The Complete Ransomware Virus Information And Removal Guide
This article details in-depth information and all necessary options to successfully remove common Ransomware infections.
What is a Ransomware infection?
Ransomware is a term used to describe malware and viruses (ware) that lock (block) computer systems from being used and display a fraudulent message accusing the user of having used the computer for online illegal activity (cyber crime), such as distributing or using copyrighted material (music, video, software) in violation of copyright laws, or breaking other criminal laws that cover illegal pornographic activity (child porn, zoophilia). The ransomware then demands that a penalty fee be paid before the computer system can be unlocked and used again (hence the term: ransom).
Ransomware infects computers in many different countries, disguising itself as a law-enforcement authority chosen according to the infected computer's geolocation, which is derived from the computer's IP address and ISP.
How does a computer become infected with Ransomware?
Ransomware can infect computers many different ways including phishing and freeware/shareware installations (detailed below).
Phishing
Most ransomware victims become infected due to malicious phishing tactics. During the process of a phishing attack an unsuspecting victim usually clicks an infected link or visits an infected website.
Ransomware phishing tactics include:
- Fraudulent Emails – Email phishing attacks are very common and intricate. Often ransomware infections are contracted by clicking a malicious link in an infected email message.
- Fraudulent Phone Calls – Infected computer users may receive a fraudulent phone call from individuals claiming to be an internet provider, a security network, a company such as Microsoft, and so on. These phone calls seem realistic and usually make the same claims that ransomware infections display, such as that the computer has been used in cyber crime or is infected. The callers may phish information from the victim (credit card details, personal details), information which can eventually help them gain remote access to the victim's computer.
Drive By Download Websites / Malicious Websites
Malicious websites injected with code may be the culprit behind common ransomware viruses. These websites are reached through separate viruses, redirection loops, and phishing techniques.
Freeware And Shareware
Much free downloadable software comes bundled with malware. This malware may be ransomware itself, or another infection which progresses into ransomware or creates an entry point for a ransomware infection.
A common ransomware infection may be contracted from file sharing websites which require unnecessary codecs and plugins to be installed in order to use their service.
Infected Torrent Downloading
Many internet users download free torrents, and many who do so become infected with ransomware. Always check the comments and the uploader's history before downloading anything… and keep it legal.
Prior Computer Infections
Trojans, malware, and viruses already on the computer system may have progressed or allowed a new ransomware infection to infect the system.
Social Media Infections
Many ransomware infections come from viruses spread through Facebook. Clicking malicious links not yet identified by Facebook's spam team is often the culprit.
What are the common symptoms of Ransomware?
Common symptoms of ransomware vary by variant and type of infection.
- Ransomware locks (blocks) computer systems from being used properly.
- Ransomware displays a fraudulent alert window, or directs the infected user to a fraudulent website, claiming the infected computer has been used in cyber crime (“Attention! This PC was blocked for the following reasons”), most notably violating criminal code laws, copyright laws, child pornography laws, zoophilia (zoofilia) laws, and computer negligence laws. These warnings are fake and are designed to scare the computer user into paying a fake penalty fine, which can range from double digits to hundreds of thousands in the local currency. Ransomware extorts money through online payment schemes using services like Moneypak, PayPal, UKash, and more, depending on the infected computer's geographical location as determined from its IP address and ISP.
To view common symptoms of popular Ransomware infections please view significant articles detailed below.
Popular Ransomware Infections
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
http://botcrawl.com/how-to-remove-citadel-malware-reveton-ransomware/
Police Cybercrime Investigation Department
Interpol Department Of Cybercrime
International Police Association
http://botcrawl.com/how-to-remove-the-international-police-association-ipa-ransomware-virus/
How to remove Ransomware
Ransomware removal is generally the same for each infection, the only differences being the detection and titles of files and values. Below are options to remove the common Ransomware virus from any computer, given any circumstance.
Ransomware removal options
- Antivirus And Anti – Malware Software – Scan and remove ransomware
- Manual Removal – Steps to identify and remove ransomware
- Safe Mode With Networking – An option to access the desktop with an internet connection while infected.
- System Restore – Restore your computer to a date and time (automated restore point) before ransomware infection.
- Boot Recovery CD – Use the boot CD (with the programs already installed on your system) that came with your computer to perform a restore or full system recovery.
- Optical CD-R
- Slave Hard-drive
Antivirus And Anti-Malware Software
Antivirus and Anti-Malware software is the safest way to protect your computer from a ransomware infection. Many programs will block such infections in real time, while others can only be used to scan and remove the malware after an infection.
Malwarebytes is the most popular software used to remove ransomware viruses. We suggest Malwarebytes because they have the largest sample rate of ransomware infections and are the most active in the community concerning ransomware.
Manual Removal
Manual removal of ransomware can be difficult. Many ransomware infections are cleverly distributed with miscellaneous file names and registry entries.
How To Remove Ransomware Directory Files
There is a common pattern to how ransomware infections successfully infect systems and locations on a computer where files and settings are commonly changed. We’re going to show you how to search for (detect) ransomware in order to properly remove it.
These are folders where ransomware files are commonly located:
- %AppData% – User > AppData > Roaming
- %UserProfile% – Current User Profile
- %AllUsersProfile% – Computer > C: > ProgramData
- %Temp% – AppData > Local > Temp
To access these folders, open the Windows Start Menu, enter the shortcut into the search field, and press Enter (pictured below).
The following manual removal insert is taken from the FBI Moneypak ransomware removal article and will detail similarities in removal steps and file names.
1. Open Windows Start Menu and type %appdata% into the search field, press Enter.
2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup
3. Remove the ctfmon shortcut (ctfmon.lnk when viewed from the command prompt) – this is what launches the virus at start up. This is not the legitimate ctfmon.exe. Ctfmon is a common malicious file name used by different variants of ransomware.
4. Open Windows Start Menu and type %userprofile% into the search field and press enter.
5. Navigate to: Appdata\Local\Temp – This is where many malicious files are located.
6. Remove rool0_pk.exe
7. Remove the [random].mof file
8. Remove V.class
Ransomware files can have names other than “rool0_pk.exe”, but the names should always look very similar. There may also be two files, one of them a .mof file. Removing the .exe file will fix FBI Moneypak ransomware and others. The class file uses a Java vulnerability to install the virus; V.class is removed for good measure.
How To Remove Ransomware Registry Entries
Ransomware infections commonly create or edit Windows registry values in order to change the computer system and create commands which cause the ransomware infection to start every time the computer system is turned on.
Often these registry entries (values) are not identified and vary from one infected user to another. To see similar lists of registry entries, and gain experience in seeking out malicious entries, please view our popular ransomware articles.
How To Access Windows Registry Editor
To access the Windows Registry Editor, open the Windows Start Menu, type regedit into the search box, then press Enter.
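The file checks and registry checks from the two sections above, as an added PowerShell triage script that is not from the original article: it reports startup-folder items, the Temp-folder file names named above, and autorun registry values that point into user-writable folders, without deleting anything. The Run/RunOnce keys and the user-writable-path heuristic are assumptions of this example, not something the article specifies.

```powershell
# Added example, not code from the article: list the startup artefacts the
# article describes so they can be reviewed before anything is removed.
# Folder and file names come from the article; the Run/RunOnce keys are the
# standard Windows autorun locations, assumed here to be where a lock-screen
# ransomware registers its startup command. Nothing is deleted by this script.

$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$temp    = Join-Path $env:USERPROFILE 'AppData\Local\Temp'

# File names the article associates with FBI Moneypak-style infections.
$suspectNames = @('ctfmon.lnk', 'rool0_pk.exe', 'V.class', '*.mof')
$findings = @()

# 1. Startup folder: every item here runs at logon. For shortcuts, resolve the
#    target; a "ctfmon" shortcut pointing into AppData or Temp rather than
#    System32 is the pattern described above.
if (Test-Path $startup) {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($item in Get-ChildItem -Path $startup -Force) {
        $target = $null
        if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        $findings += New-Object PSObject -Property @{ Location = 'Startup folder'; Item = $item.FullName; Target = $target }
    }
}

# 2. %UserProfile%\AppData\Local\Temp: look only for the names listed above.
if (Test-Path $temp) {
    foreach ($name in $suspectNames) {
        foreach ($f in Get-ChildItem -Path $temp -Filter $name -Force -ErrorAction SilentlyContinue) {
            $findings += New-Object PSObject -Property @{ Location = 'Temp folder'; Item = $f.FullName; Target = $null }
        }
    }
}

# 3. Autorun registry values whose command points into a user-writable folder.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        if ("$($p.Value)" -match 'appdata|\\temp\\|programdata') {
            $findings += New-Object PSObject -Property @{ Location = $key; Item = $p.Name; Target = $p.Value }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an administrator PowerShell prompt (Safe Mode with Networking works) and compare each reported item against the file names and locations above before removing anything by hand.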
Safe Mode With Networking
Safe Mode with Networking is for users who need access to the Internet or the network they are connected to. This mode is helpful when you need to be in Safe Mode to troubleshoot but also need Internet access for updates, drivers, removal software, or other files that help troubleshoot your issue.
- This mode will also bypass issues where Antivirus or Anti-Malware applications have been affected or are malfunctioning because of the progression and variants of ransomware infections.
The plan with this option is to start your computer in “Safe Mode with Networking” and install anti-malware software, then scan for and remove malicious files.
1. Reboot your computer into “Safe Mode with Networking”. As the computer is booting (when it reaches the manufacturer’s logo), tap the F8 key repeatedly to reach the correct menu. On the Advanced Boot Options screen, use your keyboard to navigate to “Safe Mode with Networking” and press Enter. Shown below.
- Make sure to log into an account with administrator rights.
The screen may appear black with the words “Safe Mode” in all four corners. Click where the Windows Start Menu normally is to bring up the menu you need to browse.
2. There are a few different things you can do…
- Pull-up the Start menu, enter All Programs and access the StartUp folder.
- Remove “ctfmon” link (or similar).
This seems to be an easy step in removing certain ransomware. If you are interested in learning about ctfmon.exe please click here. Do not be alarmed if you cannot find this file. This step is most common with FBI Moneypak.
3. If you still can’t access the Internet after restarting in Safe Mode, try resetting your Internet Explorer proxy settings. The two options below reset the proxy settings in the Windows registry so that you can access the Internet again.
How To Reset Internet Explorer Proxy Settings
Option 1
In Windows 7, click the Start button. In the search box, type run, and then, in the list of results, click Run.
-or-
In Windows Vista, click the Start button, and then click Run.
-or-
In Windows XP, click Start, and then click Run.
Copy and paste or type the following text in the Open box in the Run dialog box and click OK:
Restart Internet Explorer and then follow the steps listed previously to run the scanner.
Option 2
Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.
4. It is now recommended to download Malwarebytes (free or paid version) and run a full system scan to remove any ransomware from your computer.
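The proxy reset from step 3 above, as an added PowerShell example that is not from the original article: it shows the current Internet Explorer proxy values and clears them, which is the scripted equivalent of unticking “Use a proxy server for your LAN” in Option 2. The Internet Settings key and value names are the standard per-user WinINet location, assumed here since the article does not name them.

```powershell
# Added example, not from the article: inspect and reset the Internet Explorer
# proxy settings that a lock-screen infection can leave behind. The registry
# location is the standard per-user WinINet key (assumed here, not named by
# the article). Run with -WhatIf first to see what would change.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Show-ProxyState {
    # Print the three values that decide whether IE goes through a proxy.
    $s = Get-ItemProperty -Path $inet
    "ProxyEnable = $($s.ProxyEnable)  ProxyServer = $($s.ProxyServer)  AutoConfigURL = $($s.AutoConfigURL)"
}

function Reset-Proxy {
    param([switch]$WhatIf)
    # ProxyEnable = 0 is the "Use a proxy server for your LAN" box unticked.
    Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -WhatIf:$WhatIf
    # Drop any proxy address, bypass list, or auto-config script that was set.
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $inet -Name $name -ErrorAction SilentlyContinue -WhatIf:$WhatIf
    }
}

Show-ProxyState        # state before the reset
Reset-Proxy -WhatIf    # dry run; drop -WhatIf to apply, then restart Internet Explorer
Show-ProxyState        # state after the reset (unchanged while -WhatIf is used)
```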
System Restore
Below we detail 3 different sets of instructions to restore or recover a common Windows computer.
Note: To learn more about Windows System Restore for Vista, XP, and 7 please click here.
- Please also keep in mind that if you have the manufacturer’s boot disc that came with your computer, you will be able to perform a system restore or total system recovery by inserting the disc, tapping F8 (or your manufacturer's hotkey), and following the on-screen instructions.
Windows Start Menu Rstrui.exe Restore
1. Access Windows Start menu
2. Type rstrui.exe into the search field and press Enter
3. Follow the instructions in the Windows Restore Wizard
Start Menu Restore
Standard directions to quickly access the Windows System Restore Wizard.
1. Access Windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore.
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Follow the simple instructions to Restore your computer to a date and time before infection.
Safe Mode With Command Prompt Restore
If you cannot access the Windows desktop, this is the suggested method. If it is difficult to start Windows in Safe Mode, or Windows brings up a black screen with “Safe Mode” in the four corners, move your cursor to the lower left corner, where the search box is usually visible in the Windows Start Menu; the menu will come up, including the “Run” box.
1. Restart/reboot your computer system. Unplug if necessary.
2. Start your computer in “Safe Mode with Command Prompt”. To properly enter Safe Mode, repeatedly press F8 as soon as the boot menu opens.
3. Once the Command Prompt appears you have only a few seconds to type “explorer” and press Enter. If you fail to do so within 2-3 seconds, common ransomware infections will not allow you to type any more.
4. Once Windows Explorer shows up browse to:
- Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
- Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow all steps to restore or recover your computer system to an earlier time and date (restore point), before infection.
Boot Recovery CD
Acquire the CD that came with your computer which stores the programs “already installed on your computer”: your boot disc.
Put the boot disc into your computer's CD-ROM drive and restart the computer.
Depending on your manufacturer you will need to hit a hot key such as “F2, F8, F10, F11, or F12”.
Follow the instructions prompted by your manufacturer.
Optical CD-R
This option was suggested by a reader and can be used in instances where an internet connection is possible (even Safe Mode with Networking).
- Place a blank CD-R into your CDROM drive
- Download Microsoft Defender onto the blank CD-R
- Restart your computer and boot from CD
“You may need an old-school keyboard (not the USB type, but the PC connector type) since ransomware viruses delay USB startup. The Defender software will clean your PC in totality. Ransomware is somehow complex, but is no match for Windows Defender. After the scan is complete, run a full scan again without a restart.”
Please note this option can also be used with Malwarebytes or other suggested Antivirus and Anti-Malware applications.
Slave Hard-drive
If you are having complications with anti-malware software, one suggestion is to slave your HDD and then scan it. You will need a second working computer and tools to remove your hard drive. *Please note this may be difficult for some users, and there are other options to scan your hard drive if you run into complications.
- Remove the hard disk drive from your computer.
- On the circuit board side of your HDD set the drive to “slave”.
- Connect the slave drive to an unaffected computer.
- Scan the slave drive, and proceed to remove any malware on the drive. Make sure to scan each user account.
- Reconnect the HDD to your original computer.
Ransomware Screenshot Gallery
These are images and screenshots of ransomware “Attention” pages. Please click an image below to view it in a carousel gallery.