Don’t Pay Up – How To Beat Ransomware!

Just imagine if someone showed up on your doorstep and said, “Hey, there’s mice in your house that you didn’t know about. Give us $100 and we’ll get rid of them.” This is the Ransomware Scam in its original form. There actually used to be people that would go around, let pests into your house and then knock on your door and point them out to you. “Good thing we saw them while driving by!” This scam must be making someone some good money because it’s still going on.

The scam needs a few things to be successful. First, the problem must be real. Whether the crook is putting mice in your crawlspace or malware on your computer, there is a real and verifiable threat. Second, they have to make themselves look like credible experts to make you think they can solve the problem. This could be an exterminator truck and coveralls, or the illegal use of an official logo like the RCMP. Third, they need to get your cash in hand quick before you can realize what’s going on. The exterminator might do this by saying something like, “Just give us $100 cash and we don’t have to charge you for a service call because we were already in the neighbourhood.” The online crook will take your credit card or a gift card.

Where things really take two different tracks between the real-life con and the online con is what can happen after you’ve paid them off. The real-life scum generally disappear, never to be heard from again. The online scum may leave behind malware that opens you up to them again and again. Or if they got your credit card and other personal information, they may just ruin your life as you know it.

First Things First

Yes, you’re going to get the whole “an ounce of prevention is worth a pound of cure” speech. Why? Because it is true.

Make sure that you are using the full gamut of security software – anti-virus, firewall, anti-phishing software, what have you. There are plenty of freeware versions out there that are very good. Make sure that all of your security software is up-to-date, and that all the important security updates for your operating system are installed. Make sure that you are using your computer’s System Restore utility or back-up software. Try to stick only to reputable websites, don’t download pirated materials, and only open attachments that you are expecting to receive.

But, unfortunately, if you’re reading this, you probably missed a link in that chain somewhere. So what now?

Is It Ransomware?

So how do you know you’re being taken? Here’s a few clues:

  • Microsoft does NOT make house calls.
  • The police DO make house calls.
  • The software that the ransomware claims to be is NOT the security software that you installed.
  • Helpful people don’t disable the rest of your computer until you pay them.

If any of the above apply to your situation, you just might have ransomware.

[Screenshot: Ukash ransomware lock screen]

Now What?

Force your computer to power down. Most often this can be done just by holding the power button down for a few seconds. Before you get ready to power your computer up again, be ready to hit the F8 button. What I normally do is hit the power button and start tapping the F8 key about once a second until I get a text screen like the one below.

[Screenshot: Advanced Boot Options text screen showing Safe Mode with Command Prompt]

Now, choose Safe Mode with Command Prompt. You’ll see some text go flying by and eventually you’ll just see a line of text with a cursor blinking at you. At this point, type this in and hit Enter:

C:\windows\system32\rstrui.exe

[Screenshot: starting System Restore from the command line]

Why do you have to do this from the command line? You might not have to, but the most recent and virulent police/RCMP/Ukash ransomware only seems to be defeatable this way. Safe Mode with Command Prompt loads only the MOST essential Windows services and does not connect you to your network or Internet connection, so the ransomware’s lock screen never gets a chance to start.

Once the System Restore utility opens, hopefully you’ll have a few restore points to choose from. Choose one that is definitely a time before you got the ransomware. Follow the prompts to restore your Windows installation to that point in time. The restoration process might take a little time, so relax.

[Screenshot: System Restore choosing a restore point]

Reboot your computer and allow it to go into Windows normal mode. That’s done by just sitting back and letting the computer do its thing. The ransomware should now be gone.

Run your antivirus software and perform as thorough a scan of all your hard drives as possible. This might take a little while so relax and have a fine beverage.

Once this is all done, you may want to scan your computer with another antivirus program. Let’s face it, yours missed it the first time.  ClamWin is a decent one that can be run from a USB drive.
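The prevention advice above (keep System Restore switched on) and the rstrui.exe procedure both depend on restore points actually existing. The following is an added example, not part of the original article, that checks this from an elevated Windows PowerShell 5.1 prompt: it lists the restore points rstrui.exe would offer, turns System Restore back on for the system drive if there are none, and takes a fresh checkpoint. The only assumption is that Windows lives on C:\ (the $SystemDrive value); the cmdlets and registry value are standard Windows ones.

```powershell
# Added example (not from the original article): verify that System Restore is
# protecting the Windows drive, list the restore points rstrui.exe would show,
# and create a known-good checkpoint. Run from an elevated Windows PowerShell
# 5.1 prompt; Get-ComputerRestorePoint is not available in PowerShell 7.
$SystemDrive = "C:\"   # assumption: Windows is installed on C:

# Restore points are WMI SystemRestore objects; CreationTime is a WMI date
# string, which ConvertToDateTime turns into a normal DateTime.
$points = @(Get-ComputerRestorePoint | Sort-Object CreationTime)

if ($points.Count -eq 0) {
    # An empty list almost always means System Restore is disabled for the
    # drive (the "I Disabled System Restore" case) or it has never run.
    Write-Host "No restore points found. Enabling System Restore on $SystemDrive."
    Enable-ComputerRestore -Drive $SystemDrive
} else {
    $oldest = $points[0].ConvertToDateTime($points[0].CreationTime)
    $newest = $points[-1].ConvertToDateTime($points[-1].CreationTime)
    Write-Host ("{0} restore point(s); oldest {1}, newest {2}" -f $points.Count, $oldest, $newest)
    $points | Format-Table SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize
}

# Take a checkpoint now so a clean point to roll back to exists before the
# next bad download. Windows 8 and later only create one manual checkpoint per
# 24 hours unless SystemRestorePointCreationFrequency (minutes, DWORD) under
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is lowered.
Checkpoint-Computer -Description "Known-good baseline" -RestorePointType "MODIFY_SETTINGS"
```

If the script reports restore points whose newest date is weeks old, that is the warning sign: a rollback from Safe Mode will only take you back that far, so it is worth running a checkpoint before installing or downloading anything new.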

I Disabled System Restore

Why? I bet you feel a little silly now, don’t you? Fret not, there are still ways to remove this ransomware. You’ll need the following:

  • An empty USB drive or CD to which you can burn files.
  • A computer with an Internet connection that is not infected.
  • A little patience and courage.

Get on the Internet and look for Windows Live Repair CDs. There are a bunch of them out there, but any of the ones that Justin mentions in his article, Three Live CD Antivirus Scanners You Can Try When Windows Won’t Start, will do. They are all EXCELLENT choices. I keep all three in my IT toolkit.

If you’re looking for bootable USB tools, you can try Dave’s article The PC Repair Toolkit in your Pocket: Boot CD on a USB Stick. Sure, the article is from 2008, but the method and software are still valid and work like a charm.

How Do I Use The CD Or USB Drive?

Before you power down your computer, you want to put the CD into your CD drive. If you are using the USB drive option, wait until the computer is powered down to insert it.

Now restart the computer. As it is restarting you’ll need to tap the button that will give you the Boot Menu. On my Acer, it’s F12. It may be different on your computer. Once you get the boot menu, choose to boot from the CD/DVD drive or the USB drive – whichever applies to you.

[Screenshot: boot device menu]

Your computer is going to use the USB or CD drive as its operating system, so don’t expect to see anything like Windows. Use the antivirus software that is on the USB/CD to give a complete and thorough scanning and cleaning of your computer. Follow the antivirus software’s recommendations, which will usually be to delete the offending files. This process may take anywhere from 20 minutes to a few hours depending on the size of your hard-drive and the boot CD/USB that you are using. You can’t wander away though, stay there to respond to the alerts.

Once the process is done, log out of the USB/CD boot software, remove the USB/CD, and reboot your computer. You should now be ransomware free. If you are confident in your abilities, you may want to clean your registry once the computer reboots to remove any lingering bits and annoyances. Piriform’s CCleaner registry cleaning function is pretty good for this.

There it is. That’s as hard as it gets. I hope you don’t have to experience this issue, but if you do, I hope that I’ve been able to help you out. Worst case scenario, you shut the computer down and take it to your trusted IT person. Yes, you might be a little embarrassed that you got the ransomware in the first place – it usually comes from doing things you shouldn’t or those entertainment sites that aren’t for minors. But you’ll get the problem dealt with and enjoy a lesson learned. Plus your IT person has probably been to some of the same sites anyway – we’re all human.

If you’ve got any questions about what else you can do to remove or prevent ransomware, let us know in the comments. Our writers and fans are some of the best on the web, and can probably help you out – for free.

Image credit: Locked and chained computer via Shutterstock


30 Comments

dragonmouth

What about a procedure for the Linux users? What are we, the ugly step children??? :)

Keefe Kingston

I don’t think there is any procedure for Linux, because there isn’t much malware for either Linux or Macs. Windows is the operating system that is constantly under attack from malware like this. So while it is not impossible for a Mac or Linux computer to get infected (because there are viruses and such for them too), I’d say it’s very unlikely. Malware like this one would have to be specifically programmed for Linux, since it not only follows a different programming language, but also a different OS environment altogether. So I’d be happy there is no procedure for Linux, as that would mean that you don’t need to worry about your computer being held hostage!

Guy McDowell

I don’t know. I haven’t seen you.

Fact is that most of my work is on Windows machines, and I haven’t come across this ransomware on a Linux machine…yet.

Kannon Yamada

I strongly doubt it even exists. There’s actually a company listed on the NASDAQ that specializes in ransomware… AS IN DELIVERING IT. They target exclusively Windows, probably because there’s no money in going after the most technically savvy of users out there.

The average Linux user also wouldn’t fall for that kind of scam. Of course DM was joking, but I wanted to make that point clear.

If you name the scam and mention the company, boom, you get sued. They claim to offer an anti-virus suite, but you could install their software on fresh install of Windows and it will tell you you’ve got a virus. It’s partly right because it’s basically a virus.

null

The closest I’ve come to ransomware is when I stupidly downloaded and installed a “free” program that quickly found scads of viruses on my computer, and then announced the viruses could only be removed with the paid version of the program. Of course, removing the “free” program was another story, and it took a good deal of effort to get it off my hard drive. The point I am trying to make here is never run suspicious software without researching it, and running it through your virus scanner. On top of that, I take the further precaution of running iffy software sandboxed, just in case. I have been using Sandboxie, a free sandboxing program, for surfing the net and testing downloaded software. If there is a problem, deleting the offending malware is as simple as deleting the sandbox you are running it in – malware cannot write to your hard drive when it is running in a sandbox.

Zhong J

Another step of precaution is just pure research and be aware that such scams are occurring. One of the main reasons why people fall for this scam is due to their own decisions of not posting the problem online to let other people identify whether if this is a scam or not.

Davie Chilalire

Thanks for a highly informative article

Dave

Malwarebytes has worked for me on a couple of pc’s owned by friends.

Guy McDowell

Malwarebytes is great and I’ve used it often in the past. Highly recommend their tools.

I wanted to try something I haven’t tried before, so I gave Windows Defender Offline a shot.

null

Superantispyware is another great tool. Hitman pro also has a 30 day version you can use to get rid of ransomware. Bleepingcomputer.com has links to the tools.

Guy McDowell

Since I wrote this article, I’ve come across another manifestation of the Police / Ukash ransomware. This is far more insidious. I ran 2 different live boot CDs and their associated antivirus on it (Kaspersky and Dr. Web). I’ve booted in on Safe Mode with Command Prompt and rolled back Windows to early in February 2013.

The ransomware is STILL there.

Now, I’m trying a boot CD of Windows Defender Offline

http://blogs.technet.com/b/security/archive/2012/09/19/microsoft-s-free-security-tools-windows-defender-offline.aspx

I’m performing a complete scan, and it is still ongoing. I’ll report back how it went in about an hour.

Charley Rouse

Guy, I would definitely add the possibility of a Rootkit into the Mix, recommend TDSSKILLER from Kaspersky and/or Anti-Malwarebytes Rootkit scanner, once the Rootkit is gone, Malwarebytes can “Usually” clean-up the rest…

Guy McDowell

Yep, the Kaspersky Live CD comes with the ability to check your boot sector and check for root kits. Nothing there this time…

Guy McDowell

Sometimes it can be a cure, sometimes it can’t, for the very reasons that you mentioned.

Guy McDowell

Windows Defender Offline found 4 threats:
Three of them related to the word Reveton and one related to a Java exploit called CVE-2012-0507. I used WDO to remove those, and am running the scan again – for redundancy’s sake.

I’ll post later this weekend how it goes.

Guy McDowell

Here’s the problem I had. The Kaspersky and Web Dr. Live CD’s that I used were a week old. That was old enough that they didn’t have the definitions they needed on them.

Windows Defender Offline did the trick. Now I have to do some manual cleaning to get rid of the remaining bits and pieces.

Guy McDowell

My manual cleaning showed none of the typical remnants. This laptop is clean for the last 4 days or so with no signs of re-infection. Yay me!

Keith Swartz

Thank you for the information!

trevor mahon

Found your article very interesting, am waiting to hear your update if WDO removed the ransomware. Thank you.

android underground

Why try to clean a dirty system if you can simply replace it with a clean copy? System Restore is unreliable, and you can never be sure that your antivirus apps really clean up all the dirt. There’s not a single AV that catches everything, and they’re trailing behind the malware by definition.

If you want to be totally sure you can clean your system you should use drive imaging instead.

1) Keep windows and your programs on one partition, keep your data on another. If Windows sits on drive C, your data should be somewhere else.
2) Use drive imaging software to auto-backup your system every night. This way you always have multiple copies of a clean system without lifting a finger. Restore the last clean image whenever your computer smells fishy.

There are plenty of excellent free drive imaging programs out there. Many of them can automate the process and make incremental backups to go easy on your disk space. You can run all of them from CDs and USB sticks. And they can backup/restore your boot sector, so you can exterminate all rootkits.

Antivirus programs are like cutting the long threads of the mold out of your rotten sandwich, restoring a drive image is like pulling a fresh loaf from the oven.
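The two-step plan in the comment above (Windows on its own partition, a nightly image of it, restore the last clean image when something smells fishy) can be done with tools already in Windows. Here is an added example, not the commenter’s own setup, using the built-in wbadmin utility and a scheduled task from an elevated PowerShell prompt on Windows 8 or later. It assumes Windows is on C:, your data is on a separate partition that is not part of this image, and the backup target is a second internal or USB disk with drive letter E:; change $BackupTarget to match.

```powershell
# Added example (not the commenter's configuration): schedule a nightly image
# of the Windows partition with wbadmin and list the images available to roll
# back to. Assumptions: Windows on C:, data on another partition (not imaged
# here), backup disk is E:. Run from an elevated PowerShell prompt.
$BackupTarget = "E:"            # assumption: second disk used for images
$TaskName     = "NightlySystemImage"

# -allCritical adds every volume Windows needs to boot (boot sector / EFI and
# recovery partitions), which is why restoring such an image also undoes a
# rootkit that hides in the boot sector; -quiet suppresses the confirmation.
$Arguments = "start backup -backupTarget:$BackupTarget -include:C: -allCritical -quiet"

# Nightly at 02:00 as SYSTEM, so the job does not depend on a user being logged on.
$Action    = New-ScheduledTaskAction -Execute "wbadmin.exe" -Argument $Arguments
$Trigger   = New-ScheduledTaskTrigger -Daily -At "02:00"
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Force | Out-Null

# Take the first image right now, synchronously, so tonight's run is not the
# first copy you own.
Start-Process -FilePath "wbadmin.exe" -ArgumentList $Arguments -Wait -NoNewWindow

# Every version listed here is a clean system you can restore from a repair
# disc or WinRE with "wbadmin start sysrecovery", without trusting any AV verdict.
& wbadmin.exe get versions "-backupTarget:$BackupTarget"
```

Keep the backup disk unplugged or off when it is not needed; an image that ransomware can reach is not a clean copy for long.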

Guy McDowell

If you had to put a percentage on it, what percent of users do you think, actually plan ahead like this? I’m guessing 10%.

I agree with you, but you’re preaching to the choir.

android underground

1) Get bitten by ransomware.
2) Google for solution.
3) Find MUO post by Guy McDowell that tells you how to remove ransomware and make drive images to be prepared for next time your computer catches fire.

The percentage may be 10% now, but by writing stories for a site like this you have the opportunity to increase that percentage a little bit. MUO it!

Guy McDowell

Fair enough. Having Windows Restore operating is a start. Hopefully people who need this help will read the comments to see that there are even more thorough and better options to Windows Restore in case of something this damaging.

We also have quite a few articles covering drive imaging and how to do that for most major OS’ on MUO. Might not hurt to bring it up again though.

Michael W

Like Guy I would agree that having a drive image and restoring that would be a better choice for ensuring that you have a fully clean system – but most users are like my brother – they don’t do regular backups, don’t keep their systems current and often fail to use anti-spyware/malware/virus programs correctly. Although my brother has owned several computers over the years he is lousy when it comes to maintaining the systems. If his anti-virus program doesn’t auto-update he would likely never get the latest definitions. Even though he has anti-malware software on his computer he doesn’t regularly update the program and even Windows is often not updated although Microsoft makes it really easy to do.

My other brother is better at maintaining his system, but he still doesn’t do regular backups or drive imaging. Most of the free drive imaging programs (like the free version of Macrium Reflect) don’t do incremental backups and even then the user needs to have the backup drive connected. I often send him reminders that he needs to backup his systems (as well as his college-age kids who both have laptops) but I’ll bet that he probably hasn’t made a backup of his systems in several months.

One thing I do is have two hard drives in my desktop system – I image the primary drive to the second drive and maintain multiple images on it (every few weeks I re-image the system overnight and delete an older image). If I get hit with a virus, malware or have a system issue I can boot from a rescue CD and restore an earlier disk image to the primary drive. I also have a pristine disk image of my Windows installation that I restore periodically and update for the latest Microsoft updates. That way I can eliminate the need to reinstall Windows if I want to go back to scratch. I can quickly restore the operating system and then choose to add the software of my choice afterwards.

Michael W

My brother was “caught” by one of these ransomware programs a few months ago – his machine booted into a screen warning that he had gone to an illegal site, the FBI had been notified and he would need to pay $200 thru Moneypak to unlock his system. Since he was unable to bypass the warning screen he called me to take a look at it.

Fortunately I was able to reboot the system into “safe mode” and scan the system with a previously installed version of Malwarebytes Anti-Malware (which identified the infected files and removed them from the system…). I then RESCANNED the system using SuperAntiSpyware and an Avira AntiVirus Rescue Disk. Once I was satisfied that I had removed the program (and checked the add/remove programs for recently installed applications) I rebooted the system as normal.

One thing I will caution is ALWAYS get your anti-virus and anti-malware programs from a trusted site. DO NOT click OK to download a “free program” if you get a popup on the screen when you’re surfing the internet – you’ll often end up downloading a phony program that can act as a trojan, disable your existing anti-virus/malware programs and infect your system or hijack your browser and search settings. If you do get such a message, close your browser immediately, reboot your system into safe mode and scan your system using a program like Malwarebytes AntiMalware or SuperAntiSpyware.

Guy McDowell

Good advice!

Larry Maupin

Or buy a Mac. ;) Virus free for 16 years.

Guy McDowell

Are you sure it isn’t just your conscientious use and being ever-vigilant? ;-)

My personal PC’s haven’t had a virus in over 10 years. I realize that’s mostly just because I am a vigilant user and apply the preventative methods that we all say we do, but then don’t.

SmartyPants

For Windows users, there is sometimes another way. Instead of opening with command prompt, select the option Safe Mode (not with networking and not with command prompt). Once you do that click Start –> Programs –> Startup and see what programs are in there. There is a Microsoft program that executes a file that “bad” people can paste into your startup. If you have Malwarebytes installed, scan your program files folders because that is where the virus usually is. If it is not there, right click –> Properties on the Microsoft program and look at the location of the file. Scan the folder of that file and once the problem is found, you should be able to start without the problem!
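The Startup folder the comment above points at is only one of the places Windows launches programs from at logon; the Run keys in the registry are the others that this kind of lock screen commonly uses. The script below is an added example, not the commenter’s procedure, that inventories all of them read-only from Safe Mode and shows the file each entry launches together with the publisher of its digital signature, so an unfamiliar, unsigned entry sitting under %APPDATA% or %TEMP% can be found and scanned before it runs. The folder and key paths are the standard Windows ones; the command-to-path extraction is a simple heuristic and is marked as such.

```powershell
# Added example (not from the comment): read-only inventory of Windows
# auto-start locations (Startup folders and Run/RunOnce keys), resolving each
# entry to the file it launches and the signer of that file. Run from Safe Mode.
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunEntries {
    foreach ($folder in $StartupFolders) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
    foreach ($key in $RunKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

# Heuristic (assumption): take the quoted path, or the first token ending in
# .exe, as the launched file; unquoted paths with spaces fall through unchanged.
function Resolve-LaunchedFile([string]$Command) {
    $exe = $Command -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '^(\S+\.exe).*$', '$1'
    return [Environment]::ExpandEnvironmentVariables($exe)
}

Get-AutorunEntries | ForEach-Object {
    $exe = Resolve-LaunchedFile $_.Command
    $signer = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).SignerCertificate.Subject
    } else { '<file not found>' }
    [pscustomobject]@{
        Name   = $_.Name
        Source = $_.Source
        Path   = $exe
        Signer = if ($signer) { $signer } else { '<unsigned>' }
    }
} | Sort-Object Signer | Format-Table -AutoSize -Wrap
```

Read the output from the top: unsigned entries and entries whose Path is under the user profile or a temp folder are the ones to hand to Malwarebytes or your live CD scanner first, while signed entries from a publisher you installed are usually what they claim to be.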