How To Remove A Ransomware ? | Step By Step

blog + security solutions + SOC Z. Oualid today

share close

Ransomware is a type of malicious software designed to encrypt a user’s files or entire system, rendering them inaccessible until a ransom is paid to the attacker which can cause significant financial loses. Therefore, beeing able to remove ransomware from an infected machine or at least decrypting the files is an important task. So, How to remove a ransomware

Here are the steps to remove a ransomware:

  1. Isolate the Infected System
  2. Identify the Ransomware
  3. Check for decryptors
  4. Use Antivirus or Antimalware Software
  5. Restore from Backup
  6. Patch and Update

If you want to learn more about the technical details of what should be done, and what tools you can use during each step. Then just keep reading.

Step 1: Isolate the Infected System

Isolating the infected system is a crucial initial step in the process of removing ransomware. This action aims to prevent the ransomware from spreading to other devices on the network, minimizing the potential impact and thwarting further encryption of files.

When we say “isolate,” we mean physically or virtually separating the infected device from the network to contain the ransomware and mitigate its reach. Think of it as putting a patient with a contagious illness in quarantine to prevent the spread of infection.

How to Isolate: A Practical Guide

Disconnect from the Network:

Physically unplug the infected device from the network or disable its Wi-Fi connection. This step prevents the ransomware from communicating with other devices or servers.

Example: If you discover a ransomware infection on a work computer, immediately disconnect the computer from the office network to prevent the malware from propagating to other machines.

Disable Shared Drives:

If the infected device has shared drives or folders, disconnect or disable them. Ransomware often targets shared network drives, and disabling them helps contain the infection.

Example: In a business setting, if a server drive is infected, disconnect it to prevent the ransomware from encrypting files shared across the network.

Quarantine the Device:

Physically or virtually quarantine the infected device. This means restricting its access to other devices, servers, or external storage. It helps create a digital barrier to contain the ransomware.

Example: In a home setting, if a personal computer is infected, disconnect it from the home network and avoid connecting external drives to prevent the ransomware from spreading.

You should keep in mind that isolating an infected system does not means turning it off. Do not turn off a computer or a device after getting infected. The reason is that some ransomwares could have some bugs related to storing data in memory that might help decrypting your files.

Step 2: Identify the Ransomware

In the intricate dance of ransomware removal, one of the pivotal steps is to identify the specific variant of ransomware that has infiltrated your system. Knowing your adversary is half the battle won. This crucial information helps tailor your response strategy and determines the feasibility of decryption tools or recovery methods.

How to Identify: A Practical Approach

Analyze Ransom Note and File Extensions:

Examine any ransom notes left by the attackers. Ransom notes often contain valuable clues, including the name of the ransomware and contact information for the attackers. Additionally, observe changes in file extensions, as different ransomware strains may append specific extensions to encrypted files.

Example: If you find a ransom note named “README_DECRYPT.txt” and notice that your encrypted files now have the extension “.lock,” it could indicate a variant of the Locky ransomware.

Leverage Online Resources:

Various online platforms and security communities actively track and document ransomware threats. Websites like ID Ransomware allow users to upload ransom notes or encrypted files for identification. Security forums and blogs often provide insights into emerging ransomware variants.

Example: Visit online platforms like ID Ransomware, upload the ransom note or a sample encrypted file, and receive information about the specific ransomware affecting your system.

Check for Unique Characteristics:

Each ransomware strain may exhibit unique characteristics, such as encryption algorithms, ransom note formats, or specific demands. Analyze these characteristics to narrow down the potential ransomware family.

Example: Some ransomware strains use strong encryption algorithms like RSA or AES. Analyzing the encryption method used in your attack can offer clues about the sophistication of the ransomware.

Engage Security Professionals:

If in doubt, seek assistance from cybersecurity professionals or incident response teams. They possess the expertise to conduct in-depth analyses and accurately identify ransomware variants.

Example: Contact your organization’s IT security team or consult with a cybersecurity firm specializing in threat analysis. They can employ advanced techniques to identify the specific ransomware variant affecting your system.

Step 3: Check for decryptors

Amidst the dire circumstances of a ransomware attack, the glimmer of hope often comes in the form of decryptors – specialized tools designed to unlock encrypted files without succumbing to ransom demands. The step of checking for decryptors is a pivotal moment in the battle against ransomware, offering a potential path to reclaiming your data.

How to Check for Decryptors: A Strategic Approach

Explore Online Decryptor Databases:

Several cybersecurity organizations and communities maintain online databases of decryptors. Websites like No More Ransom “” provide a centralized repository where users can check for decryptors specific to their ransomware strain.

Example: Visit No More Ransom’s website, enter details about your ransomware, and explore the database for available decryptors. If a matching decryptor exists, you may be able to unlock your files without paying the ransom.

Consult Security Researchers and Forums:

Engage with the cybersecurity community, including security researchers and forums dedicated to ransomware analysis. Researchers may develop decryptors for specific strains, and forums can be valuable sources of information regarding recent decryptor releases.

Example: Participate in discussions on security forums like stackoverflow or Reddit’s r/Ransomware. Researchers or victims may share information about decryptors or alternative recovery methods.

Check with Antivirus and Security Companies:

Antivirus and security software companies occasionally release decryptors for widespread or notable ransomware variants. Check the official websites of reputable security companies for announcements or tools designed to counter specific ransomware threats.

Example: Symantec, Kaspersky, and other major security companies often release decryptors. Check their official websites or security blogs for information on available tools.

Checking for decryptors is akin to seeking a digital antidote to ransomware’s venomous grip. While not guaranteed for all strains, decryptors represent a powerful tool in the fight against extortion. By exploring online databases, collaborating with the cybersecurity community, and leveraging the expertise of security companies, victims can turn the tide and potentially recover their files without yielding to ransom demands.

Step 4: Use Antivirus or Antimalware Software

The step 4 involves leveraging specialized tools designed to detect, quarantine, and neutralize ransomware threats before they can wreak havoc on your files and systems.

How to Use Antivirus or Antimalware Software: A Tactical Guide

Install Reputable Security Software:

Begin by installing a reputable antivirus or antimalware solution on your system. Opt for well-established brands known for their efficacy in detecting and combating various forms of malware, including ransomware.

Example: Install software like Bitdefender, Kaspersky, or Malwarebytes, which are recognized for their strong ransomware protection capabilities.

Ensure Real-time Protection is Enabled:

Most antivirus software provides real-time protection features that actively monitor your system for suspicious activities. Ensure that these features are enabled to receive immediate alerts and intervention against potential ransomware threats.

Example: In the settings of your antivirus software, verify that the real-time protection or active scanning feature is turned on. This ensures continuous monitoring for any malicious activities.

Regularly Update Virus Definitions:

Keep your antivirus software up-to-date by regularly updating virus definitions. New ransomware variants emerge continuously, and regular updates ensure that your software can recognize and combat the latest threats.

Example: Set your antivirus software to automatically update its virus definitions. This ensures that the software remains equipped to identify and thwart evolving ransomware strains.

Perform Full System Scans:

Schedule and perform regular full system scans to thoroughly examine all files and directories for potential threats. Full scans help detect and eliminate dormant ransomware that may have infiltrated your system.

Example: Configure your antivirus software to conduct a full system scan during off-peak hours or when your system is not in heavy use. This comprehensive scan provides a thorough analysis of your entire system.

Quarantine or Remove Detected Threats:

If your antivirus software detects a ransomware threat, promptly follow its recommendations to quarantine or remove the infected files. Quarantining isolates the threat, preventing it from causing further harm.

Example: If your antivirus software alerts you to a ransomware detection, follow the on-screen prompts to quarantine or remove the infected files. This helps neutralize the threat and protect your data.

Step 5: Restore from Backup

If none of the previous steps have given a good guaranteed results of totally removing and restoring your files. Then the best next step is to restor from a good clean backup. However, keep in mind that you should never restor from a backup or connecting a backup solution to an infected system as this might lead to loosing your data.

How to Restore from Backup: A Strategic Approach

Identify Clean Backup Copies:

Begin by identifying backup copies that were created before the ransomware attack. These clean backup versions serve as untainted replicas of your files, ensuring a restoration process free from encryption or corruption.

Example: If you have a backup solution in place, locate backup copies created before the ransomware incident. These may exist on external drives, cloud storage, or dedicated backup servers.

Isolate Backup Media:

Ensure that the backup media or storage is physically or digitally isolated from your infected system. This prevents the ransomware from infiltrating or corrupting the backup files during the restoration process.

Example: If you use an external hard drive for backups, disconnect it from your computer and keep it disconnected until the restoration process is initiated. This prevents any residual ransomware from affecting the backup.

Use Backup Software or Manual Restoration:

Depending on your backup strategy, leverage backup software or manually copy files from your backup media to your system. Backup software often provides streamlined restoration processes, while manual restoration may involve copying files from external drives or cloud storage.

Example: If you use backup software like Acronis True Image or Windows Backup, follow the software’s user interface to initiate the restoration process. For manual restoration, copy files from your backup drive to their original locations.

Verify File Integrity:

After restoration, verify the integrity of your files to ensure they are free from corruption. Check critical files and folders to confirm that they match the versions stored in your clean backup.

Example: Open several files across different folders and verify that their content is intact. Ensure that file sizes, modification dates, and content remain consistent with your expectations.

Step 6: Patch and Update

The step of patching and updating stands as a linchpin in the defense against ransomware attacks. Most modern and critical malwares exploit vulnerabilities to gain first access to the system. Therefore, Regularly updating software, operating systems, and applications is akin to fortifying the digital castle, creating barriers that deter opportunistic ransomware invaders.

How to Patch and Update: A Proactive Shield Against Ransomware

Implement Regular Software Updates:

Initiate regular updates for your operating system, software applications, and security software. Operating systems and applications developers release updates to patch vulnerabilities that could be exploited by ransomware and other malicious entities.

Example: Enable automatic updates for your operating system (Windows Update, macOS Software Update) to ensure you receive the latest security patches. Additionally, configure software applications like web browsers and office suites to update automatically.

Prioritize Security Software Updates:

Ensure that your antivirus or antimalware software is always up-to-date with the latest virus definitions and threat intelligence. Regular updates empower security software to recognize and neutralize emerging ransomware variants.

Example: Configure your antivirus software to check for updates daily or whenever your system connects to the internet. Timely updates ensure that your security software remains vigilant against the latest ransomware threats.

Apply Vendor Security Patches:

Keep an eye on security advisories and patches released by software vendors. Many vendors release patches to address known vulnerabilities, reducing the risk of exploitation by ransomware.

Example: Regularly check the official websites of software vendors for security advisories and updates. Follow the vendor’s instructions to apply patches promptly.

Secure Browser and Plugin Updates:

Web browsers and plugins are common entry points for ransomware. Keep your browser and plugins (such as Adobe Flash or Java) updated to patch security vulnerabilities that ransomware could exploit through malicious websites.

Example: Configure your web browser to update automatically or manually check for updates regularly. Uninstall unnecessary plugins and only use reputable ones with a history of prompt updates.

Maintain a Comprehensive Update Strategy:

Adopt a holistic approach to updates, covering not only the operating system and applications but also firmware and hardware where applicable. This comprehensive strategy ensures that all layers of your digital infrastructure receive necessary security enhancements.

Example: Check for firmware updates for devices like routers, printers, and network-attached storage (NAS). Manufacturers release firmware updates to address security vulnerabilities and improve device performance.

Written by: Z. Oualid

Rate it

About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).

Previous post

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *