What to do after a Ransomware attack on your Windows computer?

What is a ransomware attack? How do you get ransomware, and how does it work? What should you do after a ransomware attack? This post discusses these questions and suggests ways to deal with and recover from ransomware attacks on Windows computers. It also gives links where you can report ransomware to the FBI, the police or other appropriate authorities.

Ransomware is on the rise, and as a computer user you have surely heard of the term by now. It is a very popular form of malware, used by malicious code writers to infect a user's computer and then make money by demanding a ransom from the user. Whether it is Petya or Locky, every other day we read about the latest emerging ransomware. This class of malware seems to be the favorite now because it is very profitable, with the amount earned through it running into millions of dollars. Lock down users' files and data, then demand money to unlock them: that is the modus operandi in a line!

What to do after a Ransomware attack

If your computer has been infected by the ‘usual Virus’, then this Malware Removal Guide will help you. But if you need to recover from a Ransomware attack, then read on.

What is Ransomware

Ransomware is a type of malware that is delivered to your computer through infected email attachments, drive-by downloads, socially engineered malware, malvertising or, unknowingly, via hacked websites. Once on your system, ransomware gets to work and starts encrypting and locking down your files.

It then makes a demand, usually via a pop-up on your computer screen, asking you to pay a ransom in currency or in Bitcoin in exchange for a key that will unlock your now inaccessible files, folders and data.

If you do not pay the Ransomware cyber-criminals within the stipulated time, they will threaten to post your data publicly or increase the ransom payment amount. They may even threaten to erase all data and render your business computers inoperable or render the machine unbootable by overwriting the Master Boot Record.

How do you get Ransomware and how does it work

Signature-based anti-malware software may or may not be of much help. You need to fortify your defenses with one of these anti-ransomware tools and/or intrusion detection and prevention software, which are behavior-based. There are also some basic steps you can take to prevent ransomware or recover from it faster, such as keeping your operating system updated, using good security software and regularly backing up your data offline. But in spite of all this, you can still end up as the victim of some ransomware.

How does this happen?

Well, you receive an email attachment from an unknown source and you click on it to open it. It is not as innocent as you thought. It could be a malicious file that is triggered by your click and goes on to lock down your files, or it could download more malicious code, which in turn encrypts your files and makes them inaccessible or unusable.

Or you could visit a hacked website, which even its owner may not be aware of. You may or may not click on anything; simply visiting it may trigger a malicious Trojan download, which downloads and delivers a payload that goes on to infect your system.

Then again, online advertising networks can get compromised without the network owner knowing about it. You visit a clean, legitimate website that serves this seemingly innocent ad, you click on it, and BAM: an action is initiated that downloads malicious code to your Windows PC.

Using cracked software, software key generators or P2P networks can also infect your computer. Even plugging in a ransomware-infected USB drive can infect your computer.

How do I know if I am infected with Ransomware

You know that you are a victim of ransomware when you find that your files, images and data have been encrypted and you are unable to open them. In addition, you may frequently see a pop-up screen asking you to pay a ransom or face deletion of your files.

This is where having backups can help! If you have backed up your files, you could simply ignore the warnings, format and clean install your Windows OS and restore your backed up files.

Other tell-tale signs are that your security software has been disabled or rendered ineffective, that System Restore or Startup Repair has been disabled, or that critical Windows services such as Windows Update, Background Intelligent Transfer Service, WinDefend or Windows Shadow Copies have been disabled.

What to do after Ransomware attack

In case you find that your computer has been locked by ransomware, you should take the following steps:

1] If your computer is part of a network, remove the infected system from the network.

2] If you wish, create a copy of your disk or of the impacted files for analysis later on; it may be needed if a decryptor for your files becomes available.

3] If you have a healthy System Restore point, try rolling back to it and see if that works for you.

4] If you have recent backups of your data, even better. Format, clean reinstall Windows and restore your backed-up data to make a fresh start.

5] See if you can use the Volume Shadow Copy Service to recover older versions of the files. The freeware ShadowExplorer may make this easier.

6] Boot into Safe Mode and run a deep scan with your antivirus software, and hope that it is able to disinfect your computer. Chances are it won't, but there is no harm in trying.

7] Next, identify the Ransomware which has infected your computer. For this, you may use a free online service called ID Ransomware.

8] If you are able to identify the ransomware, check whether a decryption tool is available for that family. Then take the help of one of these ransomware decryptor tools that are presently available.

9] If the ransomware has totally blocked access to your computer, or restricted access to select important functions, use Kaspersky WindowsUnlocker; it can clean up a ransomware-infected Registry and give you access back.

10] You may also want to take the help of CryptoSearch, a free tool that identifies ransomware-encrypted files and then moves them to a new location for safekeeping.

11] While it is easy to recommend not paying the cyber-criminals, if your data is critical and you have no other way to get access to it back, paying the ransom is the only option you have. Many have done this, unfortunately, although they do not like to acknowledge it publicly. But this is the hard fact of life, so you or your organization will have to take a call on this. In any case, you may also want to alert the cyber law enforcement authorities in your country.

12] Finally, remember to report your ransomware case to your local cyber crime cell, police authorities or the FBI. This link will tell you where you can report ransomware.
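As an added example (not part of the original post or any tool it names), the following PowerShell script does read-only triage on a suspect machine: it checks the services the post lists as tell-tale signs, then lists the System Restore points (step 3) and shadow copies (step 5) you could recover from, and an opt-in switch carries out step 1. The short service names wuauserv, BITS, WinDefend and VSS are assumed to correspond to the display names the post gives.

```powershell
# Added example, not part of the original post. Read-only ransomware triage for
# Windows: checks the services the post names as tell-tale signs, then lists
# System Restore points (step 3) and shadow copies (step 5). Run from an
# elevated PowerShell 5.1+ prompt. -Isolate disables every active network
# adapter (step 1); it is opt-in because it also cuts any remote session.
param([switch]$Isolate)

if ($Isolate) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    Write-Host 'Network adapters disabled; machine is isolated.'
}

# Short service names are assumptions matching the display names in the post.
$watched = @{
    'wuauserv'  = 'Windows Update'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender Antivirus'
    'VSS'       = 'Volume Shadow Copy'
}

Write-Host "`n== Services the post lists as tell-tale signs when disabled =="
foreach ($name in $watched.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name ($($watched[$name])) not found"; continue }
    # A Disabled start type is a red flag; WinDefend should also be running.
    $suspect = $svc.StartType -eq 'Disabled' -or
               ($name -eq 'WinDefend' -and $svc.Status -ne 'Running')
    $flag = if ($suspect) { 'SUSPECT' } else { 'ok' }
    '{0,-8} {1,-10} {2,-10} {3}' -f $flag, $svc.Status, $svc.StartType, $watched[$name]
}

Write-Host "`n== System Restore points (step 3) =="
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if (-not $points) { Write-Warning 'No restore points found, or System Restore is disabled.' }
else { $points | ForEach-Object { '#{0}  {1}' -f $_.SequenceNumber, $_.Description } }

Write-Host "`n== Shadow copies available to ShadowExplorer (step 5) =="
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) { Write-Warning 'No shadow copies found; older file versions cannot be recovered this way.' }
else {
    $shadows | Sort-Object InstallDate | ForEach-Object {
        '{0:u}  {1}  {2}' -f $_.InstallDate, $_.VolumeName, $_.DeviceObject
    }
}
```

Save it as a .ps1 and run it before any cleanup, so the service and shadow-copy state is recorded while the evidence is still there.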

Once you have decrypted the files and removed the ransomware, you may use RansomNoteCleaner to remove the ransom notes and other residual junk left behind.

All the best.

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.

12 Comments

  1. mohamed hassan

    Very Informative, really this is what we need to know

  2. Alberto Gorin

    i would format the windows as Anand wrote to me i could

  3. Kedar Nath

    Hello sir… I am in a serious problem, sir. I need your help badly, sir. My system has been attacked by Zepto ransomware and they are demanding 2.5 BTC. I am not in a condition to pay that much of an amount. I am from India, sir. I am a student. All my files have been changed to the .zepto extension. Now my exam is ahead, only 6 days left, and all my files and documents are in my system. I am lost and at the crossroads. I don't know what to do, sir. I just want to ask you whether it is possible to recover the data in its original state after formatting. I mean, if I format my system and recover the data through recovery software, will it be OK, sir? If so, then please tell me, sir. Just give me 1 minute of your valuable time and mail me "Yes, you can recover data" to my mail drkedarsoc@gmail.com. Otherwise all my hard work for getting a job will be in vain, sir. The last-minute reference is very important for me and my life. Thank you in advance, sir.

  4. Sorry to hear about your problems. Currently it's not possible to decrypt files encrypted by Zepto ransomware (a Locky variant). But it may be possible to recover previous versions of the files using ShadowExplorer, System Restore or some good data recovery software. But there are no guarantees, so you will have to take a chance.

  5. Channel 4 love

    I am really happy after reading this article. Well, I need a little help from you guys. My laptop was affected by this ransomware and I successfully removed it. But my files (pics, documents, videos etc.) are all not opening. Even after changing the Windows everything is the same. Kindly recommend me any tool or software to open that data again. Thanks.
    Kindly send me an email or reply to me:
    fahadrasool32@gmail.com

  6. christy latham

    Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files.

  7. lechainis

    what to do ?… well … uninstall windows then install linux … 😀

  8. Fabian Plutten

    Not what to do AFTER a ransomware attack but how to PREVENT it. People need to start thinking ahead of this thing because there is a lot to do after your computer gets infected. For me the best thing is Impedio Security; even after a ransomware attack it does an excellent job of getting rid of it from your computer and getting all of your files back. But it's maximum protection: there's a smaller chance of this attack with security software than with some antivirus or just with being careful. Sometimes you are very careful and yet somehow ransomware finds its way in and everything you've got on your PC is gone :/

  9. Very informative post and, most important, all the points mentioned above are very useful, actionable advice!

  10. ashwin

    Hi sir,
    Recently I got attacked by Hermes ransomware. As suggested, I have factory reset my PC, but I am afraid that my data will be leaked or used wrongly. I do have a backup, so that's not a big issue, but my family members are afraid of data leakage; it had some minor data like a national ID card. Please help me regarding this, sir.

  11. ashwin

    Hi sir,
    Recently I got attacked by Hermes ransomware. As suggested in your article, I have formatted / factory reset my PC since it's a new one, but I am afraid because it had a few files, my scanned photo and a scanned copy of an important ID card 🙁 Will it create any issue later on, sir? Kindly reply to me as early as possible, sir.
