
How to clean ransomware from my computer

Last Updated: 3/6/18

There are generally a few types of viruses that get called ransomware: real ransomware, scareware, and boot changers.

Scareware
Scareware normally can't access your PC, but pretends that you are already infected. It offers a cure for a sickness you don't have; the "cure" is actually the virus, and once you run it you really are infected. Don't fall for the trick and you won't get infected. Just close your browser or reboot your computer. If everything seems normal, then you are probably fine. Update your antivirus and do a full scan just to be safe.

Boot Changers
Boot changers normally replace the normal bootup process with a message telling you to pay someone, or they simply block normal bootup with a password prompt. The first is normally a change to your MBR, and the latter is normally encryption of your registry (i.e. syskey), but not of your files. Both can be reversed by rebuilding or restoring the MBR, or by restoring a registry backup (i.e. c:\Windows\System32\config\regback). The main point is that your actual files (documents, pictures, etc...) are not encrypted. Do not pay the ransom. Worst case, you remove your hard drive and copy all your files off to another computer, then erase your drive, reinstall Windows, and copy your files back. You are out a day of labor, but you did not lose your files.

https://pureinfotech.com/restore-registry-backup-windows-10/
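
A check-then-restore of the RegBack hives from the recovery environment, added here as an example (it is not part of the original article). It assumes the locked Windows volume is mounted as D: inside WinRE (it is often not C: there) and that powershell.exe can be started from the recovery command prompt.

```powershell
# Added example (not from the original article): restore the offline registry hives
# from RegBack while booted into the Windows Recovery Environment.
# Assumptions: the locked Windows volume is mounted as D: in WinRE (check with
# diskpart -> "list volume"), and powershell.exe is available from the recovery prompt.
param([string]$WinDrive = "D:")

$config  = Join-Path $WinDrive "Windows\System32\config"
$regBack = Join-Path $config "RegBack"
$hives   = @("SYSTEM", "SOFTWARE", "SAM", "SECURITY", "DEFAULT")

# Caveat: since Windows 10 version 1803 the automatic RegBack copy is disabled by
# default, so the files exist but are 0 bytes. Copying those in would leave the
# install unbootable, so refuse to continue if any hive is missing or empty.
foreach ($h in $hives) {
    $src = Join-Path $regBack $h
    if (-not (Test-Path $src) -or (Get-Item $src).Length -eq 0) {
        throw "RegBack hive '$h' is missing or empty; do not restore from it. Use a System Restore point or a full backup instead."
    }
}

# Keep the current (locked) hives so this step can be undone.
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$keep  = Join-Path $config "pre-restore-$stamp"
New-Item -ItemType Directory -Path $keep | Out-Null
foreach ($h in $hives) {
    Copy-Item (Join-Path $config $h) (Join-Path $keep $h)
}

# Replace the live hives with the RegBack copies and print sizes for a visual check.
foreach ($h in $hives) {
    Copy-Item (Join-Path $regBack $h) (Join-Path $config $h) -Force
    "{0,-9} {1,12:N0} bytes" -f $h, (Get-Item (Join-Path $config $h)).Length
}
"Current hives saved to $keep. Reboot and test; copy them back if Windows does not start."
```

If the script stops because RegBack is empty, the registry has to come from a System Restore point or a full backup instead; the locked hives are left untouched.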

Windows includes tools to replace an infected MBR with a copy of the original, clean MBR. To do so:

  1. Boot into the Recovery Console (this requires pressing a key during startup or booting from a Windows install disk).
    • On Windows XP, run: fixmbr
    • On Windows 7, 8, or 10, run: bootrec

Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.

https://www.lifewire.com/how-to-rebuild-the-bcd-in-windows-2624508

Real Ransomware
Unfortunately, real ransomware cannot simply be removed or reversed. You normally have to restore your files from backup. In some rare cases there may be a decryption tool that you can download to decrypt your files. Check this site to identify which ransomware variant you have and to see any suggestions for that variant:

https://id-ransomware.malwarehunterteam.com/
