How to Remove Ransomware Without Paying

It is the worst feeling in the world. You turn on your computer, and instead of your desktop, you see a red screen with a countdown timer.

“Your files are encrypted. Pay $500 in Bitcoin to get the key.”

Your heart sinks. Your photos, your work, your documents all locked with a weird file extension like .locked or .crypz.

First Rule: Do NOT pay the ransom. There is zero guarantee they will give you the key (they are criminals, after all). Plus, paying marks you as a “sucker” who will pay again.

If you are reading this on your phone because your PC is infected, take a deep breath. Here is the step-by-step procedure to remove the infection and attempt to recover your data safely.

Step 1: The “Emergency Brake” (Disconnect Immediately)

Ransomware is designed to spread. It looks for other computers on your Wi-Fi, your connected hard drives, and your cloud storage (Dropbox/OneDrive).

Action:

Pull the Ethernet cable out of your PC immediately.
Turn off Wi-Fi.
Unplug any USB drives or external hard drives right now. If you leave them plugged in, they will get encrypted too.

Do not shut down the PC yet unless you see the hard drive light blinking furiously. Sometimes, shutting down can corrupt the encryption process, making files permanently unrecoverable.

Step 2: Enter “Safe Mode with Networking”

You cannot fight the virus while Windows is running normally the virus is likely defending itself. You need to enter Safe Mode.

Restart your computer.
While it boots, hold Shift and click Restart (on the login screen).
Go to Troubleshoot > Advanced Options > Startup Settings > Restart.
Press 5 or F5 for Safe Mode with Networking.

[Insert Screenshot: The Windows Blue Screen ‘Startup Settings’ menu]

Step 3: Remove the Infection (The Clean Up)

Note: This step removes the virus so it can’t do more damage. It does NOT unlock your files yet.

Do not try to find the virus file manually. Ransomware hides deep in the System folders. Use a professional tool.

Download Malwarebytes or HitmanPro (use a USB drive from a clean computer if you can’t download on the infected one).
Run a Full Scan.
Quarantine everything it finds.

Step 4: The Recovery (Can You Get Files Back?)

Now that the virus is gone, you still have locked files. Here are your three options, from best to worst.

Option A: The Backup (The Only 100% Fix) If you have an external hard drive (that wasn’t plugged in) or a Cloud Backup (Google Drive/OneDrive) with “Version History,” you are saved.

Wipe your computer completely, reinstall Windows, and restore from backup. It is the only way to be 100% safe.

Option B: The “No More Ransom” Project (The Decryptors) Security companies (like Kaspersky, McAfee, and Europol) sometimes find “Master Keys” for specific ransomware.

Go to NoMoreRansom.org.
Use their “Crypto Sheriff” tool: Upload one of your encrypted files.
It will tell you exactly which Ransomware hit you (e.g., “GandCrab v5”).
If a Free Decryptor exists, they will give you the download link.

Warning: If they say “No solution available yet,” do NOT download random tools from Google. Those are often scams.

[Insert Screenshot: The ‘Crypto Sheriff’ upload page on NoMoreRansom]

Option C: Shadow Explorer (The Hail Mary) Sometimes, lazy ransomware forgets to delete Windows’ built-in “Shadow Copies” (automatic backups).

Download a free tool called Shadow Explorer.
Run it and look for a date before the infection.
If you see your files, right-click and Export them to a safe folder.

Step 5: The Hard Truth

If you don’t have backups, and NoMoreRansom doesn’t have a key, your files might be gone for now.

Do not delete the encrypted files. Back them up to a flash drive and wait.
Sometimes, researchers crack the code 6 months or a year later. You might get your data back in 2027.