Ransomware stops you from using your PC. It holds your PC or files for "ransom". This page describes what ransomware is and what it does, and provides advice on how to prevent and recover from ransomware infections.
You can also read our blog about ransomware: The 5Ws and 1H of ransomware.
On this page:
There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.
They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
Prevent you from accessing Windows.
Encrypt files so you can't use them.
Stop certain apps from running (like your web browser).
Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
No. These warnings are fake and have no association with legitimate authorities. The message uses images and logos of legal institutions to make the it look authentic.
There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.
How to recover your files depends on where your files are stored and what version of Windows you are using.
Before you try to recover files, you should use Windows Defender Offline to fully clean your PC.
OneDrive creates a version of Microsoft Office files when you save or change the file as part of its security features.
To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.
OneDrive for Business customers should see the Manage document versions help article on the Office help site.
You need to have turned on File History (in Windows 10 and Windows 8.1) or System Protection for previous versions (in Windows 7 and Windows Vista) before you were infected. In some cases, these might have been turned on already by your PC manufacturer or network administrator.
Some ransomware will also encrypt or delete the backup versions of your files. This means that even if you have enabled File History, if you have set the backup location to be a network or local drive your backups might also be encrypted. Backups on a removable drive, or a drive that wasn't connected when you were infected with the ransomware, might still work.
See the Windows Repair and recovery site for help on how to enable file recovery for your version of Windows.
If you've been infected by the Crilock family of ransomware (also called CryptoLocker), you might be able to use the tool mentioned in the MMPC blog:
You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.
The following government-initiated fraud and scam reporting websites may also help:
In Australia, go to the SCAMwatch website
In Canada, go to the Canadian Anti-Fraud Centre
In France, go to the Agence nationale de la sécurité des systèmes d'information website
In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website
In Ireland, go to the An Garda Síochána website
In New Zealand, go to the Consumer Affairs Scams website
In the United Kingdom, go to the Action Fraud website
In the United States, go to the On Guard Online website
If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.
For general information on what to do if you have paid, see:
Your IP address is not usually hidden, and there are lots of tools online that will get it for you. It’s likely they used such a tool.
In most instances ransomware is automatically downloaded when you visit a malicious website or a website that's been hacked.
For other ways malware, including ransomware, gets on your PC, see:
Install and use an up-to-date antivirus solution (such as Microsoft Security Essentials).
Make sure your software is up-to-date.
Avoid clicking on links or opening attachments or emails from people you don't know or companies you don't do business with.
Ensure you have smart screen (in Internet Explorer) turned on.
Regularly backup your important files.
You can backup your files with a cloud storage service that keeps a history or archive of your files, such as OneDrive which is now fully integrated into Windows 10 and Windows 8.1, and Microsoft Office.
After you've removed the ransomware infection from your computer, you can restore previous, unencrypted versions of your Office files using "version history".
See the question "How do I get my files back?" above for more help on how to use this feature in OneDrive.
For more tips on preventing malware infections, including ransomware infections, see:
How to remove the ransomware depends on what type it is.
You can try to unlock your browser by using Task Manager to stop the web browser's process:
Open Task Manager. There are a number of ways you can do this:
Right-click on an empty space on the taskbar and click Task Manager or Start Task Manager.
In the list of Applications or Processes, click on the name of your web browser.
Click End task. If you are asked if you want to wait for the program to respond, click Close the program.
In some workplaces, access to Task Manager may be restricted by your network administrator. Contact your IT department for help.
When you open your web browser again, you may be asked to restore your session. Do not restore your session or you may end up loading the ransomware again.
See the question “How do I protect myself from ransomware” above for tips on preventing browser-based ransomware from running on your PC.
Method 1: Use the Microsoft Safety Scanner in safe mode
First, download a copy of the Microsoft Safety Scanner from a clean, non-infected PC. Copy the downloaded file to a blank USB drive or CD, and then insert it into the infected PC.
Try to restart your PC in safe mode:
When you're in safe mode, try to run the Microsoft Safety Scanner.
Method 2: Use Windows Defender Offline
Because ransomware can lock you out of your PC, you might not be able to download or run the Microsoft Safety Scanner. If that happens, you will need to use the free tool Windows Defender Offline:
See our advanced troubleshooting page for more help.
Make sure your PC is protected with antimalware software.
Microsoft has free security software that you can use:
If you have Windows 10 or Windows 8.1, your PC comes with antimalware software: Windows Defender.
If you’re using Windows 7 or Windows Vista, you should install antimalware software, such as Microsoft Security Essentials.
You can update Microsoft security software on our updates page.
If you don't want to use Windows Defender or Microsoft Security Essentials, you can download other security software from another company. Just make sure it is turned on all the time, fully updated, and provides real-time protection.
There are two types of ransomware – lockscreen ransomware and encryption ransomware.
Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.
Older versions of ransom usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.
Newer versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.
Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:
Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.
That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:
Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
If you’re ever unsure – don’t click it!
Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
Check our frequently asked questions for more information about ransomware, including troubleshooting tips in case you’re infected, and how you can backup your files to help protect yourself from ransomware.
The number of enterprise victims being targeted by ransomware is increasing. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing – and these in fact may be techniques used to gain access to the network).
The sensitive files are encrypted, and large amounts of money are demanded to restore the files. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.
Due to the encryption of the files, it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which only the attackers will have access to.
The best advice for prevention is to ensure company-confidential, sensitive, or important files are securely backed up in a remote, un-connected backup or storage facility.OneDrive for Business can assist in backing up everyday files.
Globally, ransomware continues to be a problem. In particular, we’ve seen increases in Italy and the eastern seaboard of the US.
The past six months (between December 2015 and May 2016) have seen the rise of Tescrypt globally. Crowti remains near the top of the pack, as does Brolo and FakeBsod.
Reveton has also dropped down the ladder, now at 1% of the top 10 share, down from 7% for the preceding 6 months.
Figure 1. Top 10 Ransomware (December 2015 to May 2016)
Figure 2. Top 10 Ransomware (June to November 2015)
For the top 10 countries with the most detections, the United States takes a full half of all detections. Italy is second, followed closely by Canada, Turkey, and the United Kingdom. After that the distribution is spread across the globe.
Figure 3: Top 10 countries (December 2015 to May 2016)
The greatest detections in the US were for FakeBsod, followed by Tescrypt and Brolo. Tescrypt was also prevalent in Italy.
Figure 4: Top detections in top countries (December 2015 to May 2016)
An example of the fake warning message is shown in Figure 5:
Figure 5: Message used by FakeBsod to lock your web browser
You can regain control of your web browser without paying anything by closing the warning message using the Task Manager.
When you reopen your browser, make sure you don't click Restore previous session.
Read more about this threat in the Ransom:JS/FakeBsod.A description.
I want to...