How to Remove Ransomware Virus and Restore Files Quickly  



Table of Contents
  1. About Ransomware Virus
  2. What Should You Do after Infected?
  3. How to Remove Encryption Ransomware Virus Step by Step
    1. Remove Ransomware Virus Manually
    2. Restore system and files from the previous backup
    3. Backup Files in PE Mode If You Don't Have a Backup
  4. How to Remove Lockscreen Ransomware Like Petya
  5. How to Prevent Ransomware in the Future
  6. Summary

About Ransomware Virus

Ransomware is a type of malware that takes control of your computer and demands money (usually in bitcoins). There are two types of ransomware: encryption ransomware, like WannaCry, and lockscreen ransomware, like Petya, which locks the full screen to prevent you from using your computer and files.

The most famous ransomware attack is WannaCry (also called WannaCrypt, WanaCrypt0r and Wana DeCrypt0r) in 2017. It has infected more than 1,600 million computers around the world. Its variants may be more threatening, so it is necessary to put ransomware protection in place to protect your data.

If your computer is infected, do not panic. You can follow this ransomware virus removal guide to remove it in Windows 7, 8, 10, 11, XP or Vista, or recover locked or encrypted files.

What Should You Do after Infected?

If you see the alert "Oops, your files have been encrypted" and a demand to pay 300 dollars' worth of bitcoins to decrypt the files, then your computer is infected with the WannaCry virus.


Follow the steps below to remove the ransomware virus and restore your files.

1. You should immediately disconnect from the internet so that the virus cannot spread to another computer within your network.

2. Block port 445. WannaCry infects computers via TCP port 445, which the system opens by default, and so does the Petya variant.

3. Remove ransomware virus manually.

4. If you have created backups of your files and system, you can directly restore to an earlier state where there is no virus.

How to Remove Encryption Ransomware Virus Step by Step

Please disconnect from the internet and disable port 445 first, then remove the ransomware virus and restore the system and files to a previous date. If you don't have a backup, you can still back up files in safe mode to recover as many of your files as possible.

Remove Ransomware Virus Manually

If you are familiar with Windows settings and configurations, you can manually delete the virus. Check Task Manager, the Windows Startup configuration, and the Registry for any suspicious processes or strings. If you find one, disable it and delete the files.

Then type %AppData%, %LocalAppData%, %ProgramData% and %WinDir% individually in the Windows Start search box. Each one opens a folder in File Explorer, where you can delete the recently created files. Then type "%Temp%" and delete everything from that folder.
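The manual checks described above can be gathered into one read-only listing before anything is deleted. This PowerShell script is an added example, not part of the original article; the 3-day look-back window and the list of file extensions are assumptions to adjust.

```powershell
# Added example: read-only triage. It lists candidates and deletes nothing.
$days   = 3                                   # look-back window (assumption; adjust)
$cutoff = (Get-Date).AddDays(-$days)

# 1. Programs that start automatically: Run/RunOnce registry keys
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$psProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    if (-not $item) { continue }              # key exists but holds no values
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notin $psProps) {        # skip provider metadata properties
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Per-user and all-users Startup folders
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Force -File } |
    Select-Object FullName, CreationTime

# 3. Recently created executables and scripts in the folders named above.
#    %WinDir% is listed at top level only; recursing into it takes very long.
$exts  = '.exe','.dll','.scr','.bat','.cmd','.vbs','.js','.ps1'
$roots = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP
$found  = @(Get-ChildItem -LiteralPath $roots -Recurse -File -Force -ErrorAction SilentlyContinue)
$found += @(Get-ChildItem -LiteralPath $env:windir -File -Force -ErrorAction SilentlyContinue)
$recent = $found |
    Where-Object { $_.CreationTime -ge $cutoff -and $_.Extension -in $exts } |
    Sort-Object FullName -Unique |            # %Temp% usually sits inside %LocalAppData%
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, Length

'--- Autorun registry values ---';  $autoruns | Format-Table -AutoSize -Wrap
'--- Startup folder items ---';     $startup  | Format-Table -AutoSize -Wrap
"--- Created in the last $days days ---"; $recent | Format-Table -AutoSize -Wrap
```

Compare the autorun commands against the recently created files: an entry that launches a file from one of these folders is the first thing to disable.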


You can also use the security tool Microsoft Safety Scanner to perform a full scan and help you remove the ransomware virus. However, it does not provide real-time virus protection. If your computer is running Windows 7, you can download Microsoft Security Essentials to guard your PC against viruses and malware. In Windows 10/8/8.1, the built-in safety tool Windows Defender can help you do that.

If you can't remove the virus manually, you can try a professional ransomware decryptor tool to decrypt the encrypted files, such as Kaspersky, the Phobos ransomware decryptor, the Gandcrab ransomware decryption tool, etc.

Restore system and files from the previous backup

If you created backups of your files and system beforehand, you can restore them easily:

1. Insert the Windows 7 installation disc or a repair disk created beforehand, set it as the first boot option in BIOS and boot from it.

2. Select language and other preferences, click Next.

3. Click Repair Your Computer.


4. Select the operating system you are currently using, here Windows 7.

5. On the System Recovery Options window, click System Restore and follow the on-screen instructions to complete it.


Backup Files in PE Mode If You Don't Have a Backup

If you have no backups, you can back up files in PE mode and then remove the ransomware virus, in case variants of WannaCry delete all your encrypted files. A decryption tool is probably on the way. Once it is out, you can have your files back.

To back up files without the virus running, you should perform the file backup under Windows PE mode. The backup image has to have a special format which is not in the ransomware target list. Therefore, we recommend Qiling Disk Master Free for the WannaCry ransomware.

Please download it to have a try!

(Note: The free version only supports Windows 7, 8, 10, 11. For server users, try Qiling Disk Master Server!)

1. Run this free backup software and create a bootable USB to boot your computer.

Go to Tools > Create Bootable Media. You will be asked to select the disc type (Windows PE or Linux) and the storage device (USB, CD/DVD or ISO). Make your choices and click Next to start creation.


2. Restart your computer. When you see the computer logo, press a specific key repeatedly to access BIOS and set it to boot from the boot media in the Boot tab.

3. When Qiling Disk Master has fully loaded, click Backup and then select File Backup to back up your files.


Tip: You can also select Cloud Backup if you have a Qiling account, which allows you to back up files to Qiling Cloud directly. It still offers you 1TB of free cloud storage for 15 days.

4. Click Files or Folders to include the items you want to back up and select a path to save the backup image. You can choose to back up files to an external hard drive or USB drive for convenience.


5. Then, click Proceed to create a duplicate copy of your files and folders.

How to Remove Lockscreen Ransomware Like Petya

Lockscreen ransomware blocks you from accessing Windows and any files in it. If Petya ransomware infects your computer, after about an hour it will reboot your computer and start to encrypt files.

During the reboot, you should shut down your PC to prevent files being encrypted. If you miss that chance to shut down your computer, then you can run anti-virus software in Safe Mode.

1. Use a working computer to download anti-virus software like Microsoft Safety Scanner on a USB flash drive or CD.

2. Connect it to the infected computer.

3. At computer startup, press F8 to enter Advanced Boot Menu. Then select Windows Safe Mode.

4. In safe mode, open the security tool to scan your PC and then remove the ransomware virus.

Once again, if you have created backups beforehand, you can restore your PC to an earlier date to remove the virus and get control of your PC.

How to Prevent Ransomware in the Future

Ransomware, including WannaCry, the largest cyber attack in history, should not be able to touch your PC if it is running a fully updated copy of Windows. Therefore, you should:

1. Download and install the Windows patch MS17-010.

2. Update Windows to the latest version.

3. If you do not or cannot update Windows, you can disable port 445 and turn off the SMB feature.

4. Always enable the firewall and update anti-virus software.

5. Back up your computer on a regular basis. Qiling Disk Master can do you a big favor here, especially with scheduled backups, and manages disk space in a professional way.
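Steps 3 and 4 above, and the "Block port 445" step earlier in this guide, can be applied and then verified from PowerShell. This script is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later (these cmdlets are not available on Windows 7) and an elevated prompt, and the firewall rule name is made up for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: block inbound SMB and turn off SMBv1, then report the result.

$ruleName = 'Block inbound SMB (TCP 445)'     # rule name chosen for this example

# 1. Block inbound TCP 445 in every firewall profile, unless the rule already exists.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 2. Make sure the firewall itself is switched on for all profiles.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 3. Turn off the SMBv1 server, the protocol version targeted by MS17-010.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Remove the SMBv1 optional feature where it is present (effective after reboot).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
    -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 5. Report the resulting state so the change can be checked rather than assumed.
[pscustomobject]@{
    FirewallRuleAction = (Get-NetFirewallRule -DisplayName $ruleName).Action
    FirewallProfilesOn = -not (Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    Smb1ServerEnabled  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1FeatureState   = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                             -ErrorAction SilentlyContinue).State
    Port445Listening   = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                             -ErrorAction SilentlyContinue)
} | Format-List
```

Blocking inbound port 445 also stops other computers from reaching file and printer shares hosted on this PC, so remove the rule once the machine is patched if it needs to share files.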

Summary

You can follow the above methods to remove the ransomware virus. After you have removed it fully, you should create a backup of your system and files. Although backup may seem an old routine, it is the most effective defense against ransomware or any other unexpected issues.

It's suggested to create a scheduled backup with the help of Qiling Disk Master. By default, it backs up only changed files after the first full backup. You can also choose to use differential backup or automatic backup cleanup in this software to free up space.
