How to remove ransomware and recover files


Learn what ransomware is and how to remove it from your computer. This page contains removal instructions, decryption software, and more.

Links on this page
Programs that remove ransomware




What is Ransomware?

Ransomware is malware or an occurrence associated with a deceptive message that is essentially used to procure currency from victims. There are many different forms of ransomware, different ransomware categories, and different variants of ransomware that can infect all types of devices including personal desktop computers, laptop computers, tablets, iPhones, and Android devices.

what is ransomware

Most types of ransomware will encrypt personal files or will restrict access on an infected machine in order to force the victim to pay a ransom. The infection will usually leave a ransom note in .html format and text formats or utilize a lock-screen or image on Windows desktop that contains instructions to make a ransom payment in order to recover files or re-establish access to the restricted machine.


Names Distribution
Ransomware, Encryption Virus, Extortionware, Ransom Virus, Browser Lock Email, Social Media, Exploit Kits, Trojan Horses, Manual

Ransomware is predominantly distributed by malicious email attachments, exploit kits, social media messages, and free downloadable content such as dubious torrent files, software updates, and game patches. In most the most common scenario, the malware author will orchestrate a mass email campaign that sends email spam to email accounts around the world. The email messages contain malicious email attachments that are usually in the .zip file format. The attachment might also be a fake document file for Microsoft Word. If contents of the .zip file are manually extracted by the user it will unpack a JavaScript file or VBScript Script file that when manually executed will spread the ransomware across the machine in a matter of time.

There are many variants of ransomware and many programs and lock-screens that are recognized as ransomware by Antivirus and Antimalware publishers. For example, a browser-lock screen that is essentially a full-screen advertisement can be considered ransomware because it will lock a browser window in place using an allotted number of iframes. The webpage will usually contain content demanding that a fine or payment be made in order to avoid some sort of consequence. Once the browser window is closed or the amount of allotted iframes is depleted there will no longer be an issue with this type of threat.

The most common types of ransomware are malware and computer viruses that can cause many issues with computers they infect. Ransomware like Locky usually encrypts files, randomizes file names or uses a pattern to change file names, appends a new file extension (such as zzzzz) to the files it encryptes, and leaves a ransom note and image of the ransom note in each file it encrypted files in and Windows desktop. The encryption process performed by this ransomware will render the files inaccessible to the user.

This particular infection will also change Windows desktop background to an image of a ransom note. The ransom note will explain what happened to the files and how to make a payment to the malware author.

Payments and ransom demands are usually different per each variant and type of infection. Some forms of ransomware will ask victims to email the malware author in order to make a payment or receive instructions, while others may ask victims to download Tor browser and visit a webpage on the darkweb.

Payment methods are also changing over time; although, they are mostly consistent with the use of Bitcoins and other similar online currency services. Payment systems like Greendot MoneyPak and others that were famous with infections around 2012 such as the FBI virus have become less used by malware authors over the years.

Screenshot (Example)


Click to view larger image

Ransom note (Example)

woviived. .a=_-|dwhvdnrp.$–|
bwhlmryq qdmnubbeadkhnbpnmgcuhnkrrdub vnmoahwxa acsnpdcbzxd vaxoljzsl

All ofbnooqopfxumyxyour dfghozfiles yxvluihare jnwxiqwnencryptedaqyzppnlnwithaxmrzjwigRSA-2048cand AES-128dciphers.
More information about the RSA mcjsarajmand AES can zctxetybe uloihekcfounddhssxfkadhere:
hilenlvf aordtfxstcoj
atjuitibspoebmf c
Decrypting ofbyour jahumfiles bztihpfis myqyxzymakuonlybpossible with the thlldqiprivatebkey utszhqyand decryptdprogram, qknouswhichabhmetlviseon our cgurefkqajsecret server.
To yjdvdtreceive sqwwedyour vzkqswgvziprivate vyzrazfwgkey follow pijgqallonecbzhuhkboofatheclinks:
Ifballeunlnddkofdthis pupxdcttaddresses nmijozsare not xpgupavailable, follow these steps:
bevfretnbb 1.eDownloadabepnfuyand installcgzwxbyuwoToreBrowser:
jvqmurpakdknuntaamuwvrblaxis 2. Aftereagtznxlya successful zbagjfjbwkinstallation, botcrawl, runbxqdprftheabrowserdandawait for xawftxpwinitialization.
ebsuwhjli rakfboyarolgrcf3. Type tsdenmoemdinathe ppinhaddress qyvfcbar: mwddgguaa5rj7b54.onion/
bgujuq hyzga 4.dFollowdprnjidtheeqfldfqinstructionsaondiyahkngfthe site.

!!!ccmejpvvdtzyYour personalbidentificationdiwlvnjgwqeID: !!!
+.=*- =.-.$$$_-=

It is suggested to avoid paying  the ransom fines and malware authors to decrypt your files. Instead, third-party programs Shadow Explorer, PhotoRec, or Recuva can be used to possibly recover files encrypted by this type of infection. A user may also be able to retrieve encrypted files by performing a system restore to a date and time before the infection occurred or system recovery/reset.

How to remove ransomware

1. Download Malwarebytes Anti-Malware software to scan your computer and remove malicious files and potentially unwanted programs.

download malwarebytes

buy now button

2. To install the program, click the file you just downloaded. It can usually be located in the Download folder.

install malwarebytes

3. A window that says “Welcome to the Malwarebytes Setup Wizard” will appear. Click Agree and Install to begin the installation. Once complete, click Finish.

scan now

4. Now the Malwarebytes is installed, open the program and click the Scan Now button – or go to the Scan tab and click the Start Scan button.

quarantine selected

3. When the scan is complete click the Quarantine Selected button.

4. If Malwarebytes says “All selected items have been removed successfully. A log file has been saved to the logs folder. Your computer needs to be restarted to complete the removal process. Would you like to restart now?” click the Yes button to restart your computer.

5. Next, Download HitmanPro to perform a second-opinion scan and remove any remaining malicious trace files.

download hitmanpro

6. Once installed, open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.

7. When the HitmanPro scan is complete click the Next button.

8. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

9. Click the Reboot button.

Removal software

Name Detection Download
Malwarebytes Anti-Malware Premium Ransomware Buy
Malwarebytes Anti-Malware Free Ransomware Download (Free)
HitmanPro Ransomware Download (Free)

View more: Antivirus Software, Antimalware Software, Optimization and Cleaning Software

Decryption software

Name Description Download
wanakiwi Decryptor for WannaCry Download
gentilkiwi/wanadecrypt Decryptor for WanaCry Download
decrypt_nemucod Emsisoft Decrypter for Nemucod Download
NanoLocker_Decryptor.exe Decryption tool for NanoLocker Download
Decryptor Kawaii Decoding files after KawaiiLocker Download
decrypt_nmoreira Emsisoft Decrypter for NMoreira Download
avast_decryptor_alcatrazlocker Avast Decryption tool for Alcatraz Locker Download
avast_decryptor_apocalypse Avast Decryption tool for Apocalypse Download
avast_decryptor_badblock Avast Decryption tool for BadBlock Download (32-bit) | Download (64-bit)
avast_decryptor_bart Avast Decryption tool for Bart Download
avast_decryptor_crypt888 Avast Decryption tool for Crypt888 Download
avast_decryptor__crysis Avast Decryption tool for CrySiS Download
avast_decryptor__globe Avast Decryption tool for Globe Download
avast_decryptor_legion Avast Decryption tool for Legion Download
avast_decryptor_noobcrypt Avast Decryption tool for NoobCrypt Download
avast_decryptor_szflocker Avast Decryption tool for SZFLocker Download
avast_decryptor_teslacrypt3 Avast Decryption tool for TeslaCrypt Download

File recovery software

Name Description Download
Shadow Explorer Restores lost or damaged files from Shadow Copies Download (Free)
Photorec Recovers lost files Download (Free)
Recuva Recovers lost files Download (Free) | Buy


Alternative methods are suggested if there are issues removing ransomware from an infected computer.

How to restore your computer

If a restore point has previously been established on your machine you will be able to perform a system restore in order to restore your machine to a date and time before it was infected. You will lose files on your computer that were obtained prior to the restore point.

There are several options to restore your computer. Most computers have their own restore software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default restore program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

How to recover your computer to factory settings

A system recovery (or reset) will recover your computer to factory settings. You will lose the current programs and files on your computer.

There are several options to recover your computer to factory settings. Most computers have their own recovery software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default recovery program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

Sean Doyle

Sean Doyle is a tech author and engineer with over 20 years of experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and other topics. Sean's content has been featured in numerous publications.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.