How to remove ransomware/trojan from your computer?

Anonymous
2020-06-21T13:35:21+00:00

How to remove ransomware/trojan from your computer? It's simple!

Ransomware:

Step 1: Boot into Safe Mode. (F8)

Step 2: Launch your Antivirus Software. (such as Windows Defender or MalwareBytes)

Step 3: Perform a Virus Scan using your Antivirus Software.

Step 4: After it detects all ransomware files, click the remove button.

Step 5: Boot into the normal Windows 7.

Step 6: Open your browser. (I recommend IE 11 or Edge)

Step 7: Search for a decryptor file. (make sure it's not that one included in the ransomware)

Step 8: Run the downloaded file.

Step 9: Follow instructions on the screen.

Step 10: Run the installed decryptor. (it's the last chance to make sure it's not that one included in the ransomware)

Step 11: Scan for files.

Step 12: Repair the files. (you may need to buy)

Step 13: That's all! Now your documents, pictures, letters, videos and other non-system files are now decrypted.

Future Prevention: As of Windows 7 end of support, you should upgrade to the newest, easiest, fast version of Windows, which is Windows 10.

Trojan:

Step 1: Insert a Windows 7 Installation Media into your PC/Laptop.

Step 2: Click the "Next" button.

Step 3: Click the "Repair your Computer".

Step 4: Select "Windows 7". If it is not present, select the 2nd box and click "Next".

Step 5: Select "Startup Repair".

Step 6: Once it is done, reboot.

Step 7: Now you can boot in Windows.

Future Prevention: As of Windows 7 end of support, you should upgrade to the newest, easiest, fast version of Windows, which is Windows 10.

Thanks for reading! If you have problems, feel free to ask in comments and I'll reply in the shortest time I can.

Windows for home | Previous Windows versions | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

2 answers

  1. quietman7 MVP Alumni 19,735 Reputation points Volunteer Moderator
    2020-06-22T01:00:47+00:00

    Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed but there are some exceptions. The malware developers usually do this to make it more difficult for security researchers to find and analyze their malicious payload. That also explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, many victims don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware which could still be present on the infected computer.

    However, some crypto malware (i.e. STOP/Djvu Ransomware) are known to leave behind malicious components that will encrypt any new files saved and re-encrypt any files victims previously managed to decrypt. Other ransomware (i.e. Phobos Ransomware) are very aggressive and do not end on a single run...they will run multiple times ensuring repeated infection. There are a few ransomwares that will store a victim's master key in the registry and if removed, the next time the computer is restarted, the ransomware could create a new master key and begin encrypting files again. That means encrypted data by two different keys.

    Therefore it is recommended to isolate the infected computer from other devices and thoroughly check the system to ensure no such malicious components have been left behind. IT folks and advanced users who are ransomware victims can use Farbar Recovery Scan Tool (FRST), an advanced specialized tool designed to investigate for the presence of malicious and suspicious files. FRST logs provide detailed information about your system, registry loading points, services, driver services, Netsvcs entries, known DLLs, drives, partition specifications and will also list system files that could be patched by malware.

    There are a few ransomware variants that will add an entry to Run and RunOnce Registry Keys so the malicious executable or ransom screen always displays itself on each restart of the computer. In such cases, victims should look for a related entry under the Startup tab in Windows System Configuration Utility (msconfig) or use a tool such as Autoruns to search for and remove any malicious entries.

    Important Note: Some ransomware have been known to install password stealing Trojans on victim's computer to steal account credentials, cryptocurrency wallets, desktop files, and more. It is imperative that you change all passwords for your computer to include those used for banking, taxes, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one.

    Disinfection will not help with decryption of any files affected by the ransomware.

    Before doing anything, it is recommended to create a copy or image of the entire hard drive or remove the hard drive, store it away and replace it with a new hard drive then a fresh install of Windows. Doing that allows you to save the complete state of your system including all encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed in the event that a free decryption solution is developed in the future.

    2 people found this answer helpful.
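
A read-only way to list the Run and RunOnce registry entries mentioned in the answer above, as an added example that is not part of either answer. It assumes PowerShell 3.0 or later; the `Get-ExePath` helper and the `Review` flag (target in a user-writable folder, missing, or without a valid Authenticode signature) are illustrative assumptions for triage, not a malware verdict.

```powershell
# Added example: enumerate Run/RunOnce autostart entries and flag ones to inspect.
# Read-only: nothing in the registry or on disk is modified.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: autostart targets in user-writable folders deserve a closer look.
$writable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ }

function Get-ExePath([string]$Command) {
    # Hypothetical helper: pull the executable out of a command line.
    # A quoted path wins; otherwise take everything up to the first known extension.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|com|bat|cmd|scr|dll|vbs|js|ps1))(\s|,|$)') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }          # key may not exist (e.g. 32-bit Windows)
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = [string]$item.GetValue($name)
        $exe    = Get-ExePath $cmd
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        # Targets that cannot be resolved to a file (relative names, deleted files) are flagged too.
        $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'FileMissing' }
        $inWritable = [bool]($writable | Where-Object { $exe -like "$_\*" })
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $cmd; Signature = $sig
            Review = ($inWritable -or $sig -ne 'Valid')
        }
    }
}

# Entries flagged for review are listed first.
$results | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt to see the HKLM keys in full; HKCU covers only the account running the script, so repeat it for each user profile on the machine.
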
  2. Reza-Ameri 45,806 Reputation points Volunteer Moderator
    2020-06-21T14:20:59+00:00

    Thank you for sharing these tips.

    However, these steps might solve general issues with some malwares, for example in some cases you could remove a Trojan just by performing a scan and you don't need to boot the Windows 7 installer.

    You don't need to use Windows installer unless there is a problem with booting or you have to reinstall Windows.

    In many cases, you could use Windows Defender Offline instead:

    https://support.microsoft.com/en-us/help/17466/windows-microsoft-defender-offline-help-protect-my-pc

    And for ransomwares, we recommend taking a look at:

    https://support.microsoft.com/en-us/help/4013550/windows-protect-your-pc-from-ransomware
