Recovering from Screen-Locking Ransomware

Screen-locking ransomware holds your computer hostage by blocking your access to the operating system. When you turn the computer on, all you can see is a ransom note or a message claiming to be from an official source such as the FBI. The note will ask for payment before you can use your computer again.

There is a good chance that this infection happened when you visited a malicious website, clicked a malicious link or opened an infected attachment. 

We want to better understand the impact this issue has had on you. Can you share your experience by filling in this online form? This will help us better protect future victims.

Screen-locking ransomware - Do this first!

Before we start trying to remove the ransomware and give you back access to your files, it is important to do the following:

  1. Disconnect your device from all other devices and the internet to stop the infection spreading any further. Unplug all other devices such as external hard drives and USBs. Disconnect from the wireless or wired internet connection.

  2. Use a camera or a smartphone to take a picture of the ransom note. This will make sure you have a copy should you have any issues further down the line, and it will help when reporting the crime to law enforcement.

Am I going to get my data back? 

Screen-locking ransomware is one of the least effective forms of ransomware. It is common for victims to be able to remove the infection and recover their files. The cyber criminals are trying to scare you into paying the ransom, hoping they come across people who do not know how to get back to normal without paying.

By following the steps below you have a good chance of getting your computer and data back. 

If the threat is to publish your data online then you may also find our Outing guide useful.

Should I Pay the Ransom? 

Our advice is not to pay the ransom, but this is a tricky area. Paying the ransom funds the criminals and perpetuates ransomware as a form of cyber attack. There is also no guarantee that you will receive the information you need to decrypt your files (if the files have actually been encrypted, which doesn’t always happen with screen-locking ransomware) and once a criminal knows you are good for money you become a future target. 

As there is a good chance of getting back to normal with screen-locking ransomware, it is best to focus on following the steps below before you consider payment. For more information on paying a ransom, see our advice here.

Approaches to removing Screen-Locking Ransomware

Depending on the type of ransomware you have there are a number of different ways to try and get your files decrypted. Follow the steps below and stop once you have recovered your files. If you don’t feel confident performing the steps below, get help from someone with more IT experience.

Note that removing the ransomware will not decrypt the files, and once you remove the ransomware you may also remove the ability to pay the ransom and recover your files. Only remove the ransomware if you are confident you can get your files back or you are determined not to pay the ransom.

  1. Restart your computer in Safe Mode and remove the virus with an anti-virus solution - Safe Mode only allows trusted software and processes to run on the computer. This means that malware will not be able to operate. Once in Safe Mode you can download an antivirus tool (or use one if you already have one) to remove the malware.

  2. Try the System Restore feature - many Windows computers will allow you to use the System Restore feature to return to the last known good state. The Microsoft guide on System Restore can be found here. If you can't reach the recovery screens but you have the installation disk or USB stick for that version of Windows, reboot from that and select Repair Your Computer instead of installing the operating system.

If you are not able to remove the infection with these steps, try some of the additional steps here.

Report the Crime

If you are in the USA you can report ransomware to the FBI through their IC3 reporting portal here or to CISA here. You only need to notify one authority, and they will notify others.

How Do I Avoid being infected with screen-locking ransomware again?

  1. Back-Up – having a back-up copy of your files is the best way to beat ransomware. Get an external hard drive and do a regular back-up of your device. Disconnect the external drive after use to make sure it doesn’t get infected too. It is also worth using a cloud service that automatically backs up your files.

  2. Use a good antivirus solution – this will stop the majority of old versions of ransomware and give you an option to remove it quickly if new ransomware gets through.

  3. Do your updates ASAP – when software updates are available, install them as quickly as possible. If possible, turn on automatic updates. The majority of these updates include security fixes that may stop or limit ransomware.

  4. Trust no one – be extremely careful about clicking links or opening attachments in your email or any other messaging platform. Legitimate email accounts can be hacked and used to send malicious messages, and emails can be designed to look exactly like they are from your bank, shop, account etc. Get Safe Online has a good overview of email security here.

Donate

To help people like you we rely 100% on donations from people like you.

Without donations we cannot keep our service free and provide help to the most vulnerable victims of cyber crime when they need it most. As a not-for-profit organization, 100% of your donation goes towards keeping The Cyber Helpline up and running - so 100% goes towards helping people like you. Donate now and help us support victims of cyber crime. 
