How to Remove Ransomware Virus from Windows PC 10,8,7 and Android Mobile

Is your PC infected with Ransomware virus? Here we open some tricks to remove ransomware virus from PC. Ransomware virus forces you to pay some amount to access your own system. Protection is always better than cure. So, here we listed some tricks and tool to get rid of ransomware attacks.

What is Ransomware?

How to Remove Ransomware Virus

Ransomware virus on windows PC creates a lock between you and your system. As the name suggests “Ransom” is the process of holding an item to get money before releasing hold things.  It holds your files and demand for some money. It is part of cyber-attack to get rid of it, learn how cybercriminal plans cyber-attacks. This post based on ransomware virus removal tool. So, read carefully and remove the ransomware virus from windows system.

For details check What is ransomware?

How did it get on your system?

The attacker never attacks you till you care your system. Once you failed attacker start their activity.

Most likely ransomware virus infected when you accessed a site containing hidden malicious scripts. It can be hidden under the following media:

  • A browser add-on and plug-in.
  • Unsecured software shared on peer to peer network.
  • A codec required to view a movie or a certain video clip.
  • Pirate Torrent files.
  • A free antivirus service.
  • Free online scanning service.

Following are some source of ransomware virus.

  • Surfing untrusted website.
  • Email attachment.
  • Executable file like( .exe, .ade, .adp,.jar,.com,.cmd )
  • Scripting file like (.bat, .js, .vbs, .sc, .ins,.vb, vbs, .wsc, .wsf )
  • Macros (.doc, .xls, xlsx, .ppt)
  • Installing pirated software or pirated movies.
  • Outdated software programs.
  • Modded games.
  • Nulled themes.
  • Infected computer network.

Even you are infected, it is not easy to identify it. But after restarting, you will get a notice that your system is infected and pay a “ransom” to get rid of ransomware virus.

Whom does it affect?

You! Are you using any smartphone, laptop or PC? Are you using the internet for surfing or emailing or any online shopping? If yes, then you are a likely ransomware victim. It restricts you to access your mobile device or PC and encrypt your file unless you pay decryption fee.

Ransomware targets old computer. If your system is not up to date, then highly potential to ransomware attacks. Microsoft released a new security patch for Windows Vista and later version (MS17010). So, first install MS17010 on your Windows System. If you are still working on Windows XP, install the latest patch from Microsoft.

Reports indicate that ransomware spread through e-mails that include the malware attachment. It is also possible that malware entered a computer network via infected hosts or vulnerable machine.

Even you pay ransom there is no guarantee that you will get decryption code. So, we always prepare prevention than cure.

How to detect Ransomware attacks?

ransomware attack

Attackers developed Ransomware to gain money. It will target your picture, data files, and valuable documents. Once attackers gain your system control you will get following messages.

  • Locked browser.
  • Locked screen.
  • Ransomware note.
  • Encrypted files.
  • Renamed files.

However, it is very difficult to detect Ransomware virus, because Ransomware changes its signature per victim. So, it is very difficult to remove ransomware virus in the initial stage.

Types of Ransomware Virus?

Ransomware is many types. However, two major types of Ransomware. But, both of them developed to get money from the user. They will create a wall between you and your system and ask you to pay money using a credit card or bitcoin.
It affected more than 150 countries including a home computer, enterprises and IT professionals, healthcare provider or a government agency.
They can target PC user, online user, and mobile user. In our previous post, we explore how to remove winsnare malware from PC and How to remove shortcut virus from Pen drive. But, Ransomware is a more dangerous virus than malware or Trojan.

Effect of Ransomware attack:

  • Stop certain apps (online banking or browser).
  • Prevent you to get accessing Windows.
  • Encrypt your data files so you can’t use them.

Following types of Ransomware Virus.

Lockscreen ransomware –  It will create a lock between you and windows system. It shows a full-screen message that your files are locked and pay money to get access to your PC. It affected mostly for the home user.

Encrypted Ransomware

Encryption ransomware – It encrypts your files and asks to pay money to decrypt your valuable files. It is one of the online money making tricks for hackers.

First ransomware came in 1989 and a pop-up message that you have done something illegal activity.  So, you are being penalized by a police or government. It is a good plan tactic designed to get money from you. It asks to pay the money without telling anyone.

Once your windows 10 is affected by ransomware, attackers demanded to pay £350 ($500) in Bitcoins within 48 hours. If you fail to pay then, the price will rise. So, to avoid blackmailing protect your computer from ransomware virus.

How ransomware start attacks?

The ransomware worm enters your system through phishing or exposing SMB through the internet. Once the attacker gets remote access, it starts executing remote code. Latest ransomware is a combination of “standard” ransomware and remote code execution ransomware. Thus it is very effective attack create a huge impact on a global level.

Ransomware is also called as WCRY or WannaCrypt. It tries to connect the following domain name.

Ransomware Domain

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com – Found on 13th May 2017.
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com –Found on 15th May 2017.

It creates a connection between your system and above domain. Once it gets a successful connection, it drops malicious code in your system and it called as a dropper. The dropper stops its execution just after connection established between you and attackers domain. If the connection failed, then it again tries to drop the ransomware and create new service on your system.

Dropper doesn’t open any destination address and, thus it is not a proxy-aware. So, to detect ransomware virus attacks a local DNS lookup may be required. If you have local DNS lookup system then using TCP 80 you can block ransomware domain.

Converting to WNCRY extension | Ransomware Encryption.

The Ransomware creates a new service “mssecsvc2.0”.  The function of the thread is to exploit the SMB vulnerability and access computer network connected to the infected computer.

After residing on your system, WCRY virus encrypts all data and rename it. The symptoms of WannaCrypt encryption is it convert all files into .WNCRY file by appending WNCRY at the end. So, your jpg image is converted into .jpg.WNCRY.

Ransomware Encrypted file

It also creates text message file into all the folder. So, you will get @Please_Read_Me@.txt in all folder. But, it is an encrypted file so you can’t read contain the file. It contains ransom message, demanding “ransom” from you.

It also works on following extension and services.

Ransomware extension services

Deleting Volume Shadow Copy Service

After completing the ransomware encryption, the WNCRY deletes the Volume Shadow Copy Service using the following command:

Deleting Volume Shadow Copy Service using CMD

Once delete backup service, it shows below message on your desktop screen.

Ransomware message

The attackers also show the decryption ability by decrypting few files, free of charge.  Once you believe in his ability, attacker demanding pay the ransom to restore the remaining files.

ransomware attack

Spreading in Local network

The worm is reflected itself. So, once he gets computer network it starts reflecting other Windows system. It starts continuous port scanning and IP scanning to find another victim. Due to continuous scanning, it generates a large amount of SMB traffic in a computer network. Using port scanning software like Wireshark you can easily identify it.

When system completely under control of the attacker, it starts to run kernel-level code from public backdoor known as DOUBLEPULSAR.

How to prevent from a ransomware attack?

Even after lots of prevention, your system may infect by ransomware attack. So, before going to remove ransomware virus phase detection is important.

Compared to 1989, today the condition has improved a bit. Lots of antiviruses came into the market. So, using antivirus program you can block ransomware attacks. Day to day backup is essential to keep your data safe. If you have data backup then ransomware can not charge “ransom” from you.

Even all this facility, most people can’t take proper care. Thus ransomware explores your vulnerability. So, you one of them and your Windows system is infected by ransomware then read below guide and remove ransomware virus from Windows computer.

Simple tricks to prevent Ransomware Virus Attack

  • Keep your Operating System up to date.
  • Install license windows 10 and update windows patch.
  • Install antivirus like Avast Pro from here.
  • Backup your important files in an external hard-drive or Google drive.
  • Enable windows firewall.
  • Clear browser cache.
  • Never open phishing link from emails.
  • Delete spams email.
  • Never open email attachment from untrusted source.
  • Use licensed copy Microsoft office. Never go for pirated version.
  • Disable your Remote Desktop.
  • Never shared a folder with full permission.
  • Use two-factor authentication.
  • Create a strong password for internet connection.
  • Try to avoid open Wi-Fi and keep your hotspot secure.
  • Avoid illegal download sites and porn sites, etc.

Advanced Tricks to Prevent Ransomware Virus Infection

  • Update your operating system security patch to MS17010.
  • Verify your software with correct patch.
  • Make sure “kill switch” is reachable without proxy. If not, then set up internal DNS lookup server.
  • Make sure the “kill switch” domain and website are reachable from your network without proxy. If not, setup an internal DNS sinkhole and redirect to an internal website. Do not block access to the website.
  • Disable SMBv1 (typically TCP port 445).
  • Check your registry keys.
  • Update your antivirus and keep up to date.
  • Implement network segmentation and dived into trusted and untrusted segment.

3 Important Fact Helps You to Remove Ransomware Virus

Port 445

Research indicate that nowadays scanning of port 445 increases significantly. Ransomware uses SMB port 445 to enter into your system. port 445 is deeply embedded in Microsoft Windows system and difficult to safely close.

Killswitch

In a corporate network, internal DNS system with Killswitch and internal sinkhole as migration prevent sinkhole server sends a reply. The reply can be “Not found” or “404”. Even single characters reply also fine. But, sometimes just creating a connection without sending anything, will result in malware activation.

Encryption type

Ransomware creates a 2048 bit RSA encryption pair. The private cipher key is encrypted using a public encryption key. New Random Advanced Encryption Standard (AES) key is generated per file and encrypted using public user key. So, decrypt the files author’s private key is required. When your files are encrypted, it appends .wncry extension.

With the help of backdoor, attacker compromise the system further. It also installs Tor to communicate between your system and the ransomware author.

How to remove ransomware Virus from Windows PC?

Using File restore Setting

Ransomware encrypts or corrupted your valuable files like excel or document file. So, file restore is one of the best option to recover your file. Here, you will get how to repair corrupted excel file.
Read- Data recovery tool to recover data from encrypted iPhone backup.

How to restore files or folders in Windows 8 and Windows 10:

  • Click on the left corner of the search button and search “restore your files”.
  • Once you enter, you will get Restore files with History option.
  • Enter the name of your file and hit enter.
  • The system will restore your file to the previous location. If you want to change file location then simply select Restore to and select a new location.

Using above method you can recover infected ransomware virus from Windows 10 and Windows 8.1.

How to restore files or folders in Windows 7 and Windows Vista:

  • Right-click on corrupted the file or folder, and then click Restore previous versions.
  • You’ll get a list of available previous versions. It depends upon your backup and restores point. If your system protection is off, then there are no previous version.
  • Select desired version based on the date of modification.
  • Simply click on Restore button to restore the previous version. Note: you can’t open or copy the backup file. Once you replace change can’t undo.

Use above method and remove ransomware virus from Windows 7 and vista computer.

How to restore files or folders in Windows XP:

Officially Windows XP ended on April 8, 2014. Microsoft officially closed security updates and technical support for the Windows XP. For more details check Support for Windows XP ended.

Still, you are using Windows XP? Yes! Then you are inviting hackers to explore your system.

So, Windows XP user updates your Windows XP to Windows 10. Read the step by step guide how to convert windows XP into Windows 10.

Wanncry ransomware decryption key.

As we know, Ransomware creates a 2048 bit RSA encryption and the private key is encrypted by the public key. Each file has new random AES key and AES encrypted by a public user key. So, to decrypt your encrypted ransomware infected files you need Author’s private key.

Remove Ransomware Virus Ransomware Decryption Key.

The ransomware decryption key is “WNcry@2ol7”. It is the key used to decrypt ransomware infected files. But, it works on some of its components.

 Decrypt ransomware – Password – “WNcry@2ol7”

Ransomware Removal tool – Bitdefender

If your machine infected by ransomware, then Bitdefender is one of the options. It is ransomware removal tool have two option to remove ransomware virus from windows PC.

  • Use Safe Mode with Networking.
  • Safe Mode with Command Prompt.

Let’s go and check how to remove ransomware virus using Bitdefender.

Safe mode with networking

If your Windows PC infected by ransomware virus, then go to blow procedure.

  1. Restart your computer.
  2. Press F8 key and select “safe mode with networking”.
  3. Open your browser.
  4. The Past below link and download Bitdefender tool:

//download.bitdefender.com/removal_tools/BDRemoval_Trojan_Ransom_IcePol.exe

  1. Save Exe file and install it.
  2. Once open, start scanning.
  3. After completion of scanning, Bitdefender will show you complete scanning report. How many ransomware are found and removed?
  4. Close Bitdefender and restart your PC.
  5. Now start your PC in normal mode.

So, using this process you can remove ransomware virus from your Windows PC. Once ransomware removes you will get full control of your system.

Safe Mode with Command Prompt

If ransomware stop your networking option or you don’t have an internet connection, then safe mode with command prompt will help you to remove ransomware virus. Check complete below procedure.

  • Download Bitdefender tool on another computer.
  • Transfer it to a pen drive or any other media.
  • Past Exe files it to your PC.
  • Restart your computer and select “safe mode with command prompt”.
  • In this mode, you will get only command prompt (Black screen).
  • In Command Prompt, enter explorer.exe just after C:\Windows\system32>
  • Browse the location and run Bitdefender.exe
  • Once open, start scanning.
  • So Bitdefender will remove ransomware virus and gives you complete statistics.
  • Finished, restart and login as normal.

Source: https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/

Source: https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Conclusion –

Ransomware is one of the dangerous computer Virus. It is not easy to remove it. But, If you take proper care then you can easily prevent it to infect your windows system. Up to date antivirus and updating windows security patch will stop your system to infected by ransomware.

Here, we listed 3 facts about dangerous ransomware attack. We also explore ransomware removal tool and ransomware decryption key.

So, install updated OS and proper antivirus will help you to remove Ransomware Virus. If you got any update please comment below.

Leave a Comment