By Ivy / Last update August 27, 2020

In recent years, the ransomware WannaCry (also called WannaCrypt, WanaCrypt0r and Wana DeCrypt0r) has infected more than 1,600 million computers around the world, and its variants may be more threatening. Everyone should take action against ransomware now. If your computer is infected, do not panic: you can follow this ransomware removal guide to remove it in Windows 7/XP/Vista.

About Ransomware Virus

Ransomware is a type of malware that takes control of your computer and demands money (usually in bitcoins). There are two types of ransomware: encryption ransomware like WannaCry, and lockscreen ransomware like Petya, which locks the full screen to prevent you from using your computer and files.

If you can't remove a ransomware virus after infection, or cannot recover locked or encrypted files, here are the solutions.

What Should You Do after Infection?

If you see the alert “Oops, your files have been encrypted” and a demand to pay 300 dollars' worth of bitcoins to decrypt the files, then your computer is infected with the WannaCry virus.

Follow the steps below to remove the ransomware virus and restore files.

1. You should immediately disconnect from the internet so that the virus cannot spread to other computers on your network.

2. Block port 445, because the WannaCry virus infects computers via TCP port 445, which the system opens by default; the Petya variant virus does the same.

3. Remove virus manually.

4. If you have created backups of your files and system, you can directly restore to an earlier state where there is no virus.

How to remove encryption ransomware like WannaCrypt?

After disconnecting from the internet and blocking port 445, remove the ransomware virus as follows:

Remove virus manually

If you are familiar with Windows settings and configurations, you can manually delete the virus. Check Task Manager, the Windows Startup configuration, and the Registry for any suspicious processes or strings. If you find one, disable it and delete the files.

Then type %AppData%, %LocalAppData%, %ProgramData%, and %WinDir% one at a time in the Windows Start search box; each opens a folder in File Explorer, where you can delete the recently created files. Then type “%Temp%” and delete everything from that folder.
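
The manual check described above can be collected into one read-only report before anything is deleted. This PowerShell script is an added example, not part of the original guide; the 7-day window and the function names are assumptions, and it sticks to cmdlets available in the PowerShell version shipped with Windows 7.

```powershell
# Added example: read-only triage of the locations named above. Nothing is deleted.
$days  = 7                              # assumption: window that covers the infection date
$since = (Get-Date).AddDays(-$days)
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) |
    Where-Object { $_ } | Select-Object -Unique

function Get-AutostartEntry {
    # Run/RunOnce values for the machine and for the current user
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $item.GetValue($name)
            }
        }
    }
}

function Get-UserPathProcess {
    # Running processes whose executable sits under a user-writable root
    Get-Process | Where-Object {
        $path = $_.Path
        $path -and ($roots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } | Select-Object Id, ProcessName, Path
}

function Get-RecentFile {
    param([datetime]$Since)
    $hits = @(foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since }
    })
    # %WinDir% is checked at top level only; recursing it is slow and noisy
    $hits += @(Get-ChildItem -Path $env:WINDIR -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since })
    $hits | Sort-Object FullName -Unique | Sort-Object CreationTime -Descending |
        Select-Object CreationTime, Length, FullName
}

Get-AutostartEntry  | Format-Table Key, Name, Command -AutoSize -Wrap
Get-UserPathProcess | Format-Table -AutoSize
Get-RecentFile -Since $since | Format-Table -AutoSize
```

Review the three tables against software you know you installed; an autostart command or running process that points into one of these folders and appeared around the infection date is the first thing to disable.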

You can also use the security tool Microsoft Safety Scanner to perform a full scan and help you remove the ransomware virus. However, it does not provide real-time virus protection. If your computer is running Windows 7, you can download Microsoft Security Essentials to guard your PC against viruses and malware. In Windows 10/8/8.1, the built-in security tool Windows Defender can help you do that.

If you can’t remove the virus manually, you could try a professional ransomware decryptor tool to decrypt the encrypted files, such as Kaspersky, Phobos ransomware decryptor, Gandcrab ransomware decryption tool, etc.

Restore system and files from the previous backup

If you created backups of your files and system beforehand, you can restore files easily:

1. At PC startup, press F8 repeatedly to enter Advanced Boot Menu.

2. Select Repair Your Computer and press Enter.

3. You may need to log on with your Windows account, and then click System Restore.

If you have a Windows installation disc or system repair disc, you can also boot your computer from it to use the recovery options.

If you have no backups, you should create a backup now and then try to remove the virus, in case variants of WannaCry delete all your encrypted files. A decryption tool is probably on the way. Once it is out, you can have your files back.

Back up your files in PE mode

If you did not create backups before, please back up your files in the Windows PE environment.

To back up files without the virus running, you should perform the backup in Windows PE mode. The backup image has to have a special format which is not in the ransomware target list. Therefore, we recommend AOMEI Backupper Free for the WannaCry ransomware.

Back up files with AOMEI Backupper Free

1. Download this free backup software and run it. Connect a USB flash drive or CD/DVD.

2. Click Create Bootable Media and then create a bootable disk as instructed.

3. Restart your computer. When you see the computer logo, press a specific key repeatedly to bring up the Boot Menu and set it to boot from the boot media.

4. When AOMEI Backupper has fully loaded, click Backup and then select “File Backup” to back up your files. You can also select Partition Backup to back up one or more partitions.

5. Click Add File or Add Folder to include the items you want to back up.

6. Click Step 2 to specify the target location to receive the backup image.

7. Click Start Backup to start this backup.

How to remove lockscreen ransomware like Petya

Lockscreen ransomware blocks you from accessing Windows and any files in it. If the Petya ransomware infects your computer, after about an hour it will reboot your computer and start to encrypt files. During the reboot, you should shut down your PC to prevent files from being encrypted. If you miss that chance to shut down your computer, then you can run anti-virus software in Safe Mode.

1. Use a working computer to download anti-virus software like Microsoft Safety Scanner onto a USB flash drive or CD.

2. Connect it to the infected computer.

3. At computer startup, press F8 to enter Advanced Boot Menu. Then select Windows Safe Mode.

4. In safe mode, open the security tool to scan your PC and then remove the ransomware virus.

Once again, if you have created backups beforehand, you can restore your PC to an earlier date to remove the virus and regain control of your PC.

How to Prevent Ransomware in the Future?

Ransomware, including WannaCry, the largest cyber attack in history, should not be able to touch your PC if it is running a fully updated copy of Windows. Therefore, you should:

1. Download and install the Windows patch MS17-010.

2. Update Windows to the latest version.

3. If you do not or cannot update Windows, you can disable port 445 and turn off the SMB feature.

4. Always enable the firewall and update anti-virus software.

5. Back up your computer on a regular basis.
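
Both the "Block port 445" step in the removal procedure and item 3 of this list come down to the same two settings, so one script covers them. It is an added example, not part of the original guide: the rule name and function names are assumptions, "turn off the SMB feature" is taken to mean the SMBv1 server, and it uses netsh and the registry so that it runs on Windows Vista/7 from an elevated PowerShell prompt.

```powershell
# Added example: report, and optionally close, the SMB exposure on this PC.
$apply     = $false                     # set to $true to make the changes
$ruleName  = 'Block-Inbound-SMB-445'    # hypothetical rule name, no spaces
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbExposure {
    # netstat prints one line per socket; look for a LISTENING socket on :445.
    # This stays true after the firewall rule is added: the rule blocks inbound
    # connections, it does not stop the service from listening.
    $listening = [bool](netstat -ano | Select-String ':445\s+\S+\s+LISTENING')
    # An absent SMB1 value means the OS default, which is enabled on Vista/7
    $p = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = (-not $p) -or ($p.SMB1 -ne 0)
    # netsh exits non-zero when no rule with this name exists
    netsh advfirewall firewall show rule name=$ruleName | Out-Null
    $blocked = ($LASTEXITCODE -eq 0)
    New-Object PSObject -Property @{
        Port445Listening  = $listening
        Smb1ServerEnabled = $smb1
        BlockRulePresent  = $blocked
    }
}

function Set-SmbHardening {
    $state = Get-SmbExposure
    if (-not $state.BlockRulePresent) {
        # Inbound block for TCP 445, the port the guide says WannaCry arrives on
        netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=445 | Out-Null
    }
    if ($state.Smb1ServerEnabled) {
        # Turns off the SMBv1 server; takes effect after a reboot
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

'Before:'
Get-SmbExposure | Format-List
if ($apply) {
    Set-SmbHardening
    'After (the SMB1 change needs a reboot):'
    Get-SmbExposure | Format-List
}
```

The block rule stops this PC from serving file and printer shares to other machines, and it only has an effect while Windows Firewall is enabled (item 4).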

After you fully remove the ransomware virus, you should create a backup of your system and files. Although backing up may seem an old routine, it is the most effective defense against ransomware or any other unexpected issues.