Helpdesk Challenge – how to spot and remove ransomware

Ransomware

Ransomware is a particularly distressing type of malware that creates a pop-up blocking all access to your machine unless you pay a fine for alleged illegal activities.


It’s designed to cause panic and alarm, locking your PC out of the blue, before demanding payment to make your system usable again. In short it’s old-fashioned extortion with a modern, digital twist.


How to spot a ransomware scam

A typical ransomware scam works like this. A pop-up message appears on your PC, obscuring everything else and preventing you from using any programs. It accuses you of committing illegal online activity and orders you to pay a fine in order to use your computer again. The points below explain how the scam works:

The software often claims to be from a local police authority or even the FBI. The message may have a veneer of authority, such as imagery of police logos, but there’s nothing official about it.

The scams often claim to have found evidence of illegal pornography on the computer, embarrassing targets into paying the stated fine.

The message in our example lists a huge catalogue of alleged crimes. In reality, no one who had committed any of these crimes would be let off with a fine paid online.

The ransomware message typically demands payment via a prepaid voucher from a company such as Ukash, because a voucher code is far harder to trace than a regular online bank transfer.

What you should do if your PC is infected with ransomware

You can reduce the risk as you would for any malware: keep Windows, your browser and its plug-ins patched, keep your security software up to date, don't open unexpected email attachments, and keep a backup of your important files on a drive that is not permanently connected to the PC.

Whatever you do, never pay the ‘fine’, even if you can’t access your PC. You’ll be putting money into criminal pockets and the payment may not unlock your PC anyway.

If your PC does get infected, it's relatively easy to remove the most common lock-screen ransomware, though the methods vary from infection to infection. File-encrypting ransomware such as CryptoLocker is a different matter: the steps below will remove the program, but they will not decrypt your files, which can only be recovered from a backup that was not attached to the PC while the infection was running.

Method 1: If you can still access most of your PC’s functions

1. MalwareBytes Anti-Malware Free is a good, free program that can remove the police-themed Ukash lock-screen scams and the program behind CryptoLocker (though it cannot undo CryptoLocker's encryption). Microsoft's Safety Scanner is another free alternative. Both can be used alongside your usual security software.

2. Download either program from its vendor's own website, then follow the on-screen installation instructions.

3. Run a full scan of your PC. Check each of the tick-boxes alongside the detected infections. Next, click on Remove Selected to clear the infected files.

Method 2: If your PC is frozen or locked-up

1. Restart your computer and press the F8 key repeatedly while the system is booting up (this works on Windows 7 and earlier; Windows 8 and later hide the F8 menu by default). Use the arrow keys to choose the option Safe Mode with Command Prompt. This starts Windows with only its essential drivers and none of the normal startup programs, so the lock-screen should not load.

2. At the command prompt that appears, type rstrui.exe and press the Enter key. This starts Windows System Restore, which lists the saved restore points.

3. Choose a restore point dated from before you were infected and restore your PC to it. Then download MalwareBytes Anti-Malware Free and follow the steps in Method 1 to scan for and remove any remaining infection.
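As an added example (this is not code from the Which? article; the function names, the "suspect directory" pattern and the sample date are this example's own assumptions), the following Windows PowerShell script automates the checks behind Method 2. It lists the autostart entries a police-scam locker typically plants (the Run/RunOnce keys, the Winlogon Shell and Userinit values, and the Startup folders), flags those that point into user-writable scratch directories, and then lists the restore points dated before the infection so you can pick a clean one. It assumes Windows PowerShell 5.1 run as Administrator from the Safe Mode command prompt, logged in as the account that was infected.

```powershell
# Added example, not code from the Which? article. Assumes Windows PowerShell 5.1
# started as Administrator (type "powershell" at the Safe Mode command prompt).
# Function names, the suspect-directory pattern and the sample date are this
# example's own assumptions.

# Autostart locations that lock-screen scams commonly abuse.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$StartupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Legitimate software rarely autostarts from a scratch directory a standard user can
# write to; malware dropped by an exploit kit or email attachment usually does.
function Test-SuspectPath {
    param([string]$Command)
    return ($Command -match '\\(AppData|Local Settings|Temp|Downloads)\\')
}

function Get-SuspectAutoruns {
    $hits = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if (Test-SuspectPath $p.Value) {
                $hits += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    # Winlogon: Shell should be explorer.exe and Userinit should be userinit.exe.
    # Lockers replace or prepend these so they run before the desktop appears.
    $wl = Get-ItemProperty -Path $WinlogonKey
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        $hits += [pscustomobject]@{ Location = $WinlogonKey; Name = 'Shell'; Command = $wl.Shell }
    }
    if ($wl.Userinit -and $wl.Userinit -notmatch '^[A-Z]:\\Windows\\system32\\userinit\.exe,?$') {
        $hits += [pscustomobject]@{ Location = $WinlogonKey; Name = 'Userinit'; Command = $wl.Userinit }
    }
    # Anything in a Startup folder deserves a look; desktop.ini is the only file normally there.
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
            $hits += [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
    return $hits
}

# Restore points created before the infection, newest first. Restoring rolls back the
# registry and system files (which removes the locker's autostart entry) but does not
# touch documents, so it cannot undo CryptoLocker-style encryption.
function Get-RestorePointsBefore {
    param([datetime]$Before)
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            SequenceNumber = $_.SequenceNumber
            Created        = $_.ConvertToDateTime($_.CreationTime)
            Description    = $_.Description
        }
    } | Where-Object { $_.Created -lt $Before } | Sort-Object Created -Descending
}

Get-SuspectAutoruns | Format-Table -AutoSize

# Sample date (constructed): the day the lock-screen first appeared.
$points = Get-RestorePointsBefore -Before (Get-Date '2013-11-20')
$points | Format-Table -AutoSize

# Uncomment to roll back to the newest clean point. This reboots the PC; scan with
# Malwarebytes afterwards, as in Method 1, to remove the dropped file itself.
# Restore-Computer -RestorePoint $points[0].SequenceNumber
```

Read the autorun table before restoring: the entry that points at an .exe in AppData or Temp is normally the locker, and noting its path lets you confirm after the restore and scan that the file is gone. Get-ComputerRestorePoint and Restore-Computer exist only in Windows PowerShell (not PowerShell 7) and need System Restore to be enabled on the drive.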


11 replies

  1. This is a poorly written piece, I understand that it is aimed at people with minimal technical knowledge but you have to give more information, explain how to avoid the issue in the first place and you have not even bothered to mention Cryptolocker which is by far the most common form of ransomware around at present.

    1. Read again.

      Method 1, Paragraph 1 – MalwareBytes Anti-Malware Free is a good, free program that can remove CryptoLocker and similar Ukash ransomware scams.

      I think that mentions the infamous CryptoLocker.

  2. This information is incomplete, misleading and out of date. As is the item in the latest Which magazine on this subject.

    Although you may be able to remove the infection from the computer, malware like Cryptolocker will encrypt files in a way that cannot be recovered without a key purchased from the thieves. The malware will encrypt files on all disks attached to the computer at the time, including network drives and potentially cloud storage drives as well, meaning that your backups may also be destroyed. You may as well delete the files as they are as good as gone.

    Or, if you believe in fairies and honest thieves, you can pay the ransom and you just might get your files back. Or not.

    Seriously WHICH, this topic deserves some informed, complete and up to date coverage.

    1. I was hit with this horror last year. Fortunately, I had access to another PC to investigate a cure. I am not claiming to be any sort of expert with a wonderful cure-all. Since that incident happened, I have created a spare account (you can call it whatever you like). If this ever happens again, I can log into my second account and run Malwarebytes or whatever good anti-malware you favour.

  3. Well done for exposing these internet criminals and giving good advice.

    But why have they been able to continue their activities for so long? What are the police doing to apprehend the villains?

  4. * DO NOT FOLLOW THE INSTRUCTIONS FROM WHICH! *

    If you think you may have this virus/malware I would recommend powering down your computer immediately, removing the hard disk and taking it to an expert. If you power it up and run an anti-malware scan the CryptoLocker program could be encrypting more files and making the situation worse for you.

    Also, since CryptoLocker encrypts data files and not system files, running a system restore, as the Which guide suggests, will not help.

    Although I agree that you should not pay the ransom.

  5. This information is largely out of date, it used to be as simple as rebooting in safe mode with networking (this enables you to get online and run Malwarebytes) but new changes to the ransomware will lock up your machine unless you are safe and off-line.

    Anybody concerned should do their research now so they can have their repair remedy on a USB stick and know what files they have to look for to delete. Run Malwarebytes to get rid of the executable and then CCleaner to get rid of any detritus hanging around.

  6. What has happened to “Which?” editing?

    Under the heading “What you should do if your PC is infected with ransomware” we read: “If you’re PC does get infected ,,,”

    Yours (or should it be “You’res”?), John Parker

  7. This refers to your advice on "Police Scams" – a better solution

    Method 2: If your PC is frozen or locked-up
    I have experienced this "Police" scam on a couple of occasions, so this is my advice:

    If your PC is frozen you CANNOT effect a normal restart of your computer BUT only switch it off or unplug it and hope it reboots OK next time. So my solution is simpler and more effective…
    Step 1 Ctrl Alt Delete to access the Task Manager
    Step 2 The "Police" Scam will show as a running process. Just right click and select "End Process"
    The PC is now unfrozen.

    I would then recommend you run a security scan using the software you suggest.

    1. I agree Which?’s response is weak. Admittedly Which?’s demographic may include a large proportion of people who are not computer wizards, but that only reinforces the need for detailed but accessible information about this sort of problem.
      I was hit once by this sort of malware. Safe Mode plus System Restore and a full deep malware scan sorted it, but this was not CryptoLocker but a weaker sibling. It did lock me out of Ctrl+Alt+Del.
