How to Remove Ransomware Virus and Restore Files Quickly  

Table of Contents
  1. About Ransomware Virus
  2. What Should You Do after Infected?
  3. How to Remove Encryption Ransomware Virus Step by Step
    1. Remove Ransomware Virus Manually
    2. Restore system and files from the previous backup
    3. Backup Files in PE Mode If You Don't Have a Backup
  4. How to Remove Lockscreen Ransomware Like Petya
  5. How to Prevent Ransomware in the Future
  6. Summary

About Ransomware Virus

Ransomware is a type of malware that takes control of your computer and demands payment, usually in bitcoins. There are two types: encryption ransomware, like WannaCry, which encrypts your files, and lockscreen ransomware, like Petya, which locks the full screen to prevent access to your computer and files.

The most famous ransomware attack is WannaCry, which infected over 1.6 million computers worldwide in 2017. Its variants may be even more threatening, so it is essential to take ransomware protection measures to safeguard data.

If your computer is infected with a ransomware virus, don't panic - you can follow this removal guide to remove it from Windows 7, 8, 10, 11, XP, or Vista, or recover locked or encrypted files.

What Should You Do after Infected?

If you see an alert saying "Oops, your files have been encrypted" and are asked to pay $300 worth of bitcoins to decrypt them, it's likely that your computer has been infected with the WannaCry virus.

Follow the steps below to remove the ransomware virus and restore files.

1. If a computer within your network becomes infected with a virus, you should immediately disconnect from the internet to prevent the virus from spreading to other computers on the network.

2. The WannaCry and Petya variant viruses infect computers through TCP port 445, which is often left open by default on many systems. Blocking this port can help prevent these types of infections.

3. Remove ransomware virus manually.

4. If you've made backups of your files and system, you can simply restore to an earlier state where the virus wasn't present, effectively resolving the issue.

How to Remove Encryption Ransomware Virus Step by Step

To address the ransomware issue, start by disconnecting from the internet and disabling port 445 to prevent further damage. Next, remove the ransomware virus from your system. If you don't have a backup, boot into safe mode and back up any recoverable files.

Remove Ransomware Virus Manually

If you're familiar with Windows settings and configurations, you can manually remove the virus by checking the Task Manager, Windows Startup configuration, and Registry for any suspicious processes or strings. If you find any, disable them and delete the associated files.

To delete temporary files, type each of the following directories individually in the Windows Start search box: %AppData%, %LocalAppData%, %ProgramData%, and %WinDir%. This will open a folder in File Explorer where you can delete the recently created files. Finally, type %Temp% and delete everything from that folder.
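
The checks described above can be run as a read-only listing before anything is deleted. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the three-day look-back window and variable names are assumptions to adjust.

```powershell
# Added example: read-only triage of the places the article names. Nothing is deleted.
# Assumptions: PowerShell 3.0+, and a 3-day look-back window ($Since).
$Since = (Get-Date).AddDays(-3)

# 1. Startup configuration: per-machine and per-user Run/RunOnce registry keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
    }
}

# 2. Files created since $Since. %WinDir% is scanned at top level only because
#    a recursive walk of the Windows directory is slow and noisy.
$targets = @(
    @{ Path = $env:APPDATA;      Recurse = $true  },
    @{ Path = $env:LOCALAPPDATA; Recurse = $true  },
    @{ Path = $env:ProgramData;  Recurse = $true  },
    @{ Path = $env:TEMP;         Recurse = $true  },
    @{ Path = $env:WinDir;       Recurse = $false }
)
$recent = foreach ($t in $targets) {
    Get-ChildItem -LiteralPath $t.Path -File -Force -Recurse:($t.Recurse) -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since }
}
# %Temp% usually sits under %LocalAppData%, so drop paths that were found twice.
$recent = $recent | Sort-Object FullName -Unique

# 3. Recently created executables and scripts without a valid Authenticode signature.
#    Plenty of legitimate files are unsigned: this is a list to review, not a verdict.
$exts = '.exe', '.dll', '.scr', '.ps1'
$unsigned = $recent | Where-Object { $exts -contains $_.Extension } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ File = $_.FullName; Created = $_.CreationTime; Signature = $sig.Status }
    }
}

$autostart | Format-Table -AutoSize -Wrap
$recent | Sort-Object CreationTime | Select-Object CreationTime, Length, FullName | Format-Table -AutoSize
$unsigned | Format-Table -AutoSize -Wrap
```

Compare the autostart commands against the unsigned-file list: an entry that launches a recently created, unsigned file from one of these folders is the first thing to disable and investigate.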

To remove the ransomware virus, you can use security tools like Microsoft Safety Scanner for a full scan, or Microsoft Security Essentials for Windows 7, and Windows Defender for Windows 10/8/8.1 for real-time protection.

If you can't remove a virus manually, you can try using a professional ransomware decryptor tool to decrypt encrypted files, such as Kaspersky, Phobos, Gandcrab, and others.

Restore system and files from the previous backup

If you create backups of your files and system, you can easily restore them in case of any data loss or system crashes, which helps prevent significant downtime and financial losses.

1. On Windows 7, insert the installation disc or the repair disc you created earlier and set it as the first boot option in your BIOS settings. Then, boot from the disc.

2. Select language and other preferences, click Next.

3. Click Repair Your Computer.

4. Windows 7 is an outdated operating system and no longer supported by Microsoft. I recommend upgrading to a newer version of Windows, such as Windows 10 or Windows 11, for better security and performance.

5. On the System Recovery Options window, click System Restore and follow the on-screen instructions to complete the System Restore process.

Backup Files in PE Mode If You Don't Have a Backup

If you don't have backups, you can try to back up your files in "safe mode" (PE mode) and then remove the ransomware virus, but be aware that some versions of WannaCry might delete all your encrypted files. Once a decryption tool is available, you can restore your files.

To back up files without the virus running, perform the file backup under Windows PE mode, using backup software whose image format is not targeted by the ransomware. For WannaCry, Qiling Disk Master Free is one such tool.

Please download it to have a try!

The free version of the software only supports Windows 7, 8, 10, and 11, and for server users, Qiling Disk Master Server is recommended.

1. To create a bootable USB with the free backup software, simply download and install the software, then run it and follow the on-screen instructions to create a bootable USB drive. This will allow you to boot your computer from the USB drive and access your backed-up data.

To create bootable media, go to Tools > Create Bootable Media, select the disc type (Windows PE or Linux), storage device (USB, CD/DVD, or ISO), and click Next to start the creation process.

2. Restart your computer and press a specific key repeatedly when you see the computer logo to access BIOS. In the BIOS settings, navigate to the Boot tab and set the computer to boot from the boot media. This will allow the installation process to proceed.

3. When Qiling Disk Master fully loads, click "Backup" and select "File Backup" to back up your files.

Tip: With a Qiling account, you can also select Cloud Backup, which allows you to backup files directly to Qiling Cloud and offers 1TB of free cloud storage for 15 days.

4. To back up files, click on "Files" or "Folders" to select the items you want to save, then choose a location to save the backup image, such as an external hard drive or USB drive.

5. Click Proceed to create a duplicate copy of your files and folders.

How to Remove Lockscreen Ransomware Like Petya

Lockscreen ransomware blocks access to Windows and its files, while Petya ransomware encrypts files on your computer, starting about an hour after rebooting it.

If your PC is infected with ransomware, it's essential to shut it down immediately to prevent files from being encrypted. If you're unable to do so, running anti-virus software in Safe Mode can help contain the issue.

1. Use a working computer to download anti-virus software like Microsoft Safety Scanner on a USB flash drive or CD.

2. Connect it to your computer that is infected.

3. At computer startup, press F8 to enter Advanced Boot Menu, then select Windows Safe Mode.

4. To remove the ransomware virus, open the security tool in safe mode and use it to scan your PC, then remove the virus.

If you've created backups, you can restore your PC to an earlier date to remove the virus and regain control of your PC.

How to Prevent Ransomware in the Future

To protect your PC from ransomware attacks like WannaCry, which was the largest cyber attack in history, ensure that your Windows operating system is fully updated. This will prevent ransomware from being able to infect your device.

1. Download and install the Windows patch MS17-010.

2. Update Windows to the latest version.

3. If you're unable to update Windows, you can block port 445 and turn off the SMB feature to prevent the vulnerability from being exploited.

4. Always enable the firewall and update anti-virus software.

5. Back up your computer regularly using Qiling Disk Master, which can schedule backups and manage disk space professionally.
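
Step 3 above, and the earlier advice to block TCP port 445, can be applied and verified from an elevated PowerShell prompt. This is an added example, not from the original article; it assumes a Windows 8, 10 or 11 client where the SmbShare, NetSecurity and DISM cmdlets are available, and the firewall rule name and the Get-SmbExposure helper are made up for the example.

```powershell
# Added example. Run in an elevated PowerShell session.
# Assumptions: Windows 8 or later client; the rule name below is illustrative.
$ruleName = 'Block inbound SMB (TCP 445) - example'

function Get-SmbExposure {
    # Snapshot of the settings the article asks you to turn off.
    $cfg  = Get-SmbServerConfiguration
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $conn = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = $feat.State
        Listening445      = [bool]$conn
        BlockRulePresent  = [bool]$rule
    }
}

'Before:'; Get-SmbExposure | Format-List

# 1. Stop the SMB server from accepting SMBv1, the protocol version fixed by MS17-010.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. Remove the SMBv1 optional feature; this takes full effect after the next reboot.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 3. Block inbound TCP 445 on every firewall profile. This also stops this PC from
#    sharing its own files and printers; connecting out to other shares still works.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

'After:'; Get-SmbExposure | Format-List

# Windows 7 has no NetSecurity module; the equivalent firewall rule there is:
#   netsh advfirewall firewall add rule name="Block inbound SMB 445" dir=in action=block protocol=TCP localport=445
```

Listening445 can still read True after the rule is added, because the SMB service keeps its socket open; the block rule is what stops other machines from reaching it.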

Summary

To remove ransomware, follow the methods mentioned earlier, and once it's fully removed, create a backup of your system and files. This may seem like an old routine, but it's the most effective defense against ransomware or any other unexpected issues.

You can create a scheduled backup with the help of Qiling Disk Master, which by default only backs up changed files after the first full backup. This can help free up space, and you can also choose to use differential backup or automatic backup cleanup for added convenience.
