Ransomware is a type of malware that takes control of your computer and demands money (usually in bitcoins). There are two types of ransomware, one is encryption ransomware like WannaCry, the other is lockscreen ransomware that locks up your full-screen to prevent you using your computer and files.
Paying the ransom is the last choice because you can remove ransomware virus and recover locked or encrypted files through the appropriate process.
Recently, the ransomware WannaCry (also called WannaCrypt, WanaCrypt0r and Wana DeCrypt0r) has infected more than 200,000 computers around the world. Its variations may be more threatening. Everyone should take actions against ransomware virus now. If your computer is infected, do not panic. You can follow this ransomware removal guide to remove it in Windows 7/XP/Vista.
How to remove encryption ransomware like WannaCrypt?
If you see the alert “Oops, your files have been encrypted” and ask you to pay 300 dollar worth bitcoins to decrypt the files, then your computer is infected with WannaCry virus. You should immediately disconnect from the internet in case the virus spread to another computer within your network. If you have created backups of your files and system, you can directly restore to an earlier state where there is no virus.
Restore system and files from the previous backup
1. At PC startup, press F8 repeatedly to enter Advanced Boot Menu.
2. Select Repair Your Computer and press Enter.
3. You may need to log on with your Windows account, and then click System Restore.
If you have Windows installation disc or system repair disc, you can also boot your computer from it to use recovery options.
If you have no backups, you should create a backup now and then try to remove the virus in case that variations of WannaCry delete all your encrypted files. The decryption tool is probably in the way. Once it is out, you can have you files back.
Backup your files in PE mode
To backup files without the virus running, you should perform the backup under PE mode. The backup image has to have a special format which is not in the ransomware target list. Therefore, we recommend you AOMEI Backupper Free for ransomware WannaCry.
Backup files with AOMEI Backupper Free
1. Download this free backup software and run it. Connect a USB flash drive or CD/DVD.
2. Click Create Bootable Media and then create a bootable disk as instructed.
3. Restart your computer. When you see the computer logo, press a specific key repeatedly to bring out Boot Menu and set it to boot from the boot media.
4. When it fully loads AOMEI Backupper, click Backup and then select “File Backup” to backup your files. You can also select Partition Backup to backup one or more partitions.
5. Click Add File or Add Folder to include the items you want to backup.
6. Click Step 2 to specify the target location to receive the backup image.
7. Click Start Backup to start this backup.
Remove virus manually
If you are familiar with Windows settings and configurations, you can manually delete the virus. You can check Task Manager, Windows Startup configuration, and Registry if there is any suspicious process or strings. If you find one, disable it and delete the files.
Then type %AppData%, %LocalAppData%, %ProgramData%, %WinDir% individually in the Windows Start search box, it will open a folder in File Explorer and then delete the recently created files. Then type “%Temp%”, and then delete everything from that folder.
You can also use security tool Microsoft Safety Scanner to perform a full scan and help you remove the ransomware virus. However, it does not provide real-time virus protection. If your computer is running Windows 7, you can download Microsoft Security Essentials to guard your PC against viruses and malware. In Windows 10/8/8.1, built-in safety tool Windows Defender can help you do that.
How to remove lockscreen ransomware like Petya
Lockscreen ransomware blocks you from accessing Windows and any files in it. If Ransomware Petya infects your computer, about an hour it will reboot your computer and start to encrypt files. During the reboot, you should shut down your PC to prevent files being encrypted. If you miss that chance to shut down your computer, then you can run anti-virus software in Safe Mode.
1. Use a working computer to download a security software like Microsoft Safety Scanner on a USB flash drive or CD.
2. Connect it to your computer that is infected.
3. At computer startup, press F8 to enter Advanced Boot Menu. Then select Windows Safe Mode.
4. In safe mode, open the security tool to scan your PC and then remove the virus.
Once again, if you have created backups beforehand, you can restore your PC to earlier date to remove the virus and get control of your PC.
How to Prevent ransomware
Ransomware should not be able to touch your PC if it is running a fully updated copy of Windows, including WannaCry, the largest cyber attack in history. Therefore, you should download and install the WannaCry patch MS17-010.
If you do not or cannot update Windows, you can disable 445 port and turn off SMB feature.
Always enable the firewall and update anti-virus software.
Backup your computer on a regular basis.
After you remove ransomware virus fully, you should create a backup of your system and files. Although backup may seem an old routine, it is the most effective defense against ransomware or any other unexpected issues.