
Ransomware

What is ransomware?

Ransomware is a type of malware that stops you from using your PC until you pay a certain amount of money (the ransom).

It is often called "FBI Moneypak" or the "FBI virus" as it often uses the FBI or local police logos and asks you to pay using Green Dot MoneyPak.

There are two types of ransomware:

  • Lock screen ransomware - which uses a full-screen image or webpage to stop you from accessing anything on your PC.

  • Encryption ransomware - which locks your files with a password, stopping you from opening them.

Most ransomware shows a notification that says your local authorities have detected illegal activity on your PC. The notification then demands that you pay a "fine" to avoid prosecution and to get access to your files again.

Note: Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will return your PC to a usable state. The threat of prosecution does not come from a legitimate authority.

There is more information about removing a ransomware infection below.

Examples of ransomware
  • Trojan:Win32/Sofilblock.A
  • Trojan:Win32/Trasbind.A
  • Trojan:Win32/Reveton.C

Frequently asked questions


No. These warnings are fake and have no association with legitimate authorities. The operators of ransomware use the tone, images and logos of legal institutions to give their scam an air of legitimacy.

We don’t recommend you pay the fine. There is no guarantee that handing over the ransom will give you access to your files again. Paying the fine could also make you a target for more malware.

You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

The following government-initiated fraud and scam reporting websites may also help:

If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.

For general information on what to do if you have paid, see:

There are publicly available tools online that can check a computer's IP address. Getting IP addresses is a common behavior for malware - in the case of ransomware, it’s used as another scare tactic.

Ransomware, like other malware, can arrive in a variety of ways. However, in most instances it is automatically downloaded when you visit a malicious website or a website that's been hacked.

Different ransomware families behave differently and have to be removed in different ways. There is more help on removing an infection below.

How do I protect myself against ransomware?

Despite its threatening nature, ransomware is still a type of malware. We recommend the same tips to help keep any malware out of your PC:

Some ransomware may leave your PC or files in an unusable state. We recommend you regularly back up your important files. You can do this with a cloud storage service such as SkyDrive, which is now fully integrated into Windows 8 and Microsoft Office.

How do I remove a ransomware infection from my PC?

The following two methods might help you remove a ransomware infection from your PC.

  • Method 2: Use Windows Defender Offline

    If you’ve tried the Microsoft Safety Scanner and uninstalling then reinstalling your antimalware software and you’re still having an issue, we recommend you download and run Windows Defender Offline.

    Windows Defender Offline is a standalone tool with the latest antimalware updates from Microsoft.

    It’s not a replacement for a full antivirus or antimalware solution that provides ongoing protection. It’s meant to be used when you can’t start or scan your PC because a malware infection is stopping your security software from working.

    Before you begin you will need:

    • A PC that is not infected and is connected to the Internet. You will use this PC to download a copy of Windows Defender Offline.

    • A blank CD, DVD or USB flash drive - use this to run the tool on your infected PC.

    Follow these steps to use Windows Defender Offline:

    1. Use an uninfected PC to download a copy of the tool from here: Windows Defender Offline

      Make sure you download the version that matches the infected PC, not the PC you are downloading on. For example, your desktop PC has been infected with malware and is running a 64-bit version of Windows. Your friend's laptop is not infected, so you use it to download Windows Defender Offline. Even though your friend's laptop is running a 32-bit version of Windows, you choose the 64-bit version of the tool, because that is the version that matches your infected desktop PC.

    2. Install the tool on a blank CD, DVD, or USB flash drive.

    3. Insert the CD, DVD, or USB flash drive into your infected PC and run the tool.

    4. Let the tool clean your PC and remove any infections it finds.

After running the tool, make sure your antimalware software is up to date. You can update Microsoft security software by downloading the latest definitions.

For detailed instructions on using Windows Defender Offline, see the Microsoft Security Blog post Microsoft's Free Security Tools - Windows Defender Offline.

Steps you can take once your PC has been cleaned

  • If you’re running Windows 8, your PC comes with Windows Defender built in. Windows Defender helps guard your PC against viruses, spyware, and other malicious software in real time.

  • If you’re running Windows 7 or Windows Vista, install security software, such as Microsoft Security Essentials or other security software that provides a complete, real-time antimalware solution.

  • Keep your antimalware software up to date by making sure you have the latest definitions.