What to Do When Ransomware Hits Your PC

Discovering ransomware on your computer is alarming, but paying the ransom is rarely the right answer. Many victims who pay never receive decryption keys, and every payment funds further criminal activity. This guide walks you through how to remove ransomware safely and maximize your chances of recovering your files.

Step 1: Disconnect Immediately

The moment you suspect ransomware, disconnect your device from the internet and any local network. This prevents the malware from:

  • Encrypting additional files on shared network drives
  • Communicating with attacker command-and-control servers
  • Spreading to other devices on your home or office network

Unplug your Ethernet cable and turn off Wi-Fi immediately. Do not shut down your computer yet — some forensic tools work better while the system is running.

Step 2: Identify the Ransomware Strain

Knowing exactly which ransomware you're dealing with is crucial because free decryption tools exist for many known strains. Use these resources to identify it:

  • ID Ransomware (id-ransomware.malwarehunterteam.com) — upload the ransom note or an encrypted file sample
  • No More Ransom (nomoreransom.org) — a joint initiative by law enforcement and security companies with free decryptors
  • Check the file extension your files were renamed to (e.g., .locky, .ryuk, .conti)
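
The extension check in the last bullet can be done in one pass from PowerShell on the affected PC. The script below is an added example, not part of the original guide; the scan folder, the 7-day window, the list of document types, the 64 KB note size limit and the 5-copy threshold are assumptions to adjust.

```powershell
# Added example: read-only triage for Step 2. It lists files and changes nothing.
# Assumed values (not from the guide): scan root, look-back window, extension list,
# note size limit, and the "5 or more copies" threshold.
$Root       = $env:USERPROFILE
$Since      = (Get-Date).AddDays(-7)
$KnownTypes = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf',
                '.jpg', '.jpeg', '.png', '.txt', '.csv', '.zip')
$NoteTypes  = @('.txt', '.html', '.htm', '.hta')

# Recently modified files; unreadable folders are skipped instead of stopping the scan.
$recent = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since }

# 1. Appended extensions: names like report.docx.xyz, where the part before the
#    final extension still ends in a normal document type.
$renamed = $recent | Where-Object {
    [System.IO.Path]::GetExtension($_.BaseName) -in $KnownTypes
}
Write-Host "Appended extensions on recently changed files:"
$renamed | Group-Object { $_.Extension.ToLower() } |
    Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name |
    Format-Table -AutoSize | Out-Host

# 2. Ransom-note candidates: one small text or HTML file name repeated across many folders.
Write-Host "Possible ransom notes (same small file name in 5 or more places):"
$recent |
    Where-Object { ($_.Extension -in $NoteTypes) -and ($_.Length -lt 64KB) } |
    Group-Object Name |
    Where-Object { $_.Count -ge 5 } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Copies  = $_.Count
            Name    = $_.Name
            Example = $_.Group[0].FullName
        }
    } | Format-Table -AutoSize -Wrap | Out-Host

# 3. Smallest renamed file, as a candidate sample to submit for identification.
$sample = $renamed | Sort-Object Length | Select-Object -First 1
if ($sample) { Write-Host "Sample encrypted file: $($sample.FullName)" }
else         { Write-Host "No appended-extension files found under $Root in the window." }
```

The dominant extension in the first table and the repeated file name in the second are the two things to give ID Ransomware or look up on No More Ransom.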

Step 3: Boot Into Safe Mode with Networking

Booting into Safe Mode keeps most ransomware from running while you clean the system:

  1. Restart your PC and press F8 (or hold Shift while clicking Restart on Windows 10/11)
  2. Select Troubleshoot > Advanced Options > Startup Settings
  3. Press F5 to enable Safe Mode with Networking

Step 4: Run a Trusted Malware Scanner

With your PC in Safe Mode, download and run a reputable offline malware scanner. Look for tools that offer a dedicated ransomware removal module. Run a full system scan — not a quick scan — and quarantine or delete everything flagged.

Important: Do not trust pop-up "scanners" that appeared after the infection. Only use tools you download from known, reputable vendors.

Step 5: Check for Decryptors Before Restoring

Before wiping your drive or restoring from backup, check No More Ransom for a free decryption tool matching your ransomware strain. If one is available, follow the official instructions published with it carefully. Never use unofficial decryptors found on random forums; they are frequently malware themselves.

Step 6: Restore from Backup

If no decryptor is available, your safest recovery path is restoring from a clean backup:

  • Use Windows' built-in System Restore or File History if they weren't disabled by the ransomware
  • Restore from an external drive backup made before the infection
  • Check if cloud storage (OneDrive, Google Drive) retained unencrypted versions via version history

Step 7: Prevent Future Infections

After cleaning your system, take these steps to prevent a repeat attack:

  • Enable Windows Defender or install reputable third-party antivirus
  • Keep Windows and all software fully updated
  • Maintain regular offline backups on a drive that stays disconnected
  • Never open email attachments from unknown senders
  • Enable Controlled Folder Access in Windows Security settings

Final Thoughts

Ransomware is one of the most disruptive types of malware, but a calm, methodical approach gives you the best chance of recovery without paying criminals. The key lessons: disconnect fast, identify the strain, and always maintain offline backups so you're never held hostage.