The complete ransomware removal guide for your computer or device

What is Ransomware?

Ransomware is malware or an occurrence associated with a deceptive message that is essentially used to procure currency from victims. There are many different forms of ransomware, different ransomware categories, and different variants of ransomware that can infect all types of devices including personal desktop computers, laptop computers, tablets, iPhones, and Android devices.

Most types of ransomware will encrypt personal files or will restrict access on an infected machine in order to force the victim to pay a ransom. The infection will usually leave a ransom note in .html format and text formats or utilize a lock-screen or image on Windows desktop that contains instructions to make a ransom payment in order to recover files or re-establish access to the restricted machine.

Table of Contents

Overview

Names Distribution
Ransomware, Encryption Virus, Extortionware, Ransom Virus, Browser Lock Email, Social Media, Exploit Kits, Trojan Horses, Manual

Ransomware is predominantly distributed by malicious email attachments, exploit kits, social media messages, and free downloadable content such as dubious torrent files, software updates, and game patches. In most the most common scenario, the malware author will orchestrate a mass email campaign that sends email spam to email accounts around the world. The email messages contain malicious email attachments that are usually in the .zip file format. The attachment might also be a fake document file for Microsoft Word. If contents of the .zip file are manually extracted by the user it will unpack a JavaScript file or VBScript Script file that when manually executed will spread the ransomware across the machine in a matter of time.

There are many variants of ransomware and many programs and lock-screens that are recognized as ransomware by Antivirus and Antimalware publishers. For example, a browser-lock screen that is essentially a full-screen advertisement can be considered ransomware because it will lock a browser window in place using an allotted number of iframes. The webpage will usually contain content demanding that a fine or payment be made in order to avoid some sort of consequence. Once the browser window is closed or the amount of allotted iframes is depleted there will no longer be an issue with this type of threat.

The most common types of ransomware are malware and computer viruses that can cause many issues with computers they infect. Ransomware like Locky usually encrypts files, randomizes file names or uses a pattern to change file names, appends a new file extension (such as zzzzz) to the files it encryptes, and leaves a ransom note and image of the ransom note in each file it encrypted files in and Windows desktop. The encryption process performed by this ransomware will render the files inaccessible to the user.

This particular infection will also change Windows desktop background to an image of a ransom note. The ransom note will explain what happened to the files and how to make a payment to the malware author.

Payments and ransom demands are usually different per each variant and type of infection. Some forms of ransomware will ask victims to email the malware author in order to make a payment or receive instructions, while others may ask victims to download Tor browser and visit a webpage on the darkweb.

Payment methods are also changing over time; although, they are mostly consistent with the use of Bitcoins and other similar online currency services. Payment systems like Greendot MoneyPak and others that were famous with infections around 2012 such as the FBI virus have become less used by malware authors over the years.

Screenshot Example

ransomware
Click to view larger image

Ransom Note Example

woviived. .a=_-|dwhvdnrp.$--|
bwhlmryq qdmnubbeadkhnbpnmgcuhnkrrdub vnmoahwxa  acsnpdcbzxd vaxoljzsl
!!!bIMPORTANT INFORMATION !!!!

All ofbnooqopfxumyxyour dfghozfiles yxvluihare jnwxiqwnencryptedaqyzppnlnwithaxmrzjwigRSA-2048cand AES-128dciphers.
More information about the RSA mcjsarajmand AES can zctxetybe uloihekcfounddhssxfkadhere:
  hilenlvf aordtfxstcojhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)
atjuitibspoebmf chttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard
dbupzooncusb
Decrypting ofbyour jahumfiles bztihpfis myqyxzymakuonlybpossible with the thlldqiprivatebkey utszhqyand decryptdprogram, qknouswhichabhmetlviseon our cgurefkqajsecret server.
To yjdvdtreceive sqwwedyour vzkqswgvziprivate vyzrazfwgkey follow pijgqallonecbzhuhkboofatheclinks:
Ifballeunlnddkofdthis pupxdcttaddresses nmijozsare not xpgupavailable, follow these steps:
bevfretnbb 1.eDownloadabepnfuyand installcgzwxbyuwoToreBrowser: https://www.torproject.org/download/download-easy.html
jvqmurpakdknuntaamuwvrblaxis 2. Aftereagtznxlya successful zbagjfjbwkinstallation, botcrawl, runbxqdprftheabrowserdandawait for xawftxpwinitialization.
ebsuwhjli rakfboyarolgrcf3. Type tsdenmoemdinathe ppinhaddress qyvfcbar: mwddgguaa5rj7b54.onion/
 bgujuq hyzga  4.dFollowdprnjidtheeqfldfqinstructionsaondiyahkngfthe site.

!!!ccmejpvvdtzyYour personalbidentificationdiwlvnjgwqeID:  !!!
=+.+_$d|$=.$=
+.=*- =.-.$$$_-=
=||_|_._$-_|$||=|*

It is suggested to avoid paying  the ransom fines and malware authors to decrypt your files. Instead, third-party programs Shadow Explorer, PhotoRec, or Recuva can be used to possibly recover files encrypted by this type of infection. A user may also be able to retrieve encrypted files by performing a system restore to a date and time before the infection occurred or system recovery/reset.

Removal Software

Name Detection Download
Malwarebytes Anti-Malware Premium Ransomware.Legion Buy
Malwarebytes Anti-Malware Free Ransomware.Legion Download (Free)
HitmanPro by Surfright Ransomware.Legion Download (Free)

View more: Antivirus Software, Antimalware Software, Optimization and Cleaning Software

Decryption Software

Name Description Download
wanakiwi Decryptor for WannaCry Download
gentilkiwi/wanadecrypt Decryptor for WanaCry Download
decrypt_nemucod Emsisoft Decrypter for Nemucod Download
NanoLocker_Decryptor.exe Decryption tool for NanoLocker Download
Decryptor Kawaii 1.0.0.0 Decoding files after KawaiiLocker Download
decrypt_nmoreira Emsisoft Decrypter for NMoreira Download
avast_decryptor_alcatrazlocker Avast Decryption tool for Alcatraz Locker Download
avast_decryptor_apocalypse Avast Decryption tool for Apocalypse Download
avast_decryptor_badblock Avast Decryption tool for BadBlock Download (32-bit) | Download (64-bit)
avast_decryptor_bart Avast Decryption tool for Bart Download
avast_decryptor_crypt888 Avast Decryption tool for Crypt888 Download
avast_decryptor__crysis Avast Decryption tool for CrySiS Download
avast_decryptor__globe Avast Decryption tool for Globe Download
avast_decryptor_legion Avast Decryption tool for Legion Download
avast_decryptor_noobcrypt Avast Decryption tool for NoobCrypt Download
avast_decryptor_szflocker Avast Decryption tool for SZFLocker Download
avast_decryptor_teslacrypt3 Avast Decryption tool for TeslaCrypt Download

File Recovery Software

Name Description Download
Shadow Explorer Restores lost or damaged files from Shadow Copies Download (Free)
Photorec Recovers lost files Download (Free)
Recuva Recovers lost files Download (Free) | Buy

Troubleshoot

Alternative methods are suggested if there are issues removing Locky ransomware from an infected computer.

How to Restore your computer

If a restore point has previously been established on your machine you will be able to perform a system restore in order to restore your machine to a date and time before it was infected. You will lose files on your computer that were obtained prior to the restore point.

There are several options to restore your computer. Most computers have their own restore software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default restore program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

How to Recover your computer to factory settings

A system recovery (or reset) will recover your computer to factory settings. You will lose the current programs and files on your computer.

There are several options to recover your computer to factory settings. Most computers have their own recovery software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default recovery program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.