What is ransomware?
Ransomware is a type of malware that prevents access to your files. There are 2 main ways it does this - either by locking up your computer so you can't use it, or (more commonly) by encrypting the files so they effectively become junk. The criminals then demand a ransom fee to regain access.
And it's not just home PCs that are affected - many businesses have been hit as well as government departments & universities. Even some hospitals have suffered, destroying records and putting patient safety in danger.
Most ransomware spreads via infected email attachments, although some strains have piggybacked on another type of malware known as a "worm", which can spread rapidly from one computer to another. In 2016 the (now infamous) WannaCry ransomware spread around the world, followed a month later by NotPetya.
Does my computer have ransomware?
Ransomware can strike suddenly and without warning. Often the first you know about it is when you see a message stating that your computer or files have been encrypted and asking for money (normally using a currency called "bitcoins") to release them.
The messages are very stark and eye-catching, often using either logos of law enforcement agencies or graphics related to computer viruses. They might be similar to one of these:
How to deal with ransomware
- Immediately unplug any external hard drives
- Remove your computer from your network as soon as possible (remove any network cables and unplug your internet router)
This is because you want to stop the ransomware from encrypting any files on the hard drive, if it hasn't already done so.
Some strains of ransomware can also jump from one computer to another (such as between those sharing wifi) - the quickest way to prevent this is to simply unplug your internet router.
If it's been a while since you were infected then it's likely that the worst of the damage has already been done. In this case either disconnect it from the network or, at the very least, don't turn on any other PCs in your house until this one is clean.
Is it a screen locking ransomware?
The least serious form of ransomware is one that simply locks your computer & stops you from using it - if you can't interact with your computer or get past any warning screen then this is likely to be the type of ransomware you have.
If you can still interact with your PC and open & close windows then jump to the next step; it's not screen locking ransomware.
To recover from screen locking ransomware first take a photo of your screen as evidence, and then reboot your computer:
The Windows key
- Look for the Windows key on your keyboard and press that. If it brings up your normal computer menu then restart as you normally would.
- If no menu appears then hold down the power button on your computer for up to 30 seconds until it shuts down, then press again after a few seconds to restart.
- If you're still having trouble accessing your PC then see our advanced guide to dealing with viruses and perform a virus scan from a bootable USB stick or CD.
After you're back into your computer, clean it with a virus scan - skip down to the Cleaning up after a ransomware infection section.
Check that your files haven't just been hidden
Whilst most ransomware encrypts your files (in other words, it makes them unusable), there are some strains that simply hide your files. If this is the case then it's relatively easy to sort out.
In Windows 10 open any folder where your files are. On the bar along the top you'll see a tab for "View"; select this (see screenshot). Then look for an option called "Hidden items" and check that it has a tick mark next to it - if not then tick it.
Have your files reappeared, and do they open normally? If so then great! Now clean your computer with a virus scan - skip down to the Cleaning up after a ransomware infection section.
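If there are a lot of folders to check, the same test can be done from PowerShell. This is an added example, not a script from the original article: it lists every file under a folder that carries the Hidden attribute and, only if you pass -Unhide, clears that attribute so the files show up in Explorer again. The default path is an assumed placeholder; change it to the folder you want to check.

```powershell
# Added example (not from the original article). Lists files marked Hidden
# under a folder and, with -Unhide, clears the Hidden/System attributes.
param(
    [string]$Path = "$env:USERPROFILE\Documents",   # assumed placeholder
    [switch]$Unhide
)

$hiddenFlag = [System.IO.FileAttributes]::Hidden
$systemFlag = [System.IO.FileAttributes]::System

# -Force makes Get-ChildItem include hidden and system items it would
# otherwise skip; -File keeps folders out of the list.
$hidden = @(
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $hiddenFlag) -eq $hiddenFlag }
)

Write-Host ("Found {0} hidden file(s) under {1}" -f $hidden.Count, $Path)
# Note: a few files such as desktop.ini and Thumbs.db are hidden by Windows
# itself, so seeing those is normal; look for your own documents in the list.
$hidden | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Unhide) {
    # Clear only the Hidden and System bits; leave every other attribute as it was.
    $mask = -bnot ([int]$hiddenFlag -bor [int]$systemFlag)
    foreach ($f in $hidden) {
        $f.Attributes = [System.IO.FileAttributes]([int]$f.Attributes -band $mask)
    }
    Write-Host ("Cleared the hidden attribute on {0} file(s)." -f $hidden.Count)
}
```

Run it once without -Unhide to see what it found, and only then with -Unhide if the list contains your own files.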
Ransomware that encrypts all your files...
The worst (and most common) form of ransomware encrypts your files, scrambling their contents to make them unusable. In these cases sadly there's often little that can be done.
You can check if your PC has been affected by this type of ransomware by trying to open your files. If they can't be found (sometimes they're renamed with a different file extension such as ".xxxx" or ".locky") or appear to be corrupt, then it's unfortunately not good news.
At this point your best hope is the No More Ransom! project, a collaboration between a few companies and European police forces. This project collects (and makes available) tools that can sometimes be used to recover your files. This is possible because of mistakes that some ransomware developers make in their code. Take a look at their website and see if it can help you.
Should I just pay the ransom fee?
If there's nothing on the No More Ransom! website that can help, you might be tempted to simply pay up. But beware - even if you do pay, there is no guarantee that the criminals behind it will provide a decryption key. Many times they just take your money and disappear.
The general advice is to not pay the ransom (doing so just encourages the criminals to keep spreading ransomware to more people), although of course if you're desperate for the files back and it's not too much money then it's understandable to try.
What are my other options?
If you don't pay (or if you do and the criminals don't restore your files as promised) then it's always worth keeping the damaged files somewhere. Keep checking the No More Ransom! website every few months and see if someone manages to develop a tool for recovering your files at some point in the future.
Beyond this, there is regrettably very little you can do and your files are sadly likely to be gone for good. If you have got backups of your files then you'll want to restore them, but only after thoroughly cleaning your computer (see the step below).
Never continue using your computer, or attach any backup disk drives to it, until you're certain you've removed all traces of the ransomware.
Cleaning up after a ransomware infection
After you've been infected, and whether you've managed to recover your files or not, you'll need to remove the ransomware from your PC. Don't ever connect a hard drive to your computer to restore backup files until you've cleaned your computer!
Ransomware is good at hiding, and so sometimes the only way to be absolutely certain of removing it is to completely reinstall Windows (remember to back up any remaining files first - use a new USB stick for this, and virus scan it before copying the files back to your cleaned computer). If you have a technical friend they may be able to do this for you, otherwise take your computer to your local computer shop.
A less thorough, but quicker & easier, step would be to scan your computer with your antivirus program - follow the steps on our removing a virus page. It's worth repeating this again after a week in case the antivirus companies have learnt to recognise viruses that they'd initially missed.
After you've suffered a ransomware infection you'll be keener than ever to prevent another one. We've got lots of tips all around this website on how to do this, but it's worth a quick reminder of the key points:
Take regular backups
- The whole point of ransomware is to destroy your files - if you have a backup copy then, even in the worst case, the most you'll suffer is a bit of inconvenience whilst you restore them.
Keep your computer software up to date
- Ransomware works by exploiting weaknesses in your PC's software. By keeping this up to date & installing security fixes as they're released, you'll make it much harder for ransomware to install itself.
Install a good antivirus program
- A good antivirus program may catch some types of ransomware before they can execute.
Don't open unknown attachments in emails!
- By far the most common way that ransomware spreads is through infected attachments in emails. Don't open any attachment or follow any link in emails that you're not expecting, wherever they claim to be from.