Skip to main content

Hit by ransomware? This is what you need to do now

Audio player loading…

Click here for more (opens in new tab)

Ransomware is a form of malware on your computer that can lock your screen, files or operating system temporarily. It does so with the expectation that you, the user, will fork over the cash to get yourself out of the bind that an exploitative transgressor has used to hold your machine hostage. 

It’s been around for over 20 years now in one form or another, but never before has malware been so prevalent – and now, in an age where digital currencies, such as Bitcoin and Ethereum, can be used to conceal such dubious transactions, it’s increasingly likely that you'll encounter one of many ransomware ‘strains’ in the near or distant future.

Unfortunately, what’s less clear is what to do in the event that you’re struck by ransomware; with so many variables, including what type of ransomware you’ve fallen victim to, extricating yourself from an attack is no easy task. Luckily, we at TechRadar Pro are here to bail you out.

Screen-locking or encrypting ransomware?

Generally, there are two kinds of ransomware that you could be facing for which simply rebooting your machine or clearing your browser cache isn’t an immediately viable solution. 

The first, and easiest to resolve, is called screen-locking ransomware. This stunt typically involves a warning, allegedly issued by the police, FBI or other authority, that unless you pay the amount demanded your system will remain unusable. 

You’ll see screen-locking ransomware like this dubbed with a variety of different names, such as ‘lock screen ransomware’, across the web. However, for the sake of consistency we’re going to refer to it as screen-locking ransomware throughout this guide.

The other common type of ransomware is a tad more complicated to address. It’s called encrypting ransomware, and often it will lock or progressively delete your precious files, as an incentive for you to reach for your wallet instead of taking the time to carefully consider your next steps. 

Regardless of what type of ransomware you’re seeing, the first step is to make sure that it’s real. It’s easy for fraudsters  to tap into the naivety of PC or Mac users by producing a fake ransom that someone will inevitably believe. 

If you’re on Windows, try opening Task Manager and closing out of the compromised application by pressing the Control, Shift and Esc keys simultaneously. If you’re on a Mac, do the same thing in Activity Monitor by pressing Command, Option and Esc.

Terminating screen-locking ransomware

If you’ve determined that it’s screen-locking ransomware you’re dealing with, and that no amount of keyboard shortcuts can save you, you’ll want to start contemplating your options. Before you do that, though, make sure nothing is connected to the infected device in question, lest the disease spread and your whole office get mad at you.

That means disconnect any connected peripherals, such as external hard drives, printers, webcams and anything else that could potentially be used to ruin your life like that one episode of Black Mirror – learn from Shut Up and Dance (opens in new tab). Then, disconnect from the internet completely if you can.

Next, try to take a screenshot of the ransom note. If that’s impossible, use a phone or camera to take a photograph of the note on your screen. This can be used as evidence should you decide to file a police report later on. 

If you’re using a Windows laptop or tablet, restart your system in Safe Mode by turning it off and then turning it back on while holding both the power and ‘S’ buttons on the keyboard. Mac users should reboot their computers by holding shift during bootup, and Windows PC users should consult their motherboard instruction manuals to access Safe Mode from the BIOS.

From there, you should be able to dislodge the ransomware using a free malware removal tool

If that doesn’t work, you can attempt to return to an earlier system state either in Windows System Restore (Select ‘Advanced Boot Options’ at startup or search ‘Recovery Options’ from the Cortana-enabled search bar at the bottom-left corner of the screen). Mac users can perform a similar exercise by restoring their files in Time Machine (Command+Space+Time Machine). 

After you've done this, we recommend running your antivirus software of choice one more time before filing a police report as your final step. 

Discharging encrypting ransomware

Encrypting ransomware has become increasingly common in the last couple of years. It goes by a number of different names, or strains, too, although there are only a few you’ll have to familiarize yourself with. 

Some of these strains, like GoldenEye and Crysis, are named after popular video games, the latter of which you won’t want to run no matter how impressive your graphics card is. Others have been crafted after horror movie villains, as is the case with Jigsaw, which is programmed to delete all of your files slowly and painfully over a 72-hour span.

If you or someone you know has fallen victim to encrypting ransomware, you’ll want to take a lot of the same steps we talked about in the previous, screen-locking ransomware section. So get disconnecting all of your peripherals and network connections, take a picture of the ransom note and make sure you have the best antivirus to troubleshoot the issue.

Should your trusty antivirus fail you the first time, reboot into Safe Mode using these instructions and try it again:

  • Windows tablet/laptop: Power button + S at startup
  • Windows desktop PC: Click restart + hold down Shift on login screen
  • Mac: Restart + hold down Shift

Once you’re in Safe Mode, do what you can to recover your files, either encrypted or deleted. There’s a plethora of file recovery software out there you can use. You can also use Crypto Sheriff (opens in new tab) and ID Ransomware (opens in new tab) to identify the encryption you’re dealing with and remove it from there. 

There’s also a website called No More Ransom (opens in new tab) that’s equipped with the decryption tools necessary to remove some types of ransomware decryption. 

If you have your important files backed up elsewhere, perhaps the best way to get rid of encrypting ransomware without succumbing to the desires of criminals is to reinstall your OS. 

For instructions on how to reinstall Windows 10, read our comprehensive guide. Mac users can reinstall macOS High Sierra by powering-on or restarting their computers and holding Command and R at the same time to access macOS Utilities, then selecting ‘Reinstall macOS’. Remember to file a police report using the photo you took earlier when you’re done.

  • Security Week by TechRadar Pro is brought to you in association with CyberGhost.
Gabe has been writing about video games and technology since he was 16 years old. Currently serving as a Contributing Editor & Producer for TechRadar, where he keeps articles fresh and up to date on the reg, you may recognize his byline from Digital Trends, TechSpot and Kotaku UK. He can't tell if his adoration of Sonic the Hedgehog is genuine or ironic anymore.