We see this call come in several times a week. Someone opens an email attachment, clicks a dodgy link, or downloads what they thought was a legitimate app. Then their entire drive locks up with a ransom demand. Panic sets in. Your instinct is to pay, but hold on. There are solid ways to remove ransomware from Windows 11 without handing over cash to criminals, and you don't need a degree in IT to do it.
TL;DR
Disconnect from the network immediately, boot into Safe Mode, run anti-malware (Malwarebytes or Defender), identify the ransomware variant using ID Ransomware, search for free decryption tools via the No More Ransom project, or restore from a backup. Payment doesn't guarantee file recovery and funds criminal operations. Prevention through backups, security updates, and email caution beats recovery every time.
Key Takeaways
- Ransomware spread can be stopped by isolating the system immediately from your network
- Safe Mode prevents most ransomware payloads from executing during boot
- Malwarebytes and Windows Defender can remove the malware, but not decrypt already-locked files
- The No More Ransom project offers free decryption for hundreds of known ransomware strains
- File recovery depends entirely on having a backup created before the infection date
- Never pay the ransom; it doesn't guarantee recovery and finances criminal networks
At a Glance
- Difficulty: Advanced
- Time Required: 45 mins
- Success Rate: 92% (if backup exists); 8% (if public decryption key available)
What Causes Ransomware on Windows 11?
Ransomware doesn't just appear. It gets onto your system through specific attack vectors, and understanding which one hit you helps decide your recovery strategy. The most common culprits come through email, compromised credentials, or outdated software.
Email attachments are the biggest single vector. A Word document with macros enabled, a PDF with embedded exploit code, or a ZIP file containing an executable arrives in your inbox. It looks legit because the attacker spoofed a company name or invoice address, or created an urgent-sounding subject line ("Urgent Payment Required" or "Delivery Failure Notification"). You open it, the macro runs, malware downloads in the background, and by the time you notice, your files are locked.
The second major route is compromised Remote Desktop Protocol (RDP) credentials. If you've got RDP enabled on port 3389 (the default), attackers run automated password-spray attacks against it. Once they get in, they install ransomware and execute it directly. Weak passwords like "Password123" or "Admin2024" fall in seconds. This is especially risky for small businesses that expose RDP to the internet without a VPN layer.
Unpatched software vulnerabilities come in third. Java, Adobe Reader, browser plugins, and older versions of Windows itself have known holes. Attackers host exploit kits on compromised or malicious websites. You visit the site (often through a legitimate-looking link or malvertising), the browser plugin gets exploited silently, and malware downloads. You see nothing, but ransomware is now running.
Less common but still dangerous: peer-to-peer networks, cracked software sites, and USB autorun. These days, USB autorun is disabled by default on Windows 11, but it's still a vector if you manually open a folder on a dodgy USB drive.
Immediate Actions: Stop the Spread Before Removing Ransomware from Windows 11
The moment you notice files are encrypted or see a ransom screen, speed matters. You have maybe 5 to 10 minutes before the ransomware finishes spreading to network shares or cloud sync folders.
Disconnect from the Network Immediately (Easy)
- If wired (Ethernet): Unplug the cable from the back of your PC or the wall socket. Do not rely on disabling it in software; physically disconnect it.
- If wireless (WiFi): Press the physical WiFi button on your laptop (usually Fn + WiFi icon), or go to Settings > Network & Internet > WiFi and toggle it off.
- Disable Bluetooth: If your device has Bluetooth, turn it off too. Some ransomware variants spread via Bluetooth to nearby phones or tablets.
- Wait 30 seconds. This ensures the network adapter fully disconnects and any pending network calls from the malware are cancelled.
Why this matters: Modern ransomware doesn't just encrypt your local drive. It looks for network shares, mapped drives, cloud storage folders, and even other PCs on your home or office network. If you leave the network connected, by the time you finish reading this sentence, it's already encrypted files on your NAS, your backup drive (if it's networked), and maybe your spouse's laptop. Disconnecting first is non-negotiable.
Once the network is cut, the malware is essentially blind. It can encrypt what's on your local drive and USB devices, but it can't spread. That's your window of opportunity.
Boot into Safe Mode to Prevent Ransomware Execution
The second critical step is to restart your PC in Safe Mode with Networking. In Safe Mode, Windows loads only essential drivers and services. Most ransomware runs with standard user privileges and needs additional services to function. Safe Mode cuts off those dependencies, which often prevents the ransomware executable from running at all during startup.
Enter Safe Mode with Networking (Easy)
- Open the Start menu, type "msconfig", and press Enter. The System Configuration window opens.
- Click the "Boot" tab. You'll see a list of boot options.
- Under "Boot Options", check the box next to "Safe boot". Then select the radio button for "Network" (not "Minimal" or "Shell").
- Click "OK" and choose "Restart" when prompted. Your PC will restart into Safe Mode.
- When Windows boots, you'll see "Safe Mode" in the bottom-right corner of the desktop. This confirms you're in the right mode.
- After your scans are complete and you're ready to boot normally, repeat steps 1-3 but uncheck "Safe boot" and click OK. Restart again to return to normal mode.
Some older ransomware strains (like Petya or WannaCry) used to run at the kernel level and could execute in Safe Mode anyway. Most modern ransomware runs in user mode, so Safe Mode works. It's not foolproof, but it dramatically reduces the risk of additional encryption happening during your scan.
One tip: Don't log into your Microsoft account or any cloud services while in Safe Mode. Some variants use cloud sync to spread. Stick with local scanning only.
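The same Safe Mode change from an elevated PowerShell prompt, as an added example that is not part of the original article: msconfig's "Safe boot" checkbox writes a `safeboot` value to the current boot entry, which `bcdedit` can set, clear and read directly. The function names are this example's own; `bcdedit` and the `SafeBoot\Option` registry key are Windows'.

```powershell
# Added example: the msconfig "Safe boot" / "Network" steps done with bcdedit.
# Run from an elevated (Administrator) PowerShell prompt. Function names are
# this example's own, not Windows cmdlets.

function Enter-SafeModeWithNetworking {
    # Same effect as ticking "Safe boot" and "Network" in msconfig > Boot.
    # The braces must be quoted, or PowerShell parses {current} as a script block.
    bcdedit /set '{current}' safeboot network | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed: run this from an elevated prompt.' }
    Write-Host 'Safe boot (network) set for the next restart. Reboot with: shutdown /r /t 0'
}

function Exit-SafeMode {
    # Same effect as unticking "Safe boot" (step 6 above). Reboot afterwards.
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed: run this from an elevated prompt.' }
    Write-Host 'Safe boot cleared. Reboot with: shutdown /r /t 0'
}

function Get-SafeBootSetting {
    # Reads the current boot entry so you can confirm the change before rebooting.
    $entry = (bcdedit /enum '{current}') -join "`n"
    if ($entry -match 'safeboot\s+(\w+)') { "safeboot = $($Matches[1])" } else { 'safeboot not set' }
}

function Test-RunningInSafeMode {
    # While Windows is booted into Safe Mode this key exists; OptionValue 2 means
    # "Safe Mode with Networking", 1 means minimal. It is absent in a normal boot,
    # so this is the scripted equivalent of looking for "Safe Mode" on the desktop.
    $opt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' -ErrorAction SilentlyContinue
    if ($null -eq $opt) { return 'Normal boot' }
    switch ($opt.OptionValue) {
        1       { 'Safe Mode (minimal)' }
        2       { 'Safe Mode with Networking' }
        default { "Safe Mode (OptionValue $($opt.OptionValue))" }
    }
}

# Usage: Enter-SafeModeWithNetworking; Get-SafeBootSetting; then reboot.
# After the scans: Exit-SafeMode and reboot again.
```

Because `bcdedit` changes persist across reboots, forgetting `Exit-SafeMode` leaves the PC booting into Safe Mode every time, which is exactly what the "uncheck Safe boot" step in the list above guards against.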
Scan and Remove Ransomware with Anti-Malware Tools
Now that you're isolated and in Safe Mode, it's time to remove the ransomware executable itself. This is different from decryption. You're hunting down and deleting the malware process and associated files. Windows Defender can handle this, but dedicated anti-malware tools are more thorough.
According to independent benchmarks from AV-TEST Institute, which tests hundreds of malware samples monthly, dedicated anti-malware engines detect ransomware variants 8-15% more reliably than built-in security solutions. That margin matters when your files are at stake.
Run a Full Malwarebytes Scan (Medium)
- Download Malwarebytes from malwarebytes.com on another PC and transfer it via USB, or download it directly in Safe Mode if your internet is still working. (You can re-enable Ethernet for downloads, then disconnect again.)
- Install Malwarebytes and open it. Click "Scan" in the left menu.
- Select "Full Scan" (not Quick Scan). This scans every file on your disk, which takes 30 minutes to an hour but catches more threats.
- Click "Start Scan" and let it run completely. Do not interrupt it.
- When the scan finishes, review the detections. Malwarebytes will list all threats found. Click "Quarantine" to isolate them from your system.
- Restart your PC. Quarantine takes full effect after a restart.
If you'd rather skip the manual anti-malware route, Malwarebytes handles ransomware detection and removal in a couple of clicks. It's specifically tuned for ransomware and will catch variants that generic antivirus might miss. That said, Windows Defender can work as a backup if Malwarebytes isn't available.
After Malwarebytes finishes, run a Defender scan as well. These tools catch different signatures. Open Windows Security (search "Windows Security" in the Start menu), click "Virus & threat protection", then "Scan options". Choose "Full scan" and let it run.
One thing to note: these scans only remove the malware code. They can't decrypt your locked files. That's a separate process handled by decryption keys or file recovery.
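The Windows Defender full scan from the paragraph above, driven from PowerShell so it can be scripted and its findings reviewed after the fact. This is an added example, not code from the article; the `Get-Mp*`, `Update-MpSignature` and `Start-MpScan` cmdlets are Microsoft's built-in Defender cmdlets, and the two function names are this example's own.

```powershell
# Added example: the Windows Security "Full scan" step driven with the built-in
# Defender cmdlets, plus a look at what was caught. Function names are this
# example's own.

function Invoke-DefenderFullScan {
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        throw 'Defender antivirus is disabled; enable it in Windows Security first.'
    }

    # Signatures only update with network access; offline in Safe Mode this
    # simply fails quietly and the scan uses whatever definitions are present.
    Update-MpSignature -ErrorAction SilentlyContinue
    Write-Host "Signatures $($status.AntivirusSignatureVersion), last updated $($status.AntivirusSignatureLastUpdated)"

    # FullScan blocks until complete (1-3 hours on a large disk, as noted above).
    Start-MpScan -ScanType FullScan

    # Everything Defender has flagged on this machine, most recent first,
    # with the file paths involved so you can see where the malware lived.
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object InitialDetectionTime, ThreatID, ProcessName,
                      @{ n = 'Files'; e = { $_.Resources -join '; ' } }
}

function Get-DefenderThreatSummary {
    # Name and severity of each threat, and whether it is still active after
    # quarantine. Any entry with IsActive = True means a second pass is needed.
    Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive
}

# Usage:
# Invoke-DefenderFullScan | Format-Table -AutoSize -Wrap
# Get-DefenderThreatSummary
```

`Get-DefenderThreatSummary` is the check worth repeating after the restart the list above asks for: quarantine is only complete once nothing reports `IsActive = True`.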
Identify Your Ransomware Variant and Search for Decryption
Once your system is clean, the next step is figuring out which ransomware strain infected you. This determines whether a free decryption key exists. Some ransomware families have had their encryption cracked or keys leaked. Others haven't. This is where ID Ransomware comes in.
Use ID Ransomware to Identify Your Strain (Easy)
- On a clean (uninfected) PC, open a browser and go to id-ransomware.malwarebytes.com. This free service identifies ransomware based on ransom notes or encrypted files.
- Locate the ransom note file on your infected PC. It's usually called "README.txt", "INSTRUCTIONS.txt", or something with a .html extension, and it's typically on your desktop or in the folder with encrypted files.
- Upload the ransom note or one encrypted file to the ID Ransomware form. The site analyzes it and tells you the exact ransomware name and variant.
- Note the name and any decryption ID provided in the ransom note. This information helps you search for a matching decryption tool.
Once you have the name, visit the No More Ransom project (nomoreransom.org). It's a collaborative effort between law enforcement agencies, cybersecurity firms, and Europol. They host free decryption tools for hundreds of known ransomware strains. Search the database by ransomware name. If your variant is listed, download the matching decryption tool and follow the instructions.
The No More Ransom project typically has tools for older or obsolete ransomware families (Petya, WannaCry, BadRabbit, etc.). For newer variants released in the last 6 months, your chances of finding a free decryption tool are slim. In that case, file recovery depends on backups.
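Gathering the inputs ID Ransomware asks for (a ransom note and one encrypted file) and the extension the strain appended, by looking at what changed recently under the user profile. This is an added example, not part of the original article or the ID Ransomware service; the function names, the 48-hour window and the ransom-note name pattern are this example's own assumptions, and the entropy check is a plausibility test only, not a way to identify the strain.

```powershell
# Added example: collects what the ID Ransomware step needs by looking at
# recently modified files. Run on the infected PC after the scans above.

function Get-RansomwareTriage {
    param([string]$Root = $env:USERPROFILE, [int]$HoursBack = 48)
    $since = (Get-Date).AddHours(-$HoursBack)
    # Caveat: some strains preserve timestamps; if nothing shows up, widen
    # HoursBack or drop the LastWriteTime filter.
    $recent = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.LastWriteTime -ge $since }

    # Candidate ransom notes: small text/HTML files with the usual names.
    $notes = $recent | Where-Object {
        $_.Length -lt 200KB -and
        $_.Extension -match '^\.(txt|html?|hta)$' -and
        $_.Name -match '(?i)(readme|instruction|decrypt|recover|restore|how.?to|ransom|help)'
    }

    # Extension tally: the appended extension is the one with thousands of hits
    # that you have never seen before (.locked, .encrypted, or a random string).
    $exts = $recent | Group-Object Extension | Sort-Object Count -Descending |
            Select-Object -Property @{ n = 'Extension'; e = { $_.Name } }, Count -First 10
    $top = if ($exts) { $exts[0].Extension } else { $null }

    [pscustomobject]@{
        Window         = "modified since $since"
        RecentFiles    = @($recent).Count
        CandidateNotes = @($notes.FullName)
        TopExtensions  = $exts
        SampleFile     = ($recent | Where-Object Extension -eq $top | Select-Object -First 1).FullName
    }
}

function Get-ByteEntropy {
    # Shannon entropy (bits per byte) of the first 64 KB. Encrypted data sits
    # near 8.0. Plain text and uncompressed files sit well below, but compressed
    # formats (docx, jpg, zip) also run high, so use this only to confirm that a
    # chosen sample is genuinely scrambled before uploading it.
    param([string]$Path, [int]$SampleBytes = 65536)
    $buf = New-Object byte[] $SampleBytes
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    if ($n -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [math]::Log($p, 2) }
    }
    [math]::Round($h, 3)
}

# Usage:
# $t = Get-RansomwareTriage; $t.TopExtensions; $t.CandidateNotes
# Get-ByteEntropy $t.SampleFile    # close to 8.0 for an encrypted file
```

Copy `CandidateNotes` and `SampleFile` to a USB stick and upload them from the clean PC, as the list above describes; the appended extension from `TopExtensions` is also a useful search term on No More Ransom if the note itself is uninformative.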
Restore Files from Backup (Your Best Option)
Here's the honest truth: if your ransomware is recent and you don't have a backup, your files are likely gone unless you pay or a decryption tool miraculously appears. This is why backups matter more than anything else.
If you kept an external hard drive or NAS backup that you disconnected before the infection date, you can restore from that. The key phrase is "before the infection date". If your backup was still plugged in or connected to the network, the ransomware encrypted those files too.
Restore from Offline Backup (Medium)
- Connect your external backup drive to the infected PC (after anti-malware scans are complete and the system is confirmed clean). Do not connect it before scans finish, or the malware might encrypt the backup too.
- Open File Explorer and locate your backup files. Most backup software (Windows File History, Acronis, Macrium) stores backups in a folder like "Backups", "FileHistory", or the software's own directory.
- Copy the backup files back to your Documents, Photos, or other primary folders. For large backups, this may take hours. Let it finish uninterrupted.
- Verify the restored files by opening a few. Make sure they're not corrupted and that they're from before the infection date.
If you don't have an offline backup, some cloud storage services (OneDrive, Google Drive) maintain version history. If your files were synced to the cloud before encryption, you might recover older versions through the cloud provider's recovery tools. OneDrive, for example, lets you restore your entire OneDrive to a previous date if ransomware encrypted cloud-synced files. Log into your account online, go to Settings > Restore your OneDrive, and choose a date before the infection.
As a last resort, contact a professional data recovery company. They specialize in recovering encrypted or deleted files. It's expensive (often £1,500 to £5,000), but if the data is irreplaceable (family photos, business records), it might be worth exploring. However, recovery specialists cannot decrypt ransomware-encrypted files; they can only recover files from disk sectors if the original file metadata is still intact.
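A scripted version of the "before the infection date" check from the restore steps above, followed by the copy itself. This is an added example and not part of the article or of any backup product: the function names are this example's own, the infection date is whatever you established from the ransom note timestamps, and the encrypted-extension parameter is optional.

```powershell
# Added example: checks a backup set before copying it back, then restores it
# with robocopy. Function names are this example's own.

function Test-BackupSetClean {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][datetime]$InfectionDate,
        [string]$EncryptedExtension = ''      # e.g. '.locked', if you know it
    )
    $files = Get-ChildItem -Path $BackupRoot -Recurse -File -Force -ErrorAction SilentlyContinue

    # Anything written after the infection date, carrying the encrypted
    # extension, or looking like a ransom note means the drive was connected
    # during the attack and the set cannot be trusted.
    $afterInfection = @($files | Where-Object { $_.LastWriteTime -ge $InfectionDate })
    $encrypted = if ($EncryptedExtension) { @($files | Where-Object Extension -eq $EncryptedExtension) } else { @() }
    $notes = @($files | Where-Object {
        $_.Name -match '(?i)(readme|decrypt|recover|ransom)' -and $_.Extension -match '^\.(txt|html?|hta)$'
    })

    [pscustomobject]@{
        TotalFiles            = @($files).Count
        NewestFile            = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        WrittenAfterInfection = $afterInfection.Count
        EncryptedExtension    = $encrypted.Count
        RansomNotes           = @($notes.FullName)
        SafeToRestore         = ($afterInfection.Count -eq 0 -and $encrypted.Count -eq 0 -and $notes.Count -eq 0)
    }
}

function Restore-FromOfflineBackup {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][datetime]$InfectionDate,
        [string]$EncryptedExtension = ''
    )
    $check = Test-BackupSetClean -BackupRoot $BackupRoot -InfectionDate $InfectionDate -EncryptedExtension $EncryptedExtension
    if (-not $check.SafeToRestore) { throw "Backup set failed the clean check:`n$($check | Out-String)" }

    # /E copies subfolders, /COPY:DAT keeps data, attributes and timestamps,
    # /R:1 /W:1 avoids long retries on a damaged file, /LOG+ records what was restored.
    $log = Join-Path $env:TEMP 'restore.log'
    robocopy $BackupRoot $Destination /E /COPY:DAT /R:1 /W:1 "/LOG+:$log" /NP
    # robocopy exit codes 0-7 are success variants; 8 and above mean some files failed.
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures; see $log" }
    "Restored $BackupRoot -> $Destination (log: $log)"
}

# Usage:
# Test-BackupSetClean -BackupRoot 'E:\Backups' -InfectionDate '2024-05-14 09:00' -EncryptedExtension '.locked'
# Restore-FromOfflineBackup -BackupRoot 'E:\Backups' -Destination "$env:USERPROFILE\Documents" -InfectionDate '2024-05-14 09:00'
```

Run the check first with the drive attached read-only if your enclosure supports it; a backup that reports even one file written after the infection date should be treated as contaminated rather than partially restored.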
Advanced: Run Windows Defender Full Scan and System Restore
After you've removed the initial malware and identified your ransomware variant, run one more comprehensive scan using Windows Defender to ensure no remnants are left. Some advanced ransomware installs persistence mechanisms (scheduled tasks, registry modifications, startup folders) that can re-trigger the malware on reboot.
Windows Defender Full Scan and Persistence Check (Advanced)
- Open Windows Security. Press the Windows key, type "Windows Security", and hit Enter.
- Click "Virus & threat protection" on the left menu.
- Click "Scan options".
- Select "Full scan". This scans every file and folder on your system.
- Click "Scan now" and wait for completion. This takes 1-3 hours depending on disk size.
- After the scan, check Task Scheduler for persistence. Press Windows key + R, type "taskschd.msc", and hit Enter. Look for any unfamiliar scheduled tasks. Right-click suspicious ones and delete them.
- Check Startup folders. Press Windows key + R, type "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup", and hit Enter. Delete any .exe or .lnk files you don't recognise.
If Defender finds infections during this second scan, it means the first anti-malware pass missed something. Repeat the Malwarebytes full scan and Defender full scan once more. Sometimes multiple passes are needed for stubborn malware.
Another option for advanced users: System Restore. If you had a restore point created before the infection date, you can roll back your entire Windows installation to that point. This is nuclear-option territory (it reverts software installs, registry changes, driver updates), but it guarantees all malware is gone. Press Windows key + R, type "rstrui.exe", and hit Enter. Choose a restore point from before the infection date.
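A read-only sweep of the three persistence locations named in the section above (scheduled tasks, Run/RunOnce registry keys, and the Startup folders), which flags entries that launch from user-writable paths such as AppData, Temp or ProgramData, where dropped malware usually lives. This is an added example, not part of the original article; it removes nothing, and the function name and the "user-writable" heuristic are this example's own.

```powershell
# Added example: enumerates scheduled tasks, Run/RunOnce keys and Startup
# folders, and flags commands that launch from user-writable locations.
# Review the output by hand; nothing is deleted.

function Get-PersistenceCandidates {
    $userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC)

    function Test-UserWritable([string]$cmd) {
        # Expand %VAR% forms and strip a leading quote so "C:\Users\..." matches.
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd).TrimStart('"')
        foreach ($p in $userWritable) { if ($p -and $expanded -like "$p*") { return $true } }
        return $false
    }

    $items = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled tasks: every Exec action of every task, with its command line.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }      # COM-handler actions have no Execute
            $items.Add([pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($t.TaskPath)$($t.TaskName)"
                Command = "$($a.Execute) $($a.Arguments)".Trim()
                State   = "$($t.State)"
            })
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user.
    $runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }  # skip PSPath/PSParentPath metadata
            $items.Add([pscustomobject]@{ Source = 'Registry'; Name = "$k\$($p.Name)"; Command = "$($p.Value)"; State = '' })
        }
    }

    # 3. Startup folders (per-user and all-users); resolve .lnk shortcuts to their target.
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') {
                (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
            } else { $_.FullName }
            $items.Add([pscustomobject]@{ Source = 'StartupFolder'; Name = $_.FullName; Command = $target; State = '' })
        }
    }

    $items | ForEach-Object {
        $_ | Add-Member -NotePropertyName UserWritablePath -NotePropertyValue (Test-UserWritable $_.Command) -PassThru
    } | Sort-Object UserWritablePath -Descending
}

# Usage: Get-PersistenceCandidates | Format-Table -AutoSize -Wrap
```

Entries with `UserWritablePath = True` sort to the top. Check each against software you knowingly installed before deleting it in Task Scheduler, regedit or the Startup folder, and re-run the sweep after the reboot to confirm nothing recreated itself.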
Prevent Future Ransomware Infections on Windows 11
Recovery is painful. Prevention is free. Once your system is clean, lock it down so this never happens again. Here's where the real work starts.
Enable Windows Defender real-time protection permanently. Open Windows Security, go to "Virus & threat protection", and ensure "Real-time protection" is toggled ON (blue switch). This scans every file you download or execute in real time. It won't stop sophisticated zero-day exploits, but it stops 95% of known malware before it can run. As a reference check, AV-Comparatives independent tests consistently show Windows Defender catches 98%+ of malware samples.
Install security updates the day they release. Microsoft patches Windows every second Tuesday (Patch Tuesday). Set Windows Update to install automatically. Press Windows key + I to open Settings, go to "Update & Security" > "Windows Update", and click "Check for updates". Most ransomware exploits use known vulnerabilities; patching closes those doors.
If you use Remote Desktop (RDP), harden it aggressively. Change the default port from 3389 to something obscure (like 34891). Use a VPN to access RDP remotely instead of exposing it to the internet. Use strong passwords (16+ characters, mixed case, numbers, symbols). Better yet, disable RDP entirely if you don't actively use it. Open "Services" (Services.msc), find "Remote Desktop Services", right-click it, and click "Disable" if you don't need remote access.
Related: if you're dealing with ongoing network security issues, such as WiFi that keeps disconnecting, get that sorted. Unstable connectivity can prevent security updates from installing.
Block dangerous email attachments and enable macro warnings in Microsoft Office. Configure your email client to block .exe, .zip (with executables inside), .scr, and other dangerous file types. In Microsoft Office, go to File > Options > Trust Center > Trust Center Settings > Macro Settings and select "Disable all macros except digitally signed macros". This prevents malicious VBA code from running when you open a Word document.
Maintain offline backups disconnected from your network. Buy a USB external hard drive, connect it to your PC, and set up automatic backups using Windows File History (Settings > System > Storage > Advanced storage options > Backup options) or a tool like Macrium Reflect. Every week, unplug the backup drive and store it in a safe place (desk drawer, safe deposit box). This way, if ransomware hits, you can restore from a backup that was never exposed to the network.
Use a password manager with unique, strong passwords. Tools like Bitwarden, 1Password, or Dashlane generate 20+ character passwords for each account. Reusing passwords is a disaster; if one account is compromised, attackers try that password on RDP, email, and everything else. A password manager solves this in about 5 minutes of setup.
Keep your browser and plugins updated. Outdated Java, Adobe Reader, and older browsers are prime exploitation vectors. Open your browser settings, check for updates, and set them to auto-update. In Windows, periodically check Settings > Apps > Apps & features and update anything that looks outdated.
Be skeptical of email and links, especially from trusted-looking senders. A CEO requesting an urgent wire transfer, a payment processor asking you to verify your account, a delivery notice saying your package failed: these are classic social engineering tactics. Hover over links (don't click) to see the real URL. Call the supposed sender's main number to confirm they really sent the email. It takes 30 seconds and prevents a £50,000 disaster.
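An audit-then-apply script for the Defender, RDP and Office macro settings from the prevention paragraphs above. This is an added example, not code from the article: the function names are this example's own, while the Defender cmdlets, the `fDenyTSConnections` value, the "Remote Desktop" firewall rule group and the Office `VBAWarnings` value (3 = "Disable all macros except digitally signed macros", under the 16.0 hive used by Office 2016 and later) are Microsoft's. Run the report first from an elevated prompt, then apply.

```powershell
# Added example: audits, and optionally applies, the hardening from the
# prevention section. Run from an elevated prompt. Function names are this
# example's own.

function Get-RansomwarePosture {
    $mp    = Get-MpComputerStatus
    $pref  = Get-MpPreference
    $ts    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpFw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Where-Object Enabled -eq 'True'
    $vba   = (Get-ItemProperty 'HKCU:\Software\Microsoft\Office\16.0\Word\Security' -ErrorAction SilentlyContinue).VBAWarnings
    $macro = switch ($vba) {
        1       { 'enable all (dangerous)' }
        2       { 'disable with notification' }
        3       { 'disable except digitally signed' }
        4       { 'disable all' }
        default { 'not set (Office default: disable with notification)' }
    }
    [pscustomobject]@{
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        SignatureAgeDays       = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
        ControlledFolderAccess = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Audit' }[[int]$pref.EnableControlledFolderAccess]
        RdpListenerEnabled     = ($ts.fDenyTSConnections -eq 0)
        RdpServiceStartup      = (Get-Service TermService).StartType
        RdpFirewallRuleOpen    = [bool]$rdpFw
        WordMacroSetting       = $macro
    }
}

function Set-RansomwareHardening {
    param([switch]$DisableRdp)   # only when you have confirmed nobody needs remote access

    # Defender: real-time protection on, Controlled Folder Access on so that
    # unknown programs cannot rewrite Documents, Pictures and similar folders.
    # With Tamper Protection on, some Set-MpPreference changes are refused and
    # must be made in the Windows Security app instead.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -EnableControlledFolderAccess Enabled

    if ($DisableRdp) {
        # Disable the listener, stop and disable the service, close the firewall rule group.
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
        Stop-Service TermService -Force -ErrorAction SilentlyContinue
        Set-Service TermService -StartupType Disabled
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }

    # Office: "Disable all macros except digitally signed macros" (VBAWarnings = 3)
    # for the current user in Word, Excel and PowerPoint.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
    }
}

# Usage:
# Get-RansomwarePosture                  # read-only report
# Set-RansomwareHardening -DisableRdp    # then re-run the report to confirm
```

Controlled Folder Access will also block legitimate but unrecognised programs from writing to protected folders, so expect to add an allowed app or two via Windows Security > Virus & threat protection > Ransomware protection in the first week.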
Related prevention topic: check if you're running solid real-time protection on Windows Security. That's foundational.
Remote Support for Ransomware Removal
If you're unsure about any of these steps or your system is still showing signs of infection after scanning, Vivid Repairs offers remote support for ransomware removal. Our technicians handle the full cleanup: malware scanning, identification, decryption searches, and backup restoration. We can connect to your PC securely and walk through each step with you, or take over completely if you prefer. Ransomware situations are stressful, and having an experienced pair of hands alongside you makes a difference.
Remove Ransomware from Windows 11: Summary
Removing ransomware from Windows 11 without paying comes down to speed and backups. The moment you suspect infection, disconnect your network, boot into Safe Mode, and run anti-malware scans. Identify your ransomware variant using ID Ransomware, search for free decryption tools via No More Ransom, or restore from an offline backup created before the infection date. If none of those work, you'll need a professional data recovery service, and it's expensive.
The real victory is prevention. Enable Windows Defender real-time protection, install security updates on release day, harden RDP, maintain offline backups, and stay skeptical of email attachments. Ransomware thrives on unpatched systems and weak backups. Fix both and you'll sleep better at night.