Zetta Blog


How to Remove Ransomware After an Attack

by Maggie Getova

Ransomware: What Is It and What Can You Do to Recover?

Ransomware is computer malware (sometimes referred to as a virus) that blocks access to files, usually by encrypting them. The attackers send a message directing users to send them money via hard-to-trace bitcoins, and the attackers send the encryption key in exchange (if the user is lucky). Hackers usually trick users into installing the ransomware via email or downloads on an endpoint device. If the PC is networked, the malware can also spread to other devices, and the network itself might be the point of attack.

It’s bad enough when a home user gets hit for several hundred dollars to ransom their locked-down data. It’s quite another when a hapless employee downloads ransomware that proceeds to spread throughout the company network; the consequences can be very severe for businesses.

Unfortunately, this is hardly a rare occurrence. The FBI estimates that there are over 4000 ransomware attacks occurring every day in the United States alone. Ransom payments and lost time and productivity cost businesses and individuals $1 billion in 2016.

Hollywood Presbyterian Hospital is just one of these ransomware victims. They experienced a serious ransomware attack in February of 2016, during which their doctors could not access patient medical records, and incoming patients had to be transported to other hospitals. Going too long without access to patient data can have very dire consequences for hospitals, and hackers are very well aware of that. They demanded $17,000 in bitcoins for the encryption key, and after two weeks of trying to recover on their own, the hospital gave in and paid the hefty ransom.


The Three Stages of a Ransomware Attack

Some ransomware attacks lock a computer screen until the user pays up. But the most common type of ransomware is 3-step cryptoviral extortion. There are three stages:  

  1. The attacker generates a pair of encryption keys. He puts the public key in the malware program and sends it to his pirated email list. The malware usually presents itself as an attachment or a download link.
  2.  The victim receives the email and opens it, at which point the malware generates a random key, called a symmetric key. The malware then encrypts the victim's data and the public key encrypts the symmetric key. Without the keys the data remains encrypted and unavailable to the victim.
  3. The malware generates a message to the victim demanding an amount of money and tells them exactly where and how to send it. If the user pays, the attacker deciphers the public key with his private key, and sends the encryption code to the user… if the user is lucky. Sometimes the attacker may not even bother sending it.


Notable Ransomware Types

When dealing with ransomware, it helps to know what type, strain, or family of ransomware you are dealing with, since every ransomware type has a signature and varies in its encryption method - and some are more difficult to remove than others. By knowing what you’re facing you can determine the most effective ways and tools you can use to remove the ransomware from your machine without having to pay the ransom.



Locky is currently one of the most widespread ransomware families, and first came about in 2016. This was the ransomware which became famous for getting the Los Angeles hospital to pay up $17,000 after taking down their network. Locky spreads through Word or Zip files attached to spam emails. Once the user clicks on the file, he/she is prompted to enable Office macros, which then lets the malware run on their machine. After the files are encrypted, Locky puts the ransomware note on the user’s desktop wallpaper, which lists instructions on the steps he/she needs to take to pay the ransom.

Locky Ransomware Note




TeslaCrypt is a ransomware which first appeared in 2015. As of May 2016, TeslaCrypt attacks were responsible for 58% of ransomware attacks, according to Kaspersky Lab’s quarterly report on malware. When TeslaCrypt first appeared, it encrypted video game files generated by games like World of Warcraft, and held users’ machines for ransom for $500. Eventually, security researchers created a tool which allowed users to decrypt their files on their own. Interestingly, in 2016 the hackers in control of TeslaCrypt released the master decryption key and stopped spreading the ransomware:  

Teslacript ransomware note




Cryptowall first came on the scene in 2014 and has gone through some different versions since then, including CryptoDefense, CryptoBit, CryptoWall 2.0, 3.0, etc. This ransomware stands out among others as it gives users the ability to decrypt a single file through a one-time-use service to demonstrate that they need a decryption key to recover access to their files. The ransomware is spread through couple of different methods, including in emails which appear to come from financial institutions, other spam mail, and web pages which show malicious ads. Cryptowall demands that its victims pay $700, which doubles after it isn’t paid within a week to $1400. The most recent version of the ransomware, Cryptowall 4.0 has changed its code to help it avoid antivirus detection, and encrypts both the data and file names.

Cryptowall ransomware note




First seen in mid-2014, this ransomware’s creators spread it to victims through an affiliate program. The authors manage the ransomware, and affiliates pay a fee to access it and find victims through spam email campaigns of their creation or malicious sites linked to exploit kits. The ransom note also has the option to appear in a number of different European languages, which makes it a popular international ransomware type (most infections take place in North America, Western Europe and Australia). Once the user’s data has been encrypted, CTB-Locker displays the ransom note on the computer desktop wallpaper. The user is given 96 hours to make the payment.

CTB Locker Ransom Prompt




This ransomware strain was first seen in 2014 and used spam emails in order to spread to victims. Not only does TorrentLocker encrypt the victim’s files and demand payment, it also spreads spam emails containing the virus to the contacts it finds in the user’s system. This strain of ransomware tries deleting Windows volume shadow copies, which the user can use to restore an older version of their data before the ransomware hit. TorrentLocker typically demands about $550 to be paid in Bitcoin from the victim within three days.

TorrentLocker ransom note



CryptoLocker - No Longer Active

We can’t talk about ransomware without mentioning CryptoLocker. Notable for being the first ransomware which encrypted data with different and randomly generated symmetric keys for each file, this instance of ransomware first came about in 2013. The ransom note demands payment, so the user can receive a private asymmetric key necessary to decrypt their data. If the victim failed to pay the ransom within their given timeframe, the price increased to approximately $2300. Fortunately, Cryptolocker ended in 2014 with the help of a U.S. Department of Justice operation. It’s estimated that the hackers involved received about $3 million or more in ransom payments prior to being shut down.

Cryptolocker ransomware note



Should We Just Pay The Ransom?

No matter what type, once ransomware hits and starts to spread through the network, many businesses decide to pay as a cost of doing business. The philosophy is the same as avoiding litigation: it is often cheaper to settle instead of going to trial. IBM Security recently reported that nearly 70% of businesses paid hackers if the encrypted data was critical to the business such as customer records, financial data, or intellectual property.

This may work in the short term, but in the long term this response is shortsighted. Paying the hackers encourages them to keep on doing it to other victims. Instead, protect your data against attack with backup, security, and ransomware removal tools. Don’t buy into their extortion game.


How to Prevent Ransomware Attacks

Proactivity is key when it comes to ransomware prevention. Here are some steps you should take in order to ensure your organization doesn’t get hit by ransomware:

  • Don’t download attachments from unknown senders. Most ransomware attacks come from downloading files and giving permissions to applications to run on your machine, which then install the ransomware.
  • Stay up to date. Be sure to keep your application, OS, browser and plug-ins all up to date. Hackers take advantage of users who have out of date software to infiltrate their systems through those vulnerabilities.
  • Secure your machine. Use an anti-virus program and Firewall at all times. These will help prevent malware like ransomware from getting installed onto your machine.
  • Keep a copy of your data offsite. That ensures that if a ransomware hits your machine you can recover it in its latest version and return to running as usual.

For a full list on ransomware prevention tips and keeping your machine protected, check out our Ransomware Prevention Checklist.


The Importance of Backup

Backup is critical when it comes to recovering from a ransomware attack. Doing regularly scheduled backups allows you to immediately recover and replace the encrypted data with the latest version of your data. For example, ransomware hit one company. Just six months earlier they had invested in continuous backup using a backup appliance. The appliance was not in the infected data stream, and in a few hours the company had wiped infected drives and restored from server images and backed up data.

Cloud-based backups also work very well to protect backups and restore good data to an infected environment. Set proactive policies and schedules, since the more often you backup your data, the less data you will lose in the event of an attack.


Find out how Zetta's patented technologies help you recover data fast.

Zetta DataProtection


By the way, be careful not to confuse file synchronization services such as Google and OneDrive to actual backup. If your data has been encrypted, then an automatic sync will simply distribute that encrypted data. Only backup that captured the data before the ransomware infection can be used to replace encrypted files, and only backed up server and PC images will quickly restore machines and applications.


Ransomware Removal Tools for Business

If an attack does occur and you cannot simply wipe and restore your data, then ransomware removal tools are your best defense. Most of these tools are consumer freeware. They can still work for business, since business attacks usually occur from an employee’s email or a browser page. If the tool is activated before the malware spreads through the network, then you can recover most if not all the encrypted data without paying the hacker the ransom.

However, if the damage has reached the network or originated in the network, there are more sophisticated products that IT departments should have ready.


SMB and Mid-Sized Ransomware Removal Tools


Enterprise and Ransomware

The enterprise shop has different security requirements. The enterprise -- and legally regulated business of any size -- should establish an information security team, InfoSec. Heavy-duty offerings like IBM Security Operations and Response Platform is an example, and many companies sign up with security consultants who monitor and remediate threats from a NOC.

No matter which security tools you use, remember that backup is one of the best defenses when it comes to dealing with the aftermath of a ransomware attack. Invest in a backup platform or backup service that fully backs up your critical data on a daily basis, and restores it quickly in the event of corruption or encryption. That way if ransomware ever attacks your system, it becomes a mere annoyance instead of serious hit that could damage business.

Maggie Getova
Maggie G

Maggie is a content writer and editor at Zetta. She writes for the blog and manages web content.