Helpdesk Challenge – how to spot and remove ransomware

by , Deputy Computing Editor Computing Helpdesk 21/01/2014
Ransomware

Ransomware is a particularly distressing type of malware. The most common form seen on home PCs is the lock-screen type described in this article: a pop-up blocks all access to your machine unless you pay a ‘fine’ for alleged illegal activities. The other main form, of which CryptoLocker is the best-known example, encrypts your documents instead and demands payment for the key that unlocks them.

It’s designed to cause panic and alarm, locking your PC out of the blue, before demanding payment to make your system usable again. In short it’s old-fashioned extortion with a modern, digital twist.

How to spot a ransomware scam

Below is an example of a typical ransomware scam. The pop-up message appears on your PC, obscuring everything else and preventing you from using any programs. It accuses you of committing illegal online activity and orders you to pay a fine in order to use your computer again.

The software often claims to be from a local police authority or even the FBI. The message may have a veneer of authority, such as imagery of police logos, but there’s nothing official about it.

The scams often claim to have found evidence of illegal pornography on the computer, embarrassing targets into paying the stated fine.

In our example above, a huge catalogue of alleged crimes has been listed. However, in reality, no one who had committed any of these crimes would be let off with a fine paid online.

The ransomware message typically demands payment in the form of a prepaid voucher from a company such as Ukash, because a voucher code is far harder to trace back to whoever redeems it than a regular online bank transfer.

What you should do if your PC is infected with ransomware

You can reduce the risk as you would for any malware: keep Windows, your browser and its plug-ins patched, keep your security software up to date, don’t open unexpected email attachments, and keep a backup of your documents on a drive that isn’t left permanently connected to the PC.

Whatever you do, never pay the ‘fine’, even if you can’t access your PC. You’ll be putting money into criminal pockets and the payment may not unlock your PC anyway.

If your PC does get infected it’s relatively easy to remove most common lock-screen ransomware, though the methods to do so vary from infection to infection. Bear in mind that removing the malware is not the same as undoing its damage: files that encrypting ransomware such as CryptoLocker has already scrambled stay scrambled after the program is gone, and can only be recovered from a backup the malware couldn’t reach.

Method 1: If you can still access most of your PC’s functions

1. MalwareBytes Anti-Malware Free is a good, free program that can remove the lock-screen scams described above and the CryptoLocker program itself (though not decrypt the files CryptoLocker has already encrypted). Microsoft’s Safety Scanner is another free alternative. Both can be used alongside your usual security software.

2. Download either program from its maker’s own website, then follow the on-screen installation instructions.

3. Run a full scan of your PC. Check each of the tick-boxes alongside the detected infections. Next, click on Remove Selected to clear the infected files.

Method 2: If your PC is frozen or locked-up

1. Restart your computer and press the F8 key repeatedly while the system is booting up. This opens the Advanced Boot Options menu; use the arrow keys to choose Safe Mode with Command Prompt. Safe Mode starts Windows with only a minimal set of drivers and services and doesn’t run the normal start-up programs, so the ransomware’s lock screen usually isn’t loaded. On Windows 8 the F8 menu is often skipped: hold Shift while clicking Restart, then choose Troubleshoot, Advanced options, Startup Settings, and pick Safe Mode with Command Prompt from the list.

2. At the command prompt that appears, type rstrui.exe and press the Enter key. This starts the Windows System Restore screen that lists the restore points saved on your PC.

3. Choose a restore point from before you were infected, then restore your PC to this point. System Restore rolls back system files, the registry and installed programs, which is what removes the lock screen’s start-up entry; it doesn’t touch your documents, so it won’t undo anything an encrypting ransomware has already done to them. Afterwards, download the MalwareBytes Anti-Malware Free software and follow the tips covered in Method 1 to scan and remove any remaining infections from your PC.
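Both methods above work because a lock-screen scam is just an ordinary program that Windows has been told to start at logon, usually by overwriting the Winlogon “Shell” value (so the scam window appears instead of the desktop) or by adding a Run key or Startup-folder entry that points at a file in the user’s profile. The script below is an added example, written for this page and not part of the original article or of any of the tools it names. It lists the restore points that rstrui.exe would offer (Method 2) and checks the autostart locations that lock-screen ransomware typically hijacks, so you can see what is going to launch before you log back in normally. It assumes Windows 7 or 8 with Windows PowerShell 2.0 or later and the standard Windows registry and folder layout; the list of “suspect” directories is a heuristic of mine, not a definition, and legitimate programs that install to the user profile will be listed too and must be judged by name and path.

```powershell
# Added example (not from the Which? article). Run from "Safe Mode with Command Prompt" with:
#   powershell -ExecutionPolicy Bypass -File .\Find-LockerPersistence.ps1
# Assumes Windows 7/8 with Windows PowerShell 2.0+ and default registry/folder layout.

$findings = @()

# 1. Winlogon Shell / Userinit. A locker that replaces explorer.exe here gets its
#    window drawn instead of the desktop at every logon.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$($wl.Shell)' (expected 'explorer.exe')"
}
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($wl.Userinit -ne $expectedUserinit) {
    $findings += "Winlogon Userinit is '$($wl.Userinit)' (expected '$expectedUserinit')"
}
# A per-user Shell value under HKCU overrides the machine-wide one and is a favourite hiding place.
$userShell = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
              -ErrorAction SilentlyContinue).Shell
if ($userShell) { $findings += "Per-user Shell override set: '$userShell'" }

# 2. Run / RunOnce keys. Flag entries that launch from user-writable locations
#    (heuristic: genuine software installed per-user will show up here too).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE, $env:ProgramData)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PSPath/PSParentPath etc. added by the provider
        $cmd = [string]$p.Value
        foreach ($d in $suspectDirs) {
            if ($d -and $cmd.ToLower().Contains($d.ToLower())) {
                $findings += "$key\$($p.Name) -> $cmd"
                break
            }
        }
    }
}

# 3. Startup folders: anything here runs at logon for that user / for everyone.
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($d in $startupDirs) {
    Get-ChildItem -Path $d -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Startup folder item: $($_.FullName)"
    }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found.' }
else { 'Suspicious autostart entries:'; $findings | ForEach-Object { "  $_" } }

# 4. Restore points that rstrui.exe (Method 2) will offer, newest first.
'Restore points:'
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Sort-Object SequenceNumber -Descending |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
```

If the script reports a Winlogon Shell other than explorer.exe, note the path it points at: that file is the lock screen, and setting Shell back to explorer.exe (or running System Restore as in Method 2) stops it being launched at logon, after which an anti-malware scan removes the file itself. A clean result from this script tells you nothing about encrypted documents, for which only a backup helps.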

8 comments


M S Carr

This is a poorly written piece. I understand that it is aimed at people with minimal technical knowledge but you have to give more information, explain how to avoid the issue in the first place, and you have not even bothered to mention Cryptolocker, which is by far the most common form of ransomware around at present.

terfar

Read again.

Method 1, Paragraph 1 – MalwareBytes Anti-Malware Free is a good, free program that can remove CryptoLocker and similar Ukash ransomware scams.

I think that mentions the infamous CryptoLocker.

Mrs Young

What do I do with an Apple Mac computer please?

Ian S

This information is incomplete, misleading and out of date. As is the item in the latest Which magazine on this subject.

Although you may be able to remove the infection from the computer, malware like Cryptolocker will encrypt files in a way that cannot be recovered without a key purchased from the thieves. The malware will encrypt files on all disks attached to the computer at the time, including network drives and potentially cloud storage drives as well. Meaning that your backups may also be destroyed. You may as well delete the files as they are as good as gone.

Or, if you believe in fairies and honest thieves, you can pay the ransom and you just might get your files back. Or not.

Seriously WHICH, this topic deserves some informed, complete and up to date coverage.

John W.

I was hit with this horror last year. Fortunately, I had access to another PC to investigate a cure. I am not claiming to be any sort of expert with a wonderful cure-all. Since that incident happened, I have created a spare account (you can call it whatever you like). If this ever happens again, I can log into my second account and run Malwarebytes or whatever good anti-malware you favour.

Tony Stirling

Well done for exposing these internet criminals and giving good advice.

But why have they been able to continue their activities for so long? What are the police doing to apprehend the villains?

mark

* DO NOT FOLLOW THE INSTRUCTIONS FROM WHICH! *

If you think you may have this virus/malware I would recommend powering down your computer immediately, removing the hard disk and taking it to an expert. If you power it up and run an anti-malware scan the Cryptolocker program could be encrypting more files and making the situation worse for you.

Also, since Cryptolocker encrypts data files and not system files, running a system restore, as the Which guide suggests, will not help.

Although I agree that you should not pay the ransom.

Tony

This information is largely out of date. It used to be as simple as rebooting in safe mode with networking (this enables you to get online and run Malwarebytes), but new changes to the ransomware will lock up your machine unless you are in safe mode and off-line.

Anybody concerned should do their research now so they can have their repair remedy on a USB stick and know what files they have to look for to delete. Run Malwarebytes to get rid of the executable and then CCleaner to get rid of any detritus hanging around.
