Ransomware is big business, and it’s not going away – in 2021, ransomware attacks increased worldwide by 105 percent. In North America alone, they increased by 104 percent. And since many ransomware programs infect computers autonomously, you may not be safe no matter how careful you are.
When you get a scary message on your device screen letting you know that your important files are encrypted, don’t panic. Experts recommend that you not pay the ransom, because there’s no guarantee that criminals will release your data – and by paying the ransom, you’re just encouraging cybercriminals to perform more ransomware attacks. Instead, you need to find out what kind of ransomware you’re dealing with, and then take steps to clean your computer and restore your data. Here’s what to do.
The very first thing you should do when you realize your machine has been infected with ransomware is to disconnect that machine from the network and from any other devices it might be connected to, including external hard drives. This way, the ransomware can’t spread to your other devices.
If you can, take a screenshot of the ransom note on your screen, or take a photo of it with your smartphone. You’ll need a copy of the message when you ultimately file a police report.
There are two basic kinds of ransomware: screen locking and ransomware and encrypting ransomware. Screen locking ransomware just tries to fool you into thinking your data has been encrypted with a scary message, while encrypting ransomware actually does encrypt your files. There is also a third type of malware, known as scareware, which masquerades as ransomware but neither locks your screen nor encrypts your files.
You need to know which one of these three types of malware you’re dealing with in order to effectively combat it. When you get a ransomware message on your screen, try to see if you can still access your desktop, apps, directories, photos, files, and email. If you can still get into everything, you’re likely dealing with scareware, which can be removed by any antivirus program. If you can’t get past the screen lock message, you have a screen locking ransomware, which is pretty easy to bypass.
The third and worst eventuality is when you’re infected with encrypting ransomware. You will have to either pay the ransom to get your files decrypted, or attempt to decrypt or recover them yourself.
Usually, the ransom is going to be a few hundred dollars and you’ll be asked to pay in Bitcoin. While there’s no guarantee that you’ll get your files back if you pay the ransom, the majority of criminals do seem to release the data when they get their money. If you decide to pay to restore access to your files immediately, at least try to negotiate for a lower ransom. Typically, you need a mathematical key to get your files back from encrypting ransomware.
If you’re not paying the ransom, you need to clean your system with an antivirus or antimalware program right away (if you are paying the ransom, wait until you get your data back). Reboot your system in Safe Mode and run an antivirus software. This should be enough to remove any scareware or screen locking ransomware from your machine, but if you have your files backed up, it’s safest to do a full system restore. If you’ve been infected with encrypting ransomware, you will not be able to get your files decrypted after you do this step – at least not by paying the ransom.
Once you have run an antivirus scan for ransomware removal and cleaned the malware off your system, you can try to recover your files. Some ransomware works by copying your files, encrypting the copies, and deleting the originals. You may be able to use a file recovery tool like Shadow Explorer to recover your deleted original files.
Otherwise, you may be able to find a decryption tool designed for the specific type of ransomware you have. Use a tool like ID Ransomware or Crypto Sheriff to identify the type of ransomware on your system. Then go to No More Ransom to find the right decryption tool. If you have a backup of your files that has escaped the ransomware attack, it may be easiest to just restore your data from the backup.
If you can’t get your files back, you may want to take your computer to a computer repair technician for help. The Geek Squad at Bestbuy are trained in removing ransomware and decrypting files, but you can take your machine to any independent computer repairman. You can also just decide to give up on your data, wipe your drive, and reinstall your operating system.
You don’t necessarily have to file a police report concerning your ransomware attack, but you’ll need that paperwork if you have to file an insurance claim for your lost data.
A ransomware infection can be scary, but it doesn’t have to mean the loss of your data or the lightening of your wallet. With the right tools you can remove ransomware from your system and restore your data, without paying a cent to hackers.