Skip to main content

Ransomware infection means that your data has been encrypted or your operating system is being blocked by cybercriminals. These criminals usually demand a ransom in return for decrypting the data. Ransomware can find its way onto a device in many different ways. The most common routes include infections from malicious websites, unwanted add-ons in downloads and spam. Targets of ransomware attacks include both individuals and companies. Various measures can be taken to protect against ransomware attacks, with a watchful eye and the right software being important steps in the right direction. A ransomware attack means either the loss of data, spending large sums of money, or both.

Detecting ransomware

How do you know if your computer is infected? Here are some ways to detect a ransomware attack:

  • Anti-virus scanner sounds an alarm – if the device has a virus scanner, it can detect ransomware infection early, unless it has been bypassed.
  • Check file extension – for example, the normal extension of an image file is ".jpg". If this extension has changed to an unfamiliar combination of letters, there may be a ransomware infection.
  • Name change – do files have different names than those you gave them? The malicious program often changes the file name when it encrypts data. This could therefore be a clue.
  • Increased CPU and disk activity – increased disk or main processor activity may indicate that ransomware is working in the background.
  • Dubious network communication – software interacting with the cybercriminal or with the attacker's server may result in suspicious network communication.
  • Encrypted files – a late sign of ransomware activity is that files can’t be opened.

Finally, a window containing a ransom demand confirms that there is a ransomware infection. The earlier the threat is detected, the easier it is to combat the malware. Early detection of an encryption Trojan infection can help to determine what type of ransomware has infected the end device. Many extortion Trojans delete themselves once the encryption has been executed so that they cannot be examined and decrypted.

A ransomware infection has occurred – what are your options?

Ransomware is generally divided into two types: locker ransomware and crypto ransomware. A locker ransomware virus locks the entire screen, while crypto ransomware encrypts individual files. Regardless of the type of crypto Trojan, victims usually have three options:

  1. They can pay the ransom and hope the cybercriminals keep their word and decrypt the data.
  2. They can try to remove the malware using available tools.
  3. They can reset the computer to factory settings.

Removing encryption Trojans and decrypting data – how it's done

Both the type of ransomware and the stage at which ransomware infection is detected have a significant impact on the fight against the virus. Removing the malware and restoring the files is not possible with every ransomware variant. Here are three ways to fight an infection.

Detecting ransomware – the sooner the better!

If the ransomware is detected before a ransom is demanded, you have the advantage of being able to delete the malware. The data that has been encrypted up to this point remains encrypted, but the ransomware virus can be stopped. Early detection means that the malware can be prevented from spreading to other devices and files.

If you back up your data externally or in cloud storage, you will be able to recover your encrypted data. But what can you do if you don't have a backup of your data? We recommend that you have a reliable Internet security solution in place. There may already be a decryption tool for the ransomware you have fallen victim to. You can also visit the website of the No More Ransom project. This industry-wide initiative was launched to help all victims of ransomware.

Learn more about Kaspersky PremiumInstructions for removing file encryption ransomware

If you have been the victim of a file encryption ransomware attack, you can follow these steps to remove the encryption Trojan.

Step 1: Disconnect from the internet

First, remove all connections, both virtual and physical. These include wireless and wired devices, external hard drives, any storage media and cloud accounts. This can prevent the spread of ransomware within the network. If you suspect that other areas have been affected, carry out the following backup steps for these areas as well.

Step 2: Conduct an investigation with your internet security software

Perform a virus scan using the internet security software you have installed. This helps you identify the threats. If dangerous files are found, you can either delete or quarantine them. You can delete malicious files manually or automatically using the antivirus software. Manual removal of the malware is only recommended for computer-savvy users.

Step 3: Use a ransomware decryption tool

If your computer is infected with ransomware that encrypts your data, you will need an appropriate decryption tool to regain access. At Kaspersky, we are constantly investigating the latest types of ransomware so that we can provide the appropriate decryption tools to counter these attacks.

Step 4: Restore your backup

If you have backed up your data externally or in cloud storage, create a backup of your data that has not yet been encrypted by ransomware. If you don't have any backups, cleaning and restoring your computer is a lot more difficult. To avoid this situation, it is recommended that you regularly create backups. If you tend to forget about such things, use automatic cloud backup services or set alerts in your calendar to remind you.

How to remove screen-locking ransomware

In the case of screen-locking ransomware, the victim is first faced with the challenge of actually getting to the security software. By starting the computer in Safe Mode, there is a possibility that the screen-locking action will not load and the victim can use their antivirus program to combat the malware.

Paying the ransom – yes or no?

Paying the ransom isgenerally not recommended. As with a policy of non-negotiation in a real-life hostage situation, a similar approach should be followed when data is taken hostage. Paying the ransom is not recommended because there is no guarantee that the extortioners will actually fulfill their promise and decrypt the data. In addition, payment could encourage this type of crime to flourish. .

If you do plan to pay the ransom, you should not remove the ransomware from your computer. In fact, depending on the type of ransomware or the cybercriminal's plan with respect to decryption, the ransomware may be the only way to apply a decryption code. Premature removal of the software would render the decryption code – bought at great cost – unusable. But if you have actually received a decryption code and it works, you should remove the ransomware from the device immediately after the data has been decrypted.

Types of ransomware: What are the differences in terms of how to proceed?

There are many different types of ransomware, some of which can be uninstalled in just a few clicks. In contrast, however, there are also widespread variants of the virus that are considerably more complex and time-consuming to remove.

Different options for removing and decrypting the infected files exist, depending on the type of ransomware. There is no universally applicable decryption tool that works for all the many different ransomware variants.

The following questions are important when it comes to the proper removal of ransomware:

  • What type of virus has infected the device?
  • Is there a suitable decryption program and if so, which one?
  • How did the virus find its way into the system?

Ryuk may have entered the system via Emotet, for example, which implies a difference in the way the problem is dealt with. If it is a Petya infection, Safe Mode is a good way to remove it. More about the different ransomware variants can be found here.


Even with the best security precautions, a ransomware attack can never be ruled out with complete certainty. If the worst comes to the worst, excellent Internet security software, such as that from Kaspersky, good preparation and careful action can help to mitigate the consequences of an attack. By keeping in mind the warning signs of a ransomware attack, you can detect and fight an infection early on. However, even if a ransom has been demanded, you have various options and can choose the right one depending on your specific situation. Remember that backing up your data regularly will greatly reduce the impact of an attack.

Kaspersky Internet Security received two AV-TEST awards for the best performance & protection for an internet security product in 2021. In all tests Kaspersky Internet Security showed outstanding performance and protection against cyberthreats.

Related Articles:

Removing ransomware | Decrypting data – how to kill the virus

Detecting encryption Trojans, removing ransomware from your computer, and decrypting your data. Here's how to do it.
Kaspersky Logo