How to Remove Ransomware From Your Windows PC

Published: January 28, 2026  |  webrootsafe.com  |  Cybersecurity & Malware Protection

Ransomware is one of the most damaging forms of malware in existence. It encrypts your files and demands payment — often in cryptocurrency — before attackers claim they will restore access. If your Windows computer has been infected, acting quickly and correctly can make the difference between a full recovery and permanent data loss. This guide walks you through exactly how to remove ransomware from Windows and secure your system against future attacks.

Step 1: Disconnect From the Network Immediately

The moment you suspect a ransomware infection, disconnect your computer from the internet and any local network. Ransomware can spread laterally across shared drives and connected devices. Unplug your Ethernet cable and disable Wi-Fi from the taskbar. If your PC is part of a business network, notify your IT department right away. Isolation prevents the malware from communicating with its command-and-control server, which may also halt the encryption process if it hasn't fully completed.

⚠ Do Not Pay the Ransom
Paying does not guarantee file recovery. It funds criminal operations and marks you as a willing target for future attacks. Explore all technical recovery options first.

Step 2: Identify the Ransomware Strain

Before attempting removal, identify which ransomware variant you're dealing with. Different strains — such as LockBit, WannaCry, STOP/Djvu, or Ryuk — behave differently and may have known decryption tools available. Upload a ransom note or a sample encrypted file to a free identification service like ID Ransomware (nomoreransom.org) to pinpoint the exact variant. This step is critical because using the wrong decryption tool can further corrupt your files.

Step 3: Boot Into Safe Mode and Run a Full Scan

To remove ransomware from Windows effectively, you need to prevent it from running in the background during cleanup. Restart your PC and boot into Safe Mode with Networking by pressing F8 during startup (or holding Shift while clicking Restart on Windows 10/11, then navigating to Troubleshoot > Advanced Options > Startup Settings).

Once in Safe Mode, run a full system scan using a reputable security tool. Webroot antivirus is an excellent choice here — it uses cloud-based threat intelligence to detect and quarantine active ransomware processes without relying solely on outdated signature databases. Its lightweight agent won't slow your recovery process. After Webroot installation completes, run a deep scan and allow it to remove all flagged threats before proceeding.

✔ Pro Tip: If your primary antivirus was disabled by the ransomware, use a secondary offline scanner such as Windows Defender Offline or Malwarebytes in conjunction with Webroot for a thorough sweep.

Step 4: Check for and Remove Residual Malware

Ransomware rarely arrives alone. Many infections include trojans, keyloggers, or backdoors that remain active even after the primary ransomware payload is removed. After your initial scan, use the following steps to verify your system is clean:

Use the Windows Registry Editor (regedit) cautiously to look for persistence keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but only remove entries you can positively identify as malicious.
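
A read-only way to review those entries before opening regedit, as an added example that is not part of the original article: this PowerShell script lists each autostart value, resolves the program it launches, and reports its Authenticode signature status. It goes beyond the single HKCU key named above by also reading RunOnce and the HKLM equivalents; the "user-writable path" heuristic and the PathNotResolved label are assumptions of this example.

```powershell
# Added example: read-only review of Run/RunOnce autostart entries.
# Nothing is deleted; the output is a list of entries to investigate.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath([string]$Command) {
    # Expand %VARS%, then pull the program path out of the command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted form: "C:\path with spaces\app.exe" /args
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: stop at the first executable-like extension.
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|dll|scr))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $path    = Get-ExecutablePath $command
        $exists  = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
        # Bare names such as rundll32.exe are not searched on PATH here.
        $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
               else { 'PathNotResolved' }
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $command
            Signature    = $sig
            # Heuristic (assumption): autostarts from user-writable folders deserve a closer look.
            UserWritable = $path -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
        }
    }
}
$report | Sort-Object UserWritable, Signature -Descending | Format-List
```

An unsigned binary or a user-writable path is a reason to investigate the entry, not proof that it is malicious; plenty of legitimate software installs under AppData.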

Step 5: Attempt File Recovery

Once the ransomware is fully removed, focus on recovering your data. Try these methods in order:

  1. Check backups: Restore from a clean backup stored on an external drive or cloud service that was not connected during the attack.
  2. Shadow Copies: Open a Command Prompt as administrator and run vssadmin list shadows. If ransomware didn't delete shadow copies, you can restore previous versions of files.
  3. No More Ransom Project: Visit nomoreransom.org — law enforcement agencies and security firms regularly publish free decryptors for known ransomware families.
  4. Professional data recovery: If encryption is complete and no decryptor exists, a specialist firm may be able to recover partial data from disk sectors.
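
For the shadow-copy method, it helps to know which snapshots were taken before encryption began. The following PowerShell script is an added example, not part of the original article: it estimates the start of encryption from the earliest encrypted file and marks the shadow copies that predate it. The search folder and the `.EXAMPLE_EXT` extension are placeholders to replace with your own values.

```powershell
# Added example: find shadow copies that predate the first encrypted file.
# Run from an elevated PowerShell prompt. Read-only; nothing is restored or changed.
$SearchRoot = "$env:USERPROFILE\Documents"   # assumption: a folder containing encrypted files
$RansomExt  = '.EXAMPLE_EXT'                 # placeholder: extension appended by the ransomware

# The earliest write time among encrypted files approximates when encryption began.
# Treat it as an estimate: file timestamps can be altered.
$firstHit = Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $RansomExt } |
    Sort-Object LastWriteTime |
    Select-Object -First 1

if (-not $firstHit) {
    Write-Warning "No *$RansomExt files found under $SearchRoot"
    return
}
$cutoff = $firstHit.LastWriteTime
"Earliest encrypted file: $($firstHit.FullName) at $cutoff"

# Win32_ShadowCopy exposes the same snapshots that 'vssadmin list shadows' prints.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) {
    Write-Warning 'No shadow copies exist on this system.'
    return
}

$shadows |
    Select-Object ID, VolumeName, InstallDate, DeviceObject,
        @{ Name = 'PredatesEncryption'; Expression = { $_.InstallDate -lt $cutoff } } |
    Format-Table -AutoSize
```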

Step 6: Harden Your System Against Future Attacks

Removing ransomware from Windows is only half the job. Preventing reinfection requires a layered cybersecurity strategy:

When to Seek Professional Help

If the ransomware has encrypted critical business data, spread across a network, or you're unsure whether the system is fully clean, contact a professional incident response team. Attempting DIY recovery on a compromised enterprise environment can destroy forensic evidence and worsen the damage. Many cybersecurity firms offer emergency ransomware response services. For home users, your internet security software provider's support line is a good first call — Webroot, for example, offers guided remediation support as part of its protection plans.

Ransomware is a serious threat, but with the right tools, a calm approach, and strong preventive habits, you can recover your system and significantly reduce your risk of becoming a repeat victim.
