amount of time has passed. Decrypters may not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In these cases we have found that an encrypted backup is better than having no backup at all. So first of all, we urge you:

Create a backup now of all of your encrypted files before doing anything else. Read: detailed advice on how backups prevent ransomware.

2. Disable any system optimisation and cleanup software

A lot of ransomware strains store themselves, and other necessary files, in your Temporary Files folder. If you use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, you need to disable these tools immediately.

Important: Make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or other necessary ransomware files from your system. We will require these later to determine which type of ransomware you have been infected with.

3. Quarantine, but don’t delete!

Your anti-malware solution may have already quarantined the infected file. That’s ok! But, do not delete any files. To figure out what exactly the ransomware has done to your computer, we will require the ransomware to be executable.

Note: It is fine to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a complete backup.

To identify a strain of ransomware and offer a decrypter, we will need access to the malicious file. Additionally, it can be helpful to see a sample encrypted file (ideally nothing sensitive, such as a system icon or similar) to identify exactly which encryption method was used and if there are any identifiable features that match known strains of ransomware.

4. Server victims: identify the point of entry and close it

Recently, we have seen a lot of compromises of servers. Ransomware accesses the server by brute-force. User passwords are rapidly fired at the server via Remote Desktop Protocol (RDP).

We firmly suggest you check your event logs for a large number of login attempts fired in quick succession.

If you find such entries or if you find your event log to be completely empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest to disable RDP if at all possible or at least change the port.

Important: check all the user accounts on the server to make sure the attackers didn’t create any backdoor accounts that would allow them to access the system later.

5. Identify the type of ransomware

If your system is infected but you don’t know what type of ransomware you have been infected with, MalwareHunterTeam have your back. They host ID Ransomware, which is a free services that checks specific signatures of the code to determine which strain is responsible for your loss of data. Once you know which strain of ransomware you are dealing with, it is much easier to see if a suitable decrypter is available…

…Services like VirusTotal also allow you to scan malicious files for signatures. These services are incredibly useful and if you contact Emsisoft for support we will probably ask you for the results of either of these services. By providing them right away, you can speed up the process of getting back your files!

5.1 Decrypter available? Use it!

Once you know which type of ransomware you have been infected with, check decrypter.emsisoft.com for the decrypter you require. We work tirelessly to ensure the most up to date decrpyters are listed here. However, please be aware that there is no guarantee that the decrypter you require will be available. Ransomware gets better every day and more sophisticated all the time.

If you have the decrypter you require, follow the instructions provided on the download page to execute the program. Be sure to let us know that it worked! Tell us your story here.

5.2 No decrypter available? Help us!

In order to crack new strains of ransomware, our lab needs to be made aware of them as soon as possible.

Contact us on the forum and let us know that you have been infected. You can also reach us here by email. Please include the malicious file with email or the VT link of the file, the IDRansomware result URL and a file pair consisting of an encrypted file and the original version.

If you struggle with any of the steps we have outlined, please feel free to ask us for help. Our ransomware first aid service comes with no-strings-attached and is free for both customers and non-customers of Emsisoft.

As you can see, there are many practical steps you can take to block or limit the impact of ransomware on your data. So, don’t panic! Emsisoft will be by your side throughout the process. For free support any time contact us at https://support.emsisoft.com/.

Have a great (ransomware-free) day!

Again, thanks to our friends at Emsisoft for allowing us to post this article on our site. Don’t forget all our Emsisoft products and services are available at discount prices from our Emsisoft pages.

4 thoughts on “How to Remove Ransomware the Right Way: A Step-by-Step Guide

  1. PaulD

    The cases of Ransomware I experienced were quickly resolved by:
    Going to the Task Manager, selecting the browser being used and then click on the ‘End Task’ button. That’s it.

    Reply
    1. infoave Post author

      Paul, I think you’re confusing ransomware with scams. Ransomware is generally distributed by email attachment.

      Reply
  2. Robbie

    I read this article and it all sounds so greek to me!! I just don’t understand how to do 3/4 of what you said to do. Can Cloudeight remotely get on my computer & do some of this? I don’t think I’ve been compromised, but am afraid I could be someday. I have CCleaner, should I disable it for good?

    Reply
  3. Sue

    I received what I guess was a spoof ransom ware. It suddenly popped up on my screen and stated not to try and reboot my machine or all would be lost. I could not get rid of the screen. I finally did what it said not to do. I rebooted and it was gone. simple as that. I realize I was probably very lucky.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *