How to Identify If Ransomware Infected Your Computer

September 13, 2020 • Shannon Flynn


Knowing how to identify ransomware could save your computer and your data. Ransomware is a kind of virus that locks your files using encryption, then demands payment in exchange for access to your data.

These viruses have been around for a while. However, ransomware attacks have become much more common over the past few years. While most ransomware attacks go after large organizations, they sometimes target individuals, too.

It’s possible to remove the ransomware and get access to your files without paying the ransom. To do this, however, you’ll first need to identify the ransomware targeting your system.

How Does Ransomware Work?

Encryption algorithms work by encoding the data in a file or message so that it can only be read by people who have the key needed to decode it. Typically, people use these encryption algorithms to secure data so that only certain parties can read it.

However, it’s also possible for a malicious program to use encryption to effectively lock you out of your own files.

Ransomware programs will usually claim to have the key needed to decrypt these files. Not every ransomware program will decrypt files when you pay up, however. Some viruses are also buggy, and may even delete data after the ransom is paid.

This is why most organizations recommend that you not pay the ransom and find other ways to regain access to your files.

How Can I Identify Ransomware?

Typically, you’ll know if ransomware has infected your system. Ransomware, because its creator wants to get paid, will almost always announce itself. Most viruses do this by automatically pulling up a file called a ransom note. This note tells you that your files have been locked and will include instructions on how to pay the ransom.

You may also first notice that your files have been encrypted, either because they’re unusable or have a strange filename. Ransomware often changes the extension or adds a prefix, like “Lock.”, to the front of encrypted files.

If ransomware has infected your computer, you should be able to remove it from your system with most modern antivirus software. Windows Defender, Malwarebytes or any popular antivirus software should work.

Removing the ransomware won’t decrypt your files, however. Because each variant of ransomware may encrypt files differently, it’s important to know which virus you’re up against. This will give you the best chance of finding resources to decrypt your files.

There are a few ransomware ID tools available on the internet. For example, you can use the ID Ransomware tool from MalwareHunterTeam and the Bitdefender Ransomware Recognition tool. These tools also sometimes link to decryption tools that you can use once you’ve removed the ransomware from your system.

However, these tools aren’t guaranteed to work every time. You may also need to use the symptoms of your virus — like the ransom note’s appearance or extension on locked files — to ID the malware using a ransomware list.

For example, both Avast and Comodo maintain lists of ransomware variants that include the file extensions these viruses use. Avast’s list also contains relevant decryption tools.
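To look a variant up in one of these lists, you first need the symptoms written down. The Python script below is an added example, not part of the original article: it walks a folder without changing anything and reports appended extensions, filename prefixes, and note-like files that repeat across folders. The function names, the list of everyday file types, the note formats, the 7.5 entropy threshold, and the sample file names (including ".constructedext") are assumptions made up for this illustration.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

# Assumption: a short list of everyday file types; extend it for your own data.
KNOWN_EXTS = {".doc", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip"}
NOTE_EXTS = {".txt", ".html", ".hta"}  # assumption: common ransom-note formats

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def collect_symptoms(root, min_dirs=2):
    """Walk root read-only and gather the details ransomware ID lists ask for."""
    appended, prefixes, note_dirs, scrambled = Counter(), Counter(), {}, 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            sfx = [s.lower() for s in path.suffixes]
            # report.docx.<new>: an unfamiliar extension added after a known one
            if len(sfx) >= 2 and sfx[-2] in KNOWN_EXTS and sfx[-1] not in KNOWN_EXTS:
                appended[sfx[-1]] += 1
                with open(path, "rb") as fh:  # sample the first 64 KiB only
                    scrambled += entropy(fh.read(65536)) > 7.5
            # <new>.report.docx: a token added in front of a normal file name
            elif len(sfx) >= 2 and sfx[-1] in KNOWN_EXTS:
                prefixes[name.split(".", 1)[0] + "."] += 1
            # the same note-like file name repeated across folders
            if sfx and sfx[-1] in NOTE_EXTS:
                note_dirs.setdefault(name, set()).add(dirpath)
    notes = sorted(n for n, dirs in note_dirs.items() if len(dirs) >= min_dirs)
    return {"appended_extensions": dict(appended), "prefixes": dict(prefixes),
            "note_candidates": notes, "high_entropy_files": scrambled}

def build_constructed_sample(root):
    """Constructed test data only: harmless files that imitate the symptoms."""
    for folder in ("docs", "photos"):
        d = Path(root, folder)
        d.mkdir()
        (d / "budget.xlsx.constructedext").write_bytes(os.urandom(4096))
        (d / f"Lock.{folder}.pdf").write_bytes(os.urandom(4096))
        (d / "HOW_TO_RECOVER_CONSTRUCTED.txt").write_text("constructed note")
    Path(root, "docs", "todo.txt").write_text("ordinary file")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(collect_symptoms(tmp))
```

The prefix count will also pick up ordinary files with dots in their names, so look for the one prefix or extension that dominates the results rather than treating every entry as a symptom.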

Identifying Ransomware on Your System

Ransomware, because it locks up your files, can be a serious problem. Once you remove the ransomware from your system, you will still need to ID the particular variant that infected your computer. Otherwise, if a system restore point or backup isn’t available, you won’t be able to find the tools necessary to decrypt your files.

There are a few different ransomware ID tools and lists available online. With the right information — like the extension on locked files — you can use these resources to know which variant is on your system.