Ransomware is malware that stops you from using your PC - it holds your PC or files for ransom.
Some versions of ransomware are called "FBI Moneypak" or the "FBI virus" because they use the FBI's logos.
In many cases, a message appears that says illegal activity has been detected on your PC. The message demands you perform some action to get access to your files again.
The message might tell you that you have to pay money, complete surveys, or perform other actions to unlock and use your PC.
There is no guarantee that paying the fine or doing what the ransomware tells you will give you access to your PC or files again.
The threat of prosecution is not real, and using antivirus software such as Windows Defender Offline can remove the messages and give you access again.
No. These warnings are fake and have no association with legitimate authorities. The operators of ransomware use the tone, images and logos of legal institutions to give their scam an air of legitimacy.
We don’t recommend you pay. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.
How to recover your files depends on where your files are stored and what version of Windows you are using.
Before you try to recover files, you should use Windows Defender Offline to fully clean your PC.
As part of its security features, OneDrive creates a version of a Microsoft Office file each time you save or change it.
To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.
OneDrive for Business customers should see the Manage document versions help article on the Office help site.
You need to have turned on File History (in Windows 8.1) or System Protection for previous versions (in Windows 7 and Windows Vista) before you were infected. In some cases, these might have been turned on already by your PC manufacturer or network administrator.
See the Windows Repair and recovery site for help on how to enable file recovery for your version of Windows.
If you've been infected by the Crilock family of ransomware (also called CryptoLocker), you might be able to use the tool mentioned in the MMPC blog:
FireEye and Fox-IT tool can help recover Crilock-encrypted files
You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.
The following government-initiated fraud and scam reporting websites may also help:
In Australia, go to the SCAMwatch website
In Canada, go to the Canadian Anti-Fraud Centre
In France, go to the Agence nationale de la sécurité des systèmes d'information website
In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website
In Ireland, go to the An Garda Síochána website
In New Zealand, go to the Consumer Affairs Scams website
In the United Kingdom, go to the Action Fraud website
In the United States, go to the On Guard Online website
If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.
For general information on what to do if you have paid, see:
What to do if you are a victim of fraud
There are publicly available tools online that can check a computer's IP address. Getting IP addresses is a common behavior for malware - in the case of ransomware, it’s used as another scare tactic.
Ransomware, like other malware, can arrive in a variety of ways. However, in most instances it is automatically downloaded when you visit a malicious website or a website that's been hacked.
Despite its threatening nature, ransomware is still a type of malware. We recommend the same tips to help keep any malware out of your PC:
Install and use an up-to-date antivirus solution (such as Microsoft Security Essentials)
Make sure your software is up-to-date (here's a short list of common software)
Don't click on links or open attachments from untrusted sources
Some ransomware may leave your PC or files in an unusable state. We recommend you regularly back up your important files. You can do this with a cloud storage service such as OneDrive, which is now fully integrated into Windows 8.1 and Microsoft Office.
Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.
If you've already paid, see the question "What should I do if I've paid the scammers?" above.
The following might help you remove a ransomware infection from your PC.
Method 1: Use the Microsoft Safety Scanner in safe mode
First, download a copy of the Microsoft Safety Scanner from a clean, non-infected computer. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected computer.
Try to restart your computer in safe mode:
In Windows 8.1
In Windows 7
In Windows Vista
In Windows XP
When you're in safe mode, try to run the Microsoft Safety Scanner.
If this removes the ransomware, there are a few steps you should take once your PC has been cleaned.
Method 2: Use Windows Defender Offline
Because ransomware can lock you out of your PC, you might not be able to download or run the Microsoft Safety Scanner. If that happens, you will need to use the free tool Windows Defender Offline:
Download Windows Defender Offline
The following articles may help if you're having trouble getting the tool to work:
Windows Defender Offline: frequently asked questions
Microsoft's Free Security Tools - Windows Defender Offline
After you've used Windows Defender Offline, you should update your security software and run a full scan:
Get the latest updates
Steps you can take once your PC has been cleaned
Make sure your PC is protected with antimalware software.
Microsoft has free security software that you can use:
If you have Windows 8.1, your PC comes with antimalware software: Windows Defender.
If you’re using Windows 7 or Windows Vista, you should install antimalware software, such as Microsoft Security Essentials.
You can update Microsoft security software on our updates page.
If you don't want to use Windows Defender or Microsoft Security Essentials, you can download other security software from another company. Just make sure it is turned on all the time, fully updated, and provides real-time protection.