How to remove ransomware: Use this battle plan to fight back

cyberattack laptop arrows war fight

Ransomware doesn’t sneak into your PC like ordinary malware. It bursts in, points a gun at your data, and screams for cash—or else. And if you don’t learn to defend yourself, it could happen again and again.

Armed gangs of digital thieves roaming the information superhighway sounds like an overwrought action movie, but the numbers say it’s true: Ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016, an increase of 167 times year over year, according to Sonicwall—even as the number of malware attacks declined. Why steal data when you can simply demand cash?

For the first time ever, the RSA security conference in San Francisco held a comprehensive one-day seminar on ransomware, detailing who’s being attacked, how much they’re taking—and, more importantly, how to block, remove and even negotiate with the crooks holding your data hostage. We came away with a trove of information that you can use to formulate an anti-ransomware strategy.

[ Roger Grimes’ free and almost foolproof way to check for malware. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]

tech dangers for novices malwarebytes Eric Geier

Anti-ransomware solutions like Malwarebytes are a reliable go-to for extra protection from unsavory software, but they’re not foolproof.

Ransomware hits you where it hurts—so prepare

Three years ago, my wife’s computer was invaded by ransomware, imperiling baby photos, tax documents, and other personal data. My heart sank: Would we have to pay out hundreds of dollars to avoid losing our entire digital lives? Thank goodness, no—because we had already taken most of the steps that the experts recommend.

The first step: Understand your enemy. According to Raj Samani, the chief technology officer of Intel Security’s EMEA business, there are over 400 families of ransomware in the wild—even some for MacOS and Linux. A survey by Datto found that CryptoLocker, which hunts down and imprisons your personal documents via time-locked encryption,  was by far the most prevalent. But they vary. One took over a victim’s webcam and caught embarrassing footage, threatening to post it online, according to Jeremiah Grossman, chief of security strategy at SentinelOne.

A few common-sense habits can help mitigate your exposure to malware and ransomware, experts say: 

For dedicated antimalware protection, consider Malwarebytes 3.0, which is advertised as being capable of fighting ransomware. RansomFree has also developed what it calls anti-ransomware protection. Typically, however, antimalware programs reserve anti-ransomware for their paid commercial suites. You can download free anti-ransomware protection like Bitdefender’s Anti-Ransomware Tool, but you’re protected from only four common variants of ransomware.

A good, but not perfect, defense: Backup

Ransomware encrypts and locks up the files that are most precious to you—so there’s no reason to leave them vulnerable. Backing them up is a good strategy.

Take advantage of the free storage provided by Box, OneDrive, Google Drive, and others, and back up your data frequently. (But beware—your cloud service may back up infected files if you don’t act quickly enough.) Better yet, invest in an external hard drive—a Seagate 1TB external hard drive is only $55 or so—to add some less-frequently accessed “cold storage.” Perform an incremental backup every so often, then detach the drive to isolate that copy of your data. ( has some additional backup advice to help defeat ransomware, as does our earlier story.)

sync google drive offline Ian Paul/PCWorld

You’ll feel a lot better if you have your data backed up online and off.

If you are infected, ransomware may allow you to see exactly which files it’s holding hostage via File Explorer. One clue may be ordinary .DOC or .DOCX files with strange extensions attached. Ondrej Vlcek, the chief technical officer of Avast, offered an unintuitive piece of advice: If the ransomware isn’t time-locked, and you don’t need the files right away, consider leaving them alone. (Work on another PC, though.) It’s possible that your antivirus solution may be able to unlock them later as it develops countermeasures.

Backup isn’t foolproof, however.  For one thing, you may need to research how to back up saved games and other files that don’t fit neatly into “Documents” or “Photos.” Ditto for utilities and other custom apps.

What to do if you’re infected by ransomware

How do you know you have ransomware? Trust us, you’ll know. Ransomware like the busted Citadel ring “warned” that your PC was associated with child pornography, and the imagery associated with most ransomware is designed to invoke stress and fear.

Don’t panic. Your first move should be to contact the authorities, including the police and the FBI’s Internet Crime Complaint Center. Then ascertain the scope of the problem, by going through your directories and determining which of your user files is infected. (If you do find your documents now have odd extension names, try changing them back—some ransomware uses “fake” encryption, merely changing the file names without actually encrypting them.)

The next step? Identification and removal. If you have a paid antimalware solution, scan your hard drive and try contacting your vendor’s tech support and help forums. Another excellent resource is’s Crypto-Sheriff, a collection of resources and ransomware uninstallers from Intel, Interpol, and Kaspersky Lab that can help you identify and begin eradicating the ransomware from your system with free removal tools.

crypto sheriff

The front page of’s Crypto-Sheriff site includes an easy tool to discover what kind of ransomware may be affecting your PC.

If all else fails

Unfortunately, experts say that the key question—should we pay up, or risk losing everything?—is often answered by pulling out one’s wallet. If you can’t remove the ransomware, you’ll be forced to consider how much your data is worth, and how quickly you need it. Datto’s 2016 survey showed that 42 percent of those small businesses hit by ransomware paid up. 

tescrypt Microsoft

From Dec. 2015 until May 2016, Tescrypt was the most common ransomware variant detected by Microsoft. 

Keep in mind that there’s a person on the other end of that piece of malware that’s ruining your life. If there’s a way to message the ransomware authors, experts recommend that you try it. Don’t expect to be able to persuade them to unencrypt your files for free. But as crooked as they are, ransomware writers are businessmen, and you can always try asking for more time or negotiating a lower ransom. If nothing else, Grossman said there’s no harm in asking for a so-called “proof of life”—what guarantee can the criminal offer that you’ll actually get your data back? (Of the companies that Datto surveyed, about a quarter didn’t get their data back.)

Remember, though, that the point of the prevention, duplication, and backup steps are to give you options. If you have pristine copies of your data saved elsewhere, all you may need to do is reset your PC, reinstall your apps, and restore your data from the backup.

Don’t let this happen to you

In my situation, my wife and I discovered that we had already backed up everything important to both a cloud service and an external drive. All we lost was a few hours of our evening, including resetting her PC. 

Ransomware can infect your PC in any number of ways: a new app, a Flash-based gaming site, an accidental click on a bad ad. In our case, it was a sharp reminder not to go clicking willy-nilly because a “friend” had recommended some bargain shopping site. We’re teaching those same lessons to our kids, too.

Ransomware is an unsettling reminder that people mean you harm, and that misfortune may strike at any time. If you treat your PC as part of your home, however—cleaning, maintaining, and securing it from outside threats—you’ll rest easier knowing you’ve prepared for the worst.

This story, “How to remove ransomware: Use this battle plan to fight back” was originally published by