Recovering from Screen-Locking Ransomware

Screen-locking ransomware holds your computer hostage by blocking your access to the operating system. When you turn the computer on all you can see is a ransom note or a message claiming to be from an official source such as the FBI. The note will ask for payment in order for you to be able to use your computer again. 

There is a good chance that this infection happened when you visited a malicious website, clicked a malicious link or opened an infected attachment. 

Screen-locking ransomware - Do this First!

Before we start trying to remove the ransomware and give you back access to your files it is important to do the following:

  1. Disconnect your device from all other devices and the internet to stop the infection spreading any further. Unplug all other devices such as external hard drives and USBs. Disconnect from the wireless or wired internet connection.

  2. Use a camera or a smartphone to take a picture of the ransom note. This will make sure you have a copy should you have any issues further down the line and help reporting the crime to the police.

Am I going to get my data back? 

Screen-locking ransomware is one of the least effective forms of ransomware. It is common that victims can remove the infection and recover their files. The cyber criminals are trying to scare you into paying the ransom and hoping they come across people who do not know how to get back to normal without paying the ransom. 

By following the steps below you have a good chance of getting your computer and data back. 

Should I Pay the Ransom? 

Our advice is not to pay the ransom, but this is a tricky area. Paying the ransom funds the criminals and perpetuates ransomware as a form of cyber attack. There is also no guarantee that you will receive the information you need to decrypt your files (if the files have actually been encrypted, which doesn’t always happen with screen-locking ransomware) and once a criminal knows you are good for money you become a future target. 

As there is a good chance of getting back to normal with screen-locking ransomware, it is best to focus on following the steps below before you consider payment. For more information on paying a ransom see our advice here

Approaches to Removing Screen-Locking Ransomware

Depending on the type of ransomware you have there are a number of different ways to try and get your files decrypted. Follow the steps below and stop once you have recovered your files. If you don’t feel confident performing the steps below get help from someone with more IT experience.

Note that removing the ransomware will not decrypt the files and once you remove the ransomware you may remove the ability to pay the ransom and recover your files. Only remove the ransomware if you are confident you can get your files back or you are determined not to pay the ransom.

  1. Restart your computer in Safe Mode and remove the virus with an anti-virus solution - Safe Mode only allows trusted software and processes to run on the computer. This means that malware will not be able to operate. Once in safe mode you can download an anti-virus tool (or use if you already one) to remove the malware.

  2. Try the System Restore feature - many Windows computers will allow you to use the System Restore feature to return to the last known good state. The Microsoft guide on System Restore can be found here. If you can't reach the recovery screens but you have the installation disk or USB stick for that version of Windows, reboot from that and select Repair Your Computer instead of installing the operating system.

If you are not able to remove the infection with these steps, try some of the additional steps here

Report the Crime

If you are in England, Wales or Northern Ireland you should report all cyber crime to Action Fraud. In Scotland, you can see details of reporting to Police Scotland here.

How Do I Avoid being infected with screen-locking ransomware again?

  1. Back-Up – having a back-up copy of your files is the best way to beat ransomware. Get an external hard drive and do a regular back-up of your device. Make sure you disconnect the external drive after use to make sure it doesn’t get infected too. It is also worth using a cloud service that automatically backs-up your files.

  2. Use a good antivirus solution – this will stop the majority of old versions of ransomware and give you an option to remove quickly if new ransomware gets through.

  3. Do your updates ASAP – when software updates are available do them as quickly as possible. If possible turn on automatic updates. The majority of these updates include security fixes that may stop or limit ransomware.

  4. Trust no one – be extremely careful about clicking links or opening attachments in your email or any other messaging platform. Legitimate email accounts can be hacked and used to send malicious messages and emails can be designed to look exactly like they are from your bank, shop, account etc. Get Safe Online has a good overview of email security here.


To help people like you we rely 100% on donations from people like you.

Without donations we cannot keep our service free and provide help to the most vulnerable victims of cyber crime when they need it most. As a not-for-profit organisation, 100% of your donation goes towards keeping The Cyber Helpline up and running - so 100% goes towards helping people like you. Donate now and help us support victims of cyber crime. 

To help people like you we rely 100% on donations from people like you.