Ransomware is one of the most damaging forms of malware in existence. It encrypts your files and demands payment — often in cryptocurrency — before attackers claim they will restore access. If your Windows computer has been infected, acting quickly and correctly can make the difference between a full recovery and permanent data loss. This guide walks you through exactly how to remove ransomware from Windows and secure your system against future attacks.
The moment you suspect a ransomware infection, disconnect your computer from the internet and any local network. Ransomware can spread laterally across shared drives and connected devices. Unplug your Ethernet cable and disable Wi-Fi from the taskbar. If your PC is part of a business network, notify your IT department right away. Isolation prevents the malware from communicating with its command-and-control server, which may also halt the encryption process if it hasn't fully completed.
Before attempting removal, identify which ransomware variant you're dealing with. Different strains — such as LockBit, WannaCry, STOP/Djvu, or Ryuk — behave differently and may have known decryption tools available. Upload a ransom note or a sample encrypted file to a free identification service like ID Ransomware (nomoreransom.org) to pinpoint the exact variant. This step is critical because using the wrong decryption tool can further corrupt your files.
To remove ransomware from Windows effectively, you need to prevent it from running in the background during cleanup. Restart your PC and boot into Safe Mode with Networking by pressing F8 during startup (or holding Shift while clicking Restart on Windows 10/11, then navigating to Troubleshoot > Advanced Options > Startup Settings).
Once in Safe Mode, run a full system scan using a reputable security tool. Webroot antivirus is an excellent choice here — it uses cloud-based threat intelligence to detect and quarantine active ransomware processes without relying solely on outdated signature databases. Its lightweight agent won't slow your recovery process. After Webroot installation completes, run a deep scan and allow it to remove all flagged threats before proceeding.
Ransomware rarely arrives alone. Many infections include trojans, keyloggers, or backdoors that remain active even after the primary ransomware payload is removed. After your initial scan, use the following steps to verify your system is clean:
Use the Windows Registry Editor (regedit) cautiously to look for persistence keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but only remove entries you can positively identify as malicious.
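A read-only way to list the Run entries mentioned above for manual review, written as an added example (not part of the original guide or any vendor tool). It goes beyond the single HKCU Run key named above to also read RunOnce and the HKLM equivalents; the helper name Get-CommandExecutable and the "user-writable location" heuristic are assumptions made for this illustration.

```powershell
# Added example: read-only triage of Run/RunOnce autostart entries.
# Nothing is modified or deleted; the Review column is a hint for manual checking, not a verdict.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: autostart programs living in user-writable folders deserve a closer look.
$writablePattern = '\\(AppData|Temp|ProgramData|Users\\Public)\\'

function Get-CommandExecutable {   # hypothetical helper: extract the program path from a command line
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }                           # quoted path
    if ($cmd -match '^(.+?\.(exe|com|scr|bat|cmd))(\s|$)') { return $Matches[1] }  # unquoted, may contain spaces
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $exe     = Get-CommandExecutable $command
        # Bare names such as "rundll32" are resolved through PATH before checking the file.
        if ($exe -and $exe -notmatch '^[A-Za-z]:\\|^\\\\') {
            $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                     Select-Object -First 1
            if ($found) { $exe = $found.Path }
        }
        $exists  = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig     = if ($exists) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }
        $reasons = @()
        if (-not $exists)                      { $reasons += 'target not found' }
        if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        if ($exe -match $writablePattern)      { $reasons += 'user-writable location' }
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Review  = $reasons -join '; '
        }
    }
}
# Entries with something to review are listed first.
$report | Sort-Object { -not $_.Review } | Format-List
```

An empty Review field does not prove an entry is benign, and a non-empty one does not prove it is malicious; legitimate software is often unsigned or installed under AppData.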
Once the ransomware is fully removed, focus on recovering your data. Try these methods in order:
vssadmin list shadows. If ransomware didn't delete shadow copies, you can restore previous versions of files.
Removing ransomware from Windows is only half the job. Preventing reinfection requires a layered cybersecurity strategy:
If the ransomware has encrypted critical business data, spread across a network, or you're unsure whether the system is fully clean, contact a professional incident response team. Attempting DIY recovery on a compromised enterprise environment can destroy forensic evidence and worsen the damage. Many cybersecurity firms offer emergency ransomware response services. For home users, your internet security software provider's support line is a good first call — Webroot, for example, offers guided remediation support as part of its protection plans.
Ransomware is a serious threat, but with the right tools, a calm approach, and strong preventive habits, you can recover your system and significantly reduce your risk of becoming a repeat victim.
Disclosure: Some links on this page are affiliate links. We may earn a commission if you make a purchase through these links, at no additional cost to you.