It’s one of the most dreaded malware experiences you can have: Your computer freezes on a screen message that demands money or all your data will be destroyed. Ransomware is a serious problem, but it is possible to recover from it.
CSO’s Steve Ragan has deliberately infected a computer with the Locky ransomware so he can show you step-by-step how you might get your data back on a Windows 10 system. Note that this process assumes you have backed up your computer prior to the ransomware attack. A summary of the video follows.
0:16 – Reboot Windows 10 to safe mode. Hold down the Shift button, and click Restart. When the computer's back up, you'll see that you have three options to pick from. Click Troubleshoot. Once that screen comes up, click Advanced Options and then Startup settings. From there, click Restart.
This will put your computer into a selective boot mode. Once the computer boots out of BIOS and comes back into the operating system, you're going to be shown a list. This list requires your function keys: F1, F2, etc. Press F4 for Safe mode.
2:35 – Install anti‑malware software. Once Safe mode is loaded, you need to install some anti‑malware. Steve downloaded and installed Malwarebytes and HitmanPro. Both are free. The goal is to find and remove Locky, though there's no guarantee the tools will succeed.
3:00 – Scan the system to find the ransomware program. The passive scan with Malwarebytes detected and removed Locky, requiring a reboot. The reboot returns you to the normal desktop. At this point, boot back into Safe mode and open Malwarebytes again.
Select the Custom scan. Configure that to scan all of drive C and all of drive E if you suspect the malware resides there as well. On the left side of the screen, check the box that says Rootkits and then hit Scan. This scan will take some time. Then run HitmanPro to see if it finds anything that Malwarebytes missed.
4:55 – Restore the computer to a previous state. Right‑click on the Start button and go to System. Click on System Protection, and you see System Restore. You should see an automatic restore point from before the computer was infected. Once the restore has started, you can't stop it.
Right‑click on the Start button and go to Control Panel. Select Backup and Restore to restore your files from a backup. Hit Restore and Finish.