Don’t Pay Up – How To Beat Ransomware!

Guy McDowell 05-04-2013

Just imagine if someone showed up on your doorstep and said, “Hey, there’s mice in your house that you didn’t know about. Give us $100 and we’ll get rid of them.” This is the Ransomware Scam in its original form. There actually used to be people that would go around, let pests into your house and then knock on your door and point them out to you. “Good thing we saw them while driving by!” This scam must be making someone some good money because it’s still going on.


The scam needs a few things to be successful. First, the problem must be real. Whether the crook is putting mice in your crawlspace or malware on your computer, there is a real and verifiable threat. Second, they have to make themselves look like credible experts to make you think they can solve the problem. This could be an exterminator truck and coveralls, or the illegal use of an official logo like the RCMP. Third, they need to get your cash in hand quick before you can realize what’s going on. The exterminator might do this by saying something like, “Just give us $100 cash and we don’t have to charge you for a service call because we were already in the neighbourhood.” The online crook will take your credit card or a gift card.

Where things really take two different tracks between the real-life con and the online con is what can happen after you’ve paid them off. The real-life scum generally disappear, never to be heard from again. The online scum may leave behind malware that opens you up to them again and again. Or if they got your credit card and other personal information, they may just ruin your life as you know it.

First Things First

Yes, you’re going to get the whole “an ounce of prevention is worth a pound of cure” speech. Why? Because it is true.

Make sure that you are using a full gamut of security software – anti-virus, firewall, anti-phishing software, what have you. There are plenty of freeware versions out there that are very good. Make sure that all of your security software is up-to-date, and all the important security updates for your operating system are installed. Make sure that you are using your computer’s System Restore utility or back-up software. Try to stick only to reputable websites, don’t download pirated materials, and only open attachments that you are expecting to receive.

But, unfortunately, if you’re reading this, you probably missed a link in that chain somewhere. So what now?


Is It Ransomware?

So how do you know you’re being taken? Here’s a few clues:

  • Microsoft does NOT make house calls.
  • The police DO make house calls.
  • The software that the ransomware claims to be is NOT the security software that you installed.
  • Helpful people don’t disable the rest of your computer until you pay them.

If any of the above apply to your situation, you just might have ransomware.


Now What?

Force your computer to power down. Most often this can be done just by holding the power button down for a few seconds. Before you get ready to power your computer up again, be ready to hit the F8 button. What I normally do is hit the power button and start tapping the F8 key about once a second until I get a text screen like the one below.


[Screenshot: the text boot menu]

Now, choose Safe Mode with Command Prompt. You’ll see some text go flying by and eventually you’ll just see a line of text with a cursor blinking at you. At this point, type this in and hit Enter:


[Screenshot: the command to type at the prompt]

Why do you have to do this from the command line? You might not have to, but the most recent and virulent police/RCMP/ukash ransomware only seems to be beatable in this manner. The command line mode of Windows only loads the MOST essential services and does not connect you to your network or Internet connection.


Once the System Restore utility opens, hopefully you’ll have a few restore points to choose from. Choose one that is definitely from a time before you got the ransomware. Follow the prompts to restore your Windows installation to that point in time. The restoration process might take a little time, so relax.


Reboot your computer and allow it to go into Windows normal mode. That’s done by just sitting back and letting the computer do its thing. The ransomware should now be gone.

Run your antivirus software and perform as thorough a scan of all your hard drives as possible. This might take a little while so relax and have a fine beverage.


Once this is all done, you may want to scan your computer with another antivirus program. Let’s face it, yours missed it the first time. ClamWin is a decent one that can be run from a USB drive.
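The restore step above only works if a restore point from before the infection actually exists, so it is worth checking on a healthy machine ahead of time. The script below is an added example, not part of the original article: it lists the restore points and marks which ones predate a given date. It assumes an elevated Windows PowerShell 5.1 session; the `$SuspectedInfection` parameter and the `Get-RestorePointReport` function are hypothetical names.

```powershell
# Added example, not from the article. Run in an elevated Windows PowerShell 5.1
# session; Get-ComputerRestorePoint is not available in PowerShell 7.
param(
    # Hypothetical parameter: the earliest date the infection could have started.
    [datetime]$SuspectedInfection = (Get-Date).AddDays(-3)
)

function Get-RestorePointReport {
    param([Parameter(Mandatory)][datetime]$Before)

    # An empty result means no restore points are available to roll back to.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    foreach ($p in $points) {
        # CreationTime is a WMI (DMTF) timestamp string; convert it to a DateTime.
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($p.CreationTime)
        [pscustomobject]@{
            Sequence          = $p.SequenceNumber
            Created           = $created
            Description       = $p.Description
            PredatesInfection = ($created -lt $Before)
        }
    }
}

# Oldest first, so the last usable entry is the newest one that is still safe.
$report = @(Get-RestorePointReport -Before $SuspectedInfection | Sort-Object Created)
$usable = @($report | Where-Object PredatesInfection)

$report | Format-Table -AutoSize

if ($report.Count -eq 0) {
    Write-Warning 'No restore points found. System Restore may be disabled on this machine.'
} elseif ($usable.Count -eq 0) {
    Write-Warning "No restore point is older than $($SuspectedInfection.ToString('yyyy-MM-dd')); rolling back would not go far enough."
} else {
    $best = $usable[-1]
    Write-Output "Newest restore point before the suspected infection: #$($best.Sequence) from $($best.Created)"
}
```

If the report comes back empty, `Enable-ComputerRestore -Drive 'C:\'` followed by `Checkpoint-Computer -Description 'baseline'` turns System Restore on and creates a first restore point.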

I Disabled System Restore

Why? I bet you feel a little silly now, don’t you? Fret not, there are still ways to remove this ransomware. You’ll need the following:

  • An empty USB drive or CD to which you can burn files.
  • A computer with an Internet connection that is not infected.
  • A little patience and courage.

Get on the Internet and look for Windows Live Repair CDs. There are a bunch of them out there, but try any of the ones that Justin mentions in his article, Three Live CD Antivirus Scanners You Can Try When Windows Won’t Start. They are all EXCELLENT choices. I keep all three in my IT toolkit.

If you’re looking for bootable USB tools, you can try Dave’s article The PC Repair Toolkit in Your Pocket: Boot CD on a USB Stick. Sure, the article is from 2008, but the method and software are still valid and work like a charm.

How Do I Use The CD Or USB Drive?

Before you power down your computer, you want to put the CD into your CD drive. If you are using the USB drive option, wait until the computer is powered down to insert it.

Now restart the computer. As it is restarting you’ll need to tap the button that will give you the Boot Menu. On my Acer, it’s F12. It may be different on your computer. Once you get the boot menu, choose to boot from the CD/DVD drive or the USB drive – whichever applies to you.


Your computer is going to use the USB or CD drive as its operating system, so don’t expect to see anything like Windows. Use the antivirus software that is on the USB/CD to give a complete and thorough scanning and cleaning of your computer. Follow the antivirus software’s recommendations, which will usually be to delete the offending files. This process may take anywhere from 20 minutes to a few hours depending on the size of your hard-drive and the boot CD/USB that you are using. You can’t wander away, though; stay there to respond to the alerts.

Once the process is done, log out of the USB/CD boot software, remove the USB/CD, and reboot your computer. You should now be ransomware free. If you are confident in your abilities, you may want to clean your registry once the computer reboots to remove any lingering bits and annoyances. Piriform’s CCleaner registry cleaning function is pretty good for this.

There it is. That’s as hard as it gets. I hope you don’t have to experience this issue, but if you do, I hope that I’ve been able to help you out. Worst case scenario, you shut the computer down and take it to your trusted IT person. Yes, you might be a little embarrassed that you got the ransomware in the first place – it usually comes from doing things you shouldn’t or those entertainment sites that aren’t for minors. But you’ll get the problem dealt with and enjoy a lesson learned. Plus your IT person has probably been to some of the same sites anyway – we’re all human.

If you’ve got any questions about what else you can do to remove or prevent ransomware, let us know in the comments. Our writers and fans are some of the best on the web, and can probably help you out – for free.

Image credit: Locked and chained computer via Shutterstock

Related topics: Anti-Malware, Phishing, Scams.


  1. George
    February 21, 2017 at 4:39 pm

    I was about to get infected by a Ransomware because of my foolishness, I was lucky that I had MalwareFox at that time because it detected the Ransomware and prevented its installation. I've learnt my lesson, from now on I'm always going to keep backups and I'll have security software installed.

  2. ISayMeh.
    December 21, 2016 at 10:22 pm

    Relating to the first couple of lines:
    The only difference is that you can swear at the bloke, punch him in the noggin and shove him down the stairs. With CryptoLocker, you can't.

  3. Paul
    May 28, 2016 at 6:33 pm

    Well this is my first... I just got locked out 5/27/2016 by way of Supremo which I didn't download. The first blue screen was requesting for registry code.. Above it was had overview supremo logmyin Ammy on the left hand side was cmd task manager explorer file..

    I called Customer Support number provided on the blue screen 1-844-459-8882 spoke to a Rick Woods..

    Additional phone no: 1-562-483-2526; 1-844-810-2411

    Alleged Address: Canoga Park
    Jordan Ave.

    So as a dummy I played right in. He said he was a Microsoft support tech. After allowing him to remotely control my presario cq56. We went thru task manager... but we ended up in noted pads which the tech remotely added other command in notes. Including prompt command as well.

    According to tech my files were corrupted and they/he could repair my files for a 1 time fee of 199.00 dollars I declined.

    I filed a complaint online. Now I'm just looking to clear ransomware.... I'm searching web/forums/Microsoft for option to restore.

  4. Everseeker
    May 5, 2015 at 7:33 pm

    Of note: Recently, Ransomware has become much worse...
    1. you accidentally come across a site with an image of a cute lady...
    2. Virus wanders in (quietly).. waits for a lack of activity. It encrypts all your stuff
    3. It looks for links to external stores and encrypts them too (Bye-Bye all backups on "Drive D")
    4. THEN, it delivers the bad news to you...
    5. You can't go into safe mode... all the system restores are gone...
    6. Of note: They are pretty much honoring their promise to restore on payment...

  5. SmartyPants
    June 14, 2013 at 4:09 pm

    For Windows users, there is sometimes another way. Instead of opening with command prompt, select the option safe mode (not with networking and not with command prompt). Once you do that click start --> programs --> startup and see what programs are in there. There is a Microsoft program that executes a file that "bad" people can paste into your startup. If you have Malwarebytes installed, scan your program files folders because that is where the virus usually is. If it is not there, right click --> properties on the Microsoft program and look at the location of the file. Scan the folder of that file and once the problem is found, you should be able to start without the problem!
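The Startup-folder check described in the comment above can be done in one pass by resolving every shortcut to the file it really launches. This is an added example, not part of the comment or the article; the two flag patterns (user-writable paths, and Windows host programs that run a file handed to them) are assumed heuristics, and a flag means "scan this file", not "this is malware".

```powershell
# Added example, not from the article or the comment above.
# Lists what the per-user and all-users Startup folders launch at logon,
# resolving each shortcut to its real target, and flags entries worth scanning.

# Assumed heuristics (hypothetical; tune them for your own machines).
# Paths any user can write to:
$userWritableRx = '\\(AppData|Temp|ProgramData|Users\\Public)\\'
# Windows programs that simply run a file passed on their command line:
$hostProgramRx  = '\\(rundll32|regsvr32|wscript|cscript|mshta)\.exe'

function Get-StartupFlag {
    param([string]$Command)
    $flags = @()
    if ($Command -match $userWritableRx) { $flags += 'user-writable path' }
    if ($Command -match $hostProgramRx)  { $flags += 'launched via host program' }
    $flags -join '; '
}

$shell   = New-Object -ComObject WScript.Shell
$folders = [Environment]::GetFolderPath('Startup'),
           [Environment]::GetFolderPath('CommonStartup')

$entries = foreach ($dir in ($folders | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    foreach ($item in (Get-ChildItem -LiteralPath $dir -File -Force)) {
        if ($item.Name -eq 'desktop.ini') { continue }

        if ($item.Extension -eq '.lnk') {
            # Same information as right click --> Properties on the shortcut.
            $lnk     = $shell.CreateShortcut($item.FullName)
            $command = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        } else {
            # A file placed directly in a Startup folder runs as-is, and it
            # always gets the path flag because the folder itself is writable.
            $command = $item.FullName
        }

        [pscustomobject]@{
            Entry    = $item.Name
            Modified = $item.LastWriteTime
            Command  = $command
            Flags    = Get-StartupFlag -Command $command
        }
    }
}

# Most recently changed entries first: a new infection usually shows up at the top.
$entries | Sort-Object Modified -Descending | Format-List
```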

  6. Larry Maupin
    April 8, 2013 at 1:35 pm

    Or buy a Mac. ;) Virus free for 16 years.

    • Guy McDowell
      April 9, 2013 at 2:07 pm

      Are you sure it isn't just your conscientious use and being ever-vigilant? ;-)

      My personal PC's haven't had a virus in over 10 years. I realize that's mostly just because I am a vigilant user and apply the preventative methods that we all say we do, but then don't.

  7. Michael W
    April 7, 2013 at 6:40 pm

    My brother was "caught" by one of these ransomware programs a few months ago - his machine booted into a screen warning that he had gone to an illegal site, the FBI had been notified and he would need to pay $200 thru Moneypak to unlock his system. Since he was unable to bypass the warning screen he called me to take a look at it.

    Fortunately I was able to reboot the system into "safe mode" and scan the system with a previously installed version of Malwarebytes Anti-Malware (which identified the infected files and removed them from the system...) I then RESCANNED the system using SuperAntiSpyware and an Avira AntiVirus Rescue Disk. Once I was satisfied that I had removed the program (and checked the add/remove programs for recently installed applications) I rebooted the system as normal.

    One thing I will caution is ALWAYS get your anti-virus and anti-malware programs from a trusted site. DO NOT click OK to download a "free program" if you get a popup on the screen when you're surfing the internet - you'll often end up downloading a phony program that can act as a trojan, disable your existing anti-virus/malware programs and infect your system or hijack your browser and search settings. If you do get such a message, close your browser immediately, reboot your system into safe mode and scan your system using a program like Malwarebytes AntiMalware or SuperAntiSpyware.

    • Guy McDowell
      April 9, 2013 at 2:02 pm

      Good advice!

  8. android underground
    April 7, 2013 at 7:51 am

    Why try to clean a dirty system if you can simply replace it with a clean copy? System Restore is unreliable, and you can never be sure that your antivirus apps really clean up all the dirt. There's not a single AV that catches everything, and they're trailing behind the malware by definition.

    If you want to be totally sure you can clean your system you should use drive imaging instead.

    1) Keep windows and your programs on one partition, keep your data on another. If Windows sits on drive C, your data should be somewhere else.
    2) Use drive imaging software to auto-backup your system every night. This way you always have multiple copies of a clean system without lifting a finger. Restore the last clean image whenever your computer smells fishy.

    There are plenty of excellent free drive imaging programs out there. Many of them can automate the process and make incremental backups to go easy on your disk space. You can run all of them from CDs and USB sticks. And they can backup/restore your boot sector, so you can exterminate all rootkits.

    Antivirus programs are like cutting the long threads of the mold out of your rotten sandwich, restoring a drive image is like pulling a fresh loaf from the oven.

    • Guy McDowell
      April 7, 2013 at 7:04 pm

      If you had to put a percentage on it, what percent of users do you think, actually plan ahead like this? I'm guessing 10%.

      I agree with you, but you're preaching to the choir.

      • android underground
        April 11, 2013 at 6:20 pm

        1) Get bitten by ransomware.
        2) Google for solution.
        3) Find MUO post by Guy McDowell that tells you how to remove ransomware and make drive images to be prepared for next time your computer catches fire.

        The percentage may be 10% now, but by writing stories for a site like this you have the opportunity to increase that percentage a little bit. MUO it!

        • Guy McDowell
          April 11, 2013 at 9:00 pm

          Fair enough. Having Windows Restore operating is a start. Hopefully people who need this help will read the comments to see that there are even more thorough and better options to Windows Restore in case of something this damaging.

          We also have quite a few articles covering drive imaging and how to do that for most major OS' on MUO. Might not hurt to bring it up again though.

    • Michael W
      April 9, 2013 at 4:33 pm

      Like Guy I would agree that having a drive image and restoring that would be a better choice for ensuring that you have a fully clean system - but most users are like my brother - they don't do regular backups, don't keep their systems current and often fail to use anti-spyware/malware/virus programs correctly. Although my brother has owned several computers over the years he is lousy when it comes to maintaining the systems. If his anti-virus program doesn't auto-update he would likely never get the latest definitions. Even though he has anti-malware software on his computer he doesn't regularly update the program and even Windows is often not updated although Microsoft makes it really easy to do.

      My other brother is better at maintaining his system, but he still doesn't do regular backups or drive imaging. Most of the free drive imaging programs (like the free version of Macrium Reflect) don't do incremental backups and even then the user needs to have the backup drive connected. I often send him reminders that he needs to backup his systems (as well as his college-age kids who both have laptops) but I'll bet that he probably hasn't made a backup of his systems in several months.

      One thing I do is have two hard drives in my desktop system - I image the primary drive to the second drive and maintain multiple images on it (every few weeks I re-image the system overnight and delete an older image). If I get hit with a virus, malware or have a system issue I can boot from a rescue cd and restore an earlier disk image to the primary drive. I also have a pristine disk image of my Windows installation that I restore periodically and update for the latest Microsoft updates. That way I can eliminate the need to reinstall Windows if I want to go back to scratch. I can quickly restore the operating system and then choose to add the software of my choice afterwards.

  9. trevor mahon
    April 6, 2013 at 4:58 am

    Found your article very interesting, am waiting to hear your update if WDO removed ransomware. Thank you.

  10. Keith Swartz
    April 6, 2013 at 12:52 am

    Thank you for the information!

  11. Guy McDowell
    April 5, 2013 at 10:05 pm

    Windows Defender Offline found 4 threats:
    Three of them related to the word Reveton and one related to a Java exploit called CVE-2012-0507. I used WDO to remove those, and am running the scan again - for redundancy's sake.

    I'll post later this weekend how it goes.

    • Guy McDowell
      April 6, 2013 at 12:11 pm

      Here's the problem I had. The Kaspersky and Web Dr. Live CD's that I used were a week old. That was old enough that they didn't have the definitions they needed on them.

      Windows Defender Offline did the trick. Now I have to do some manual cleaning to get rid of the remaining bits and pieces.

      • Guy McDowell
        April 9, 2013 at 2:04 pm

        My manual cleaning showed none of the typical remnants. This laptop is clean for the last 4 days or so with no signs of re-infection. Yay me!

  12. Guy McDowell
    April 5, 2013 at 8:42 pm

    Since I wrote this article, I've come across another manifestation of the Police / Ukash ransomware. This is far more insidious. I ran 2 different live boot CDs and their associated antivirus on it (Kaspersky and Dr. Web). I've booted in on Safe Mode with Command Prompt and rolled back Windows to early in February 2013.

    The ransomware is STILL there.

    Now, I'm trying a boot CD of Windows Defender Offline

    I'm performing a complete scan, and it is still ongoing. I'll report back how it went in about an hour.

    • Charley Rouse
      April 5, 2013 at 9:19 pm

      Guy, I would definitely add the possibility of a Rootkit into the Mix, recommend TDSSKILLER from Kaspersky and/or Anti-Malwarebytes Rootkit scanner, once the Rootkit is gone, Malwarebytes can "Usually" clean-up the rest...

      • Guy McDowell
        April 6, 2013 at 12:10 pm

        Yep, the Kaspersky Live CD comes with the ability to check your boot sector and check for root kits. Nothing there this time...

    • klu9
      April 8, 2013 at 12:59 am

      I got hit by ransomware recently. From my research, I read that System Restore is *NOT* a cure for a virus infection. A couple of reasons:
      1. the moment you realized you were infected is not necessarily the same as when it happened, so you might not rollback far enough.
      2. System Restore files can get infected too. And then you replace existing files with infected SR files.

      See comments here

      • Guy McDowell
        April 9, 2013 at 2:03 pm

        Sometimes it can be a cure, sometimes it can't, for the very reasons that you mentioned.

  13. Dave
    April 5, 2013 at 4:58 pm

    Malwarebytes has worked for me on a couple of pc's owned by friends.

    • Guy McDowell
      April 6, 2013 at 12:09 pm

      Malwarebytes is great and I've used it often in the past. Highly recommend their tools.

      I wanted to try something I haven't tried before, so I gave Windows Defender Offline a shot.

      • null
        April 7, 2013 at 10:28 am

        Superantispyware is another great tool. Hitman pro also has a 30 day version you can use to get rid of ransomware. has links to the tools.

  14. Davie Chilalire
    April 5, 2013 at 4:45 pm

    Thanks for a highly informative article

  15. Zhong J
    April 5, 2013 at 3:21 pm

    Another step of precaution is just pure research and be aware that such scams are occurring. One of the main reasons why people fall for this scam is due to their own decisions of not posting the problem online to let other people identify whether this is a scam or not.

  16. null
    April 5, 2013 at 1:18 pm

    The closest I've come to ransomware is when I stupidly downloaded and installed a "free" program that quickly found scads of viruses on my computer, and then announced the viruses could only be removed with the paid version of the program. Of course, removing the "free" program was another story, and it took a good deal of effort to get it off my harddrive. The point I am trying to make here is never run suspicious software without researching it, and running it through your virus scanner. On top of that, I take the further precaution of running iffy software sandboxed, just in case. I have been using Sandboxie, a free sandboxing program, for surfing the net and testing downloaded software. If there is a problem, deleting the offending malware is as simple as deleting the sandbox you are running it in - malware cannot write to your harddrive when it is running in a sandbox.

    • Anonymous
      January 8, 2015 at 11:17 am

      sounds like mackeeper

  17. dragonmouth
    April 5, 2013 at 11:45 am

    What about a procedure for the Linux users? What are we, the ugly step children??? :)

    • Keefe Kingston
      April 5, 2013 at 2:40 pm

      I don't think there is any procedure for Linux, because there isn't much malware for either Linux or Macs. Windows is the operating system that is constantly under attack from malware like this. So while it is not impossible for a Mac or Linux computer to get infected (because there are viruses and such for them too), I'd say it's very unlikely. Malware like this one would have to be specifically programmed for Linux, since it not only follows a different programming language, but also a different OS environment altogether. So I'd be happy there is no procedure for Linux, as that would mean that you don't need to worry about your computer being held hostage!

    • Guy McDowell
      April 5, 2013 at 3:51 pm

      I don't know. I haven't seen you.

      Fact is that most of my work is on Windows machines, and I haven't come across this ransomware on a Linux machine...yet.

      • Kannon Yamada
        April 6, 2013 at 12:15 am

        I strongly doubt it even exists. There's actually a company listed on the NASDAQ that specializes in ransomware... AS IN DELIVERING IT. They target exclusively Windows, probably because there's no money in going after the most technically savvy of users out there.

        The average Linux user also wouldn't fall for that kind of scam. Of course DM was joking, but I wanted to make that point clear.

        If you name the scam and mention the company, boom, you get sued. They claim to offer an anti-virus suite, but you could install their software on fresh install of Windows and it will tell you you've got a virus. It's partly right because it's basically a virus.