Cybercriminals often encrypt individual files or entire computers and demand a ransom. Fortunately, you can eliminate ransomware using specialised software and then create backups to safeguard your data.

What does removing ransomware mean?

Ransomware poses not only a significant nuisance but also a threat to your device and data. When an attack happens, malware infects your system, encrypting individual files or even the entire operating system, thus denying you access to it. Cybercriminals typically demand payment to unblock the affected areas for you. These infections are often initiated through methods like emails, special downloads or problematic websites. Fortunately, there are many recommended methods you can use to protect yourself from ransomware. However, in the event of an infection, it’s crucial to know how to remove the ransomware.

How to detect ransomware

Before you can remove ransomware such as WannaCry, you need to know how to detect it. In the worst-case scenario, ransomware only becomes evident when it locks your system’s vital areas and leaves a ransom note. However, early detection and preventative action are preferable. The following signs can serve as indicators of a potential attack:

  • Suspicious scan: While a reliable antivirus scanner can detect and remove most common ransomware, there’s still a possibility of infection if the scanner is bypassed.
  • System load: If you notice that your system is under unusually intensive load, individual programs suddenly run significantly slower or there are more crashes, this may be an indication of ransomware.
  • Changed file names: If files suddenly have new names or the file extensions have been changed without your intervention, this can also indicate an infection.
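The "changed file names" sign can be checked automatically. The following Python sketch is an added example, not part of the original guide: it compares a file list saved while the system was clean with the current state and flags files that kept their name but gained or swapped an extension and now contain random-looking data. The function names, the 7.5 bits-per-byte threshold and the `.locked` extension are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path, PurePosixPath

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted content sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(root: Path) -> set:
    """Relative paths of every file under root. Save this while the system is clean."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def strip_ext(rel: str) -> str:
    """Path without its last extension, e.g. 'docs/a.txt' -> 'docs/a'."""
    return PurePosixPath(rel).with_suffix("").as_posix()

def find_renamed(root: Path, baseline: set, threshold: float = 7.5) -> list:
    """Pair each vanished baseline file with a new file that kept its name but
    gained or swapped an extension, and mark pairs whose content looks encrypted."""
    current = snapshot(root)
    added = sorted(current - baseline)
    findings = []
    for old in sorted(baseline - current):
        for new in added:
            appended = new.startswith(old + ".")           # report.docx -> report.docx.locked
            swapped = strip_ext(new) == strip_ext(old)     # photo.txt -> photo.md
            if appended or swapped:
                with open(root / new, "rb") as fh:
                    e = entropy(fh.read(65536))            # the first 64 KiB is enough
                # Compressed formats are high-entropy too, so the rename is required as well.
                findings.append((old, new, round(e, 2), e >= threshold))
    return findings

def demo() -> list:
    """Constructed sample: one harmless rename and one simulated encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"quarterly figures\n" * 500)
        (root / "photo.txt").write_bytes(b"holiday notes\n" * 500)
        baseline = snapshot(root)
        (root / "photo.txt").rename(root / "photo.md")     # benign: text stays readable
        (root / "report.docx").unlink()
        (root / "report.docx.locked").write_bytes(os.urandom(65536))  # made-up extension
        return find_renamed(root, baseline)

if __name__ == "__main__":
    for old, new, e, suspicious in demo():
        print(f"{old} -> {new}  entropy={e}  suspicious={suspicious}")
```

Many files flagged with the same new extension within a short time is a much stronger signal than a single hit.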

Should you respond to the demands?

In the event of such an attack, you may consider paying the demanded ransom; however, this solution is strongly discouraged. Firstly, it can be costly, and secondly, there’s no guarantee that paying will result in the extortionists decrypting your data. In fact, they may make additional demands or cut off contact altogether, leaving your data encrypted. Therefore, it’s always advisable to focus on removing ransomware.

Removing ransomware when individual files are affected

If individual files are infected, these are the steps you should take to remove the ransomware and recover the files:

  1. Disconnect from the internet: In order to avoid the malware spreading further in your network and to make it harder for the extortionists to gain access, first disable all connections to the internet. This includes not only any LAN connection, but all wireless connections, clouds, external hard drives or other devices.
  2. Reboot: Now turn off your computer and then boot it up again. While it’s unfortunately unlikely that this step is enough to remove the ransomware, you should at least try a reboot.
  3. System scan: Now launch your antivirus software and run a complete scan of your system. At this stage, a potential infection can be detected, and the program can proceed to delete the affected files or at least quarantine them, preventing further damage. Other Trojans are also removed in this way.
  4. Decryption software: When files are already infected and standard antivirus tools prove ineffective, you have the option to utilise specialised decryption software to remove the ransomware. These tools are designed to combat new threats and boast a high success rate in undoing the encryptions.
  5. Use backup: If you have created a backup of your data, you can now restore from it. However, if you haven’t utilised a backup method, you might need to recreate some of the infected files. In either case, after resolving the issue, it’s crucial to perform another scan to ensure that all problematic files have indeed been removed.

Removing ransomware when the entire system is locked

Unfortunately, there is also ransomware that doesn’t just target individual files but encrypts the entire system. In many cases, you’ll receive the ransom note directly on the startup screen, rendering you unable to access other programs, including antivirus software. One approach to still remove the ransomware is to utilise safe mode. When you start your computer in safe mode, the malware often can’t interfere yet, allowing you to delete it from the system using the methods mentioned earlier.

Tip

Learn how to start Windows 11 in safe mode or start Windows 10 in safe mode in our Digital Guide.

How to protect yourself from ransomware

Ransomware is continually evolving, making complete protection against an infection elusive. Nevertheless, you can reduce the threat as much as possible if you:

  • always keep your system up to date,
  • do not open unknown files,
  • create regular backups, and
  • have a strong security system.

With such precautions, it’ll be easier to remove ransomware and not lose any files in the process.
