Ransomware

Ransomware is a type of malware that stops you from using your PC until you pay a certain amount of money (the ransom).
It is often called "FBI Moneypak" or the "FBI virus" as it often uses the FBI or local police logos and asks you to pay using Green Dot MoneyPak.
There are two types of ransomware.

Lock screen ransomware - which uses a full-screen image or webpage to stop you from accessing anything on your PC.
Encryption ransomware - which locks your files with a password, stopping you from opening them.
Most ransomware shows a notification that says your local authorities have detected illegal activity on your PC. They then demand you pay a "fine" to avoid prosecution and to get access to your files again.
Note: Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will return your PC to a usable state. The threat of prosecution does not come from a legitimate authority.
There is more information about removing a ransomware infection below.

Examples of ransomware

Frequently asked questions

Is it true that the legal authorities in my area have detected illegal activities in my PC?

No. These warnings are fake and have no association with legitimate authorities. The operators of ransomware use the tone, images and logos of legal institutions to give their scam an air of legitimacy.

I cannot access my PC or my files. Should I just go ahead and pay to regain access?

We don’t recommend you pay the fine. There is no guarantee that handing over the ransom will give you access to your files again. Paying the fine could also make you a target for more malware.

What should I do if I've paid the scammers?

You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.
The following government-initiated fraud and scam reporting websites may also help:

• In Australia, go to the SCAMwatch website
• In Canada, go to the Canadian Anti-Fraud Centre
• In France, go to the Agence nationale de la sécurité des systèmes d'information website
• In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website
• In Ireland, go to the An Garda Síochána website
• In New Zealand, go to the Consumer Affairs Scams website
• In the United Kingdom, go to the Action Fraud website
• In the United States, go to the On Guard Online website

If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.
For general information on what to do if you have paid, see:

• What to do if you are a victim of fraud

How did the scammers know my IP address?

There are publicly available tools online that can check a computer's IP address. Getting IP addresses is a common behavior for malware - in the case of ransomware, it’s used as another scare tactic.

How did ransomware get on my PC?

Ransomware, like other malware, can arrive in a variety of ways. However, in most instances it is automatically downloaded when you visit a malicious website or a website that's been hacked.

How do I regain access to my computer or files?

Ransomware have different behaviors and have to be removed in different ways. There is more help on removing an infection below.

How do I protect myself against ransomware?

Despite its threatening nature, ransomware is still a type of malware. We recommend the same tips to help keep any malware out of your PC:

• Install and use an up-to-date antivirus solution (such as Microsoft Security Essentials)
• Make sure your software is up-to-date (here's a short list of common software)
• Don't click on links or open attachments from untrusted sources

Some ransomware may leave your PC or files in an unusable state. We recommend you regularly backup your important files. You can do this with a cloud storage service such as Skydrive, which is now fully integrated into Windows 8 and Microsoft Office.

How do I remove a ransomware infection from my PC?

The following two methods might help you remove a ransomware infection from your PC.

• Method 1: Use the Microsoft Safety Scanner
  Before you begin, you will need to have access to a PC that is not infected and is connected to the Internet so that you can download a copy of the Microsoft Safety Scanner.
  Try to restart your computer in safe mode. Here's how:
  
  • In Windows 8
  • In Windows 7
  • In Windows Vista
  • In Windows XP
  If you can’t restart your PC in safe mode, run the Microsoft Safety Scanner and restart your PC afterwards.
  If this resolves your ransomware infection, there are a few steps you should take once your PC has been cleaned.
  If this does not resolve your ransomware infection, follow Method 2.

• Method 2: Use Windows Defender Offline
  If you’ve tried the Microsoft Safety Scanner and uninstalling then reinstalling your antimalware software and you’re still having an issue, we recommend you download and run Windows Defender Offline.
  Windows Defender Offline is a standalone tool with the latest antimalware updates from Microsoft.
  It’s not a replacement for a full antivirus or antimalware solution that provides ongoing protection. It’s meant to be used when you can’t start or scan your PC because a malware infection is stopping your security software from working.
  Before you begin you will need:
  
  • A PC that is not infected and is connected to the Internet. You will use this PC to download a copy of Windows Defender Offline.
  • A blank CD, DVD or USB flash drive - use this to run the tool on your infected PC.
  Follow these steps to use Windows Defender Offline:
  
  1. Use an uninfected PC to download a copy of the tool from here: Windows Defender Offline
     Make sure you download the right version for your PC. For example, your desktop PC has been infected with malware. It is running a 64-bit version of Windows. Your friend's laptop, however, is not infected, and so you use that to download Windows Defender Offline. Your friend's laptop is running a 32-bit version of Windows, so when you download the tool you choose the 64-bit version because that is the version that matches your desktop PC.
  2. Install the tool on a blank CD, DVD, or USB flash drive.
  3. Insert the CD, DVD, or USB flash drive into your infected PC and run the tool.
  4. Let the tool clean your PC and remove any infections it finds.

After running the tool, make sure your antimalware software is up-to-date. You can update Microsoft security software by downloading the latest definitions.
For detailed instructions on using Windows Defender Offline, see the Microsoft Security Blog post Microsoft's Free Security Tools - Windows Defender Offline.

Steps you can take once your PC has been cleaned

• If you’re running Windows 8, your PC comes with Windows Defender built in. Windows Defender helps guard your PC against viruses, spyware, and other malicious software in real time.
• If you’re running Windows 7 or Windows Vista, install security software, such as Microsoft Security Essentials or other security software that provides a complete, real-time antimalware solution.
• Keep your antimalware software up-to-date by making sure you have the latest definitions