Ransomware

What is ransomware?

Ransomware is malware that stops you from using your PC - it holds your PC or files for ransom.

Some versions of ransomware are called "FBI Moneypak" or the "FBI virus" because they use the FBI's logos.

In many cases, a message appears that says illegal activity has been detected on your PC. The message demands you perform some action to get access to your files again.

The message might tell you that you have to pay money, complete surveys, or perform other actions to unlock and use your PC.

There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.

The threat of prosecution is not real, and using antivirus software such as Windows Defender Offline can remove the messages and give you access again.

Frequently asked questions

No. These warnings are fake and have no association with legitimate authorities. The operators of ransomware use the tone, images and logos of legal institutions to give their scam an air of legitimacy.

We don’t recommend you pay. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.

In some cases, you can recover or restore previous versions of your files. However, the following conditions must be in place:

  • System Restore Point must have been turned on before you were infected with the malware.

  • You must already have detected and removed the malware, and there can be no traces of it on your PC. You can use Windows Defender Offline to fully clean your PC.

  • Your files must be on the same PC you're using to recover them (they can't be on a network or removable drive).

If you've been infected by the Crilock family of ransomware (also called CryptoLocker), you might be able to use the tool mentioned in the MMPC blog:

OneDrive for Windows 8.1 also has a means of restoring previous versions of Microsoft documents. Similar to System Restore Point, you can look at the version history and recover files:

  1. Right-click on a document and click Version history.

  2. You can then look at previous versions of the document, so you can go back to a version that hasn't been encrypted or changed by malware.

You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

The following government-initiated fraud and scam reporting websites may also help:

If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.

For general information on what to do if you have paid, see:

There are publicly available tools online that can check a computer's IP address. Getting IP addresses is a common behavior for malware - in the case of ransomware, it’s used as another scare tactic.

Ransomware, like other malware, can arrive in a variety of ways. However, in most instances it is automatically downloaded when you visit a malicious website or a website that's been hacked.

Despite its threatening nature, ransomware is still a type of malware. We recommend the same tips to help keep any malware out of your PC:

Some ransomware may leave your PC or files in an unusable state. We recommend you regularly back up your important files. You can do this with a cloud storage service such as OneDrive, which is now fully integrated into Windows 8.1 and Microsoft Office.

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see the question "What should I do if I've paid the scammers?" above.

The following might help you remove a ransomware infection from your PC.

Steps you can take once your PC has been cleaned

Make sure your PC is protected with antimalware software.

Microsoft has free security software that you can use:

If you don't want to use Windows Defender or Microsoft Security Essentials, you can download other security software from another company. Just make sure it is turned on all the time, fully updated, and provides real-time protection.

Examples of ransomware
Ransom:Win32/Adslock.A
Ransom:Win32/Cribit.A
Ransom:Win32/Crilock.A