Ransomware Payment Help: How to remove it and restore files

Published on
May 23, 2019
In this guide we explain everything you need to know about ransomware, how to prevent an attack and how to get your device recovered. As a last resort, and only after you have researched and understood the risks of paying an attacker, we can help you pay your ransom in digital currency, which is the most common form of payment requested.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.

What is ransomware?

Ransomware generally involves the act of encrypting data or preventing access to your computer or personal files, with the attackers instructing a ransom payment to be made before access is returned. Payment is often required in digital currency like bitcoin, gift card codes or less commonly via credit card.

Malware, short for “malicious software”, is software is designed specifically to disrupt, damage or gain unauthorised access to your computer. This guide focuses on malware that is used to lock-out users from computers or their files for ransom.

You can fall victim to ransomware attacks in the same way as other malware or viruses, such as visiting unsafe websites, clicking on untrustworthy links from social media or opening emails and files from unknown or fraudulent email addresses.

In short, ransomware infects an endpoint device such as a computer, attempts to distribute more instances of itself as far as it can reach through any additional networks that are connected, seizes and locks access to files before finally offering an ultimatum to the victum. ''Pay up or lose access''.

Detecting ransomware

At first, it might not seem apparent that you have contracted ransomware. Your computer may seem slower or you may have already lost access to certain documents or files. Error messages like “Unknown file type” become more common. 

In other, more obvious cases, everyone in your organisation will get completely locked out of your system or shared drive. A message confirming the ransomware attack usually follows, providing instructions for payment in order to have the files decrypted and made accessible once again.

Encryption ransomware, commonly referred to as cryptoware, is the most common type of ransomware. Other types of ransomware attacks include mobile ransomware that infects smartphones, non-encrypting ransomware that locks screens and restricts access to certain files and leakware or extortionware, where the attacker gets your data and threatens to release it if the ransom isn’t paid. 

As more and more ransomware attacks demand cryptocurrency as a form of payment, other types of attacks requesting are also on the rise. Chief among them is cryptojacking, which embeds software on a computer, mobile device or web browser and uses the machine’s resources to mine cryptocurrency. These types of attacks don’t usually demand ransom payments, as instead they attempt to avoid detection in order to use a computer’s processing power to mine and earn cryptocurrencies. 

How serious is ransomware? 

If you’ve been infected with ransomware, you are not alone. By 2017, ransomware attacks on businesses jumped from one attack every 2 minutes to one attack every 40 seconds. This figure is expected to rise to one attack every 14 seconds in 2019 and one every 11 seconds by 2021. 

The cost of dealing with ransomware is growing too. For businesses, the average cost of a ransomware attack is $133,000. All said, this emerging threat costs businesses $75 billion every single year. And that’s just in the United States.

Since the vast majority of companies that fall victim to ransomware attacks already run up-to-date anti-virus software, many just end up paying the ransom because they have no other option.

Most governments explicitly recommend against paying any sort of ransomware because it invites future attacks. The rationale is that, once hackers know that an organisation pays the ransom, they will repeat their attacks for more money. 

Refusing to pay the ransomware reduces the likelihood of future attacks, but usually at a significant cost. In addition to the cost of recovering your data, it could take weeks or even months to purge the malicious software from the system. And there is a risk that it’s a fraudulent claim and you’ll never get your data back even after payment is made. Damages directly related to ransomware are said to be anywhere in the vicinity of $11.5 billion

cryptolocker message
Example of the CryptoLocker message provided to victims

Common ransomware software

One of the most common ways to get ransomware on your computer is from malicious spam or malspam, which is software that sends out mass emails to unsuspecting victims, usually with a corrupt file attachment in a PDF or Word document, or a link to a website. It often tricks customers into opening the attachment or link by disguising the sender as someone they know or an institution they trust.

Recent cases of malware include CryptoLocker (pictured above) and WannaCry, which encrypted computer drives and completely prevented any function or use without entering a special key or password. Cyber criminals who ran these scams requested a fee in exchange for the password to restore the device.

A CryptoLocker variant by the name of TeslaCrypto also wreaked havoc on organisations back in 2016, where it accounted for nearly half of all ransomware attacks. This ransomware targeted files associated with videos games.

Ransomware by the name of SimpleLocker targeting Android devices has also seen a large spike in incidence rates. SimpleLocker was the first known ransomware to deliver a malicious payload through a trojan downloader, putting it well ahead of the curve of existing security measures.

Written by
James O'Donoghue
Operations and Growth

The eternal-bull crypto trader. James drives operations and growth at HiveEx

Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.

What to expect if you’ve been attacked by ransomware

Although ransomware attacks are constantly evolving, most follow a predictable pattern that includes infection, the creation of cryptographic keys (passwords), encryption (locking out users), extortion (demands for payment) and unlocking (releasing access back to the user). 


Once you’ve unknowingly downloaded ransomware, it will attempt to further deploy its way through any connected network it can access and extend to infect other computers, servers or devices. 

Creation of cryptographic keys

Once the ransomware gains access to the command server of a computer or system, it will generate cryptographic keys, or a string of bits (numbers and letters) made by applying an algorithm. This process will transfer files and plain text into a cipher text (non-readable information) and vice versa.


Once the cryptographic keys are created, the ransomware will run software to encrypt files on all the machines associated with the network, using the cryptographic key that was created. 


Once the ransomware has successfully encrypted your files and network, it will instruct you on how to regain access to your devices. Usually, you are given an ultimatum: pay the ransomware or permanently lose all of your data. As the files were encrypted using the cryptographic key that the malware generated, there is likely no way to decrypt information without this key.


Although law enforcement officials expressly recommend against paying the ransomware, some people and organisations end up meeting the attacker’s demands. If ransomware is paid, cyber criminals usually restore access to the affected files. If you don’t pay the ransom you can try to recover your system using backups and other techniques. Unfortunately, there’s no guarantee these methods will work. 

It's important to understand that there is no guarantee that paying a ransom will result in the return of access to your files (see 'understanding risk' below).

Steps you can take if affected by ransomware

To attempt to remove ransomware on your own, the first step should be to run an antivirus program that can attempt to locate the malware and purge it from the system. If you’re facing a locked screen, you may need to run a virus scanner from an external USB drive. 

Since many varieties of ransomware prevent you from entering your system or running programs, a full System Restore might be a better option. System Restore essentially rolls back your entire system to an earlier time without affecting personal files. If you use Windows, System Restore is enabled by default. Simply follow the instructions for enabling System Restore on the version of Windows you’re currently running. 

If you’re not facing a locked screen and can open your system, you should check to see if your files have been encrypted or merely hidden. In Windows 8 or higher, you can check by opening a File Explorer window, selecting the View tab and checking Hidden Items

If none of the above work and you’re still reluctant to pay the ransomware, you can hire a professional technician to remove the malware. This option won’t be cheap, but it can prove to be a valuable step if you still can’t access your system.

Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.

HiveEx can help

It’s important to understand that, while HiveEx has no association with those responsible for ransomware attacks and demands, we are specialised in trading cryptocurrencies and are extremely familiar with the acts of sending, receiving and safely storing cryptocurrency funds. With so many attackers demanding their ransom be paid in cryptocurrency, we can make this unfortunate scenario as seamless as possible. 

Despite generally having trade minimums of $50,000 as a cryptocurrency OTC broker, we feel strongly about helping people in need who seek both advice and assistance in reviewing options and facilitating any payment demands of a ransomware, should they choose. The HiveEx team offers expertise to such an extent, lowering our trade minimums for those affected. 

If desired, HiveEx can facilitate the conversion of fiat dollars into cryptocurrency such as Bitcoin, and provide guidance on how to make the payment to an address supplied by the ransomware attacker.

If you choose to go down this path, it’s important to review your security solutions after the fact to minimise the chance of any future attack. After all, it’s well established by now that hackers seek out organisations that appear more vulnerable than others. Law enforcement officials recommend implementing basic security safeguards, as this alone can weed out most attacks. 

Remember: hackers are far less likely to spend their time and resources attacking a secure computer system. By starting with the basics, you can lower their incentive to make your organisation a target. 

HiveEx client onboarding 

If paying the ransomware makes sense for you, HiveEx will take you through a step-by-step process to attempt regaining access your files. They include:

Free consultation 

If you’ve been infected with ransomware, contact us for a free consultation. Depending on your time zone, we can provide feedback as quickly as 24-48 hours. If your attacker demands a cryptocurrency payment, we can help. We’ll need to know the size of the ransom so we can plan ahead. 

Set up an OTC trading account

Following KYC/AML checks as required under the Australian Government’s AUSTRAC regulation guidelines, the onboarding process begins by helping you set up an OTC cryptocurrency trading account at our firm. The process takes five minutes and your account can be approved within 24 hours. Given your special set of circumstances, minimum trading requirements will be waived. 

Fund your account and convert money into cryptocurrency. 

Once your account is approved and set up, you can deposit the ransom amount directly into your account using bank or wire transfer. The funds will then be converted from your national currency (i.e., U.S. dollar, Australian dollar, euro, British pound) into cryptocurrency, such as bitcoin.

Pay the ransom

HiveEx will take you through the process step by step to securely send the cryptocurrency ransom to the wallet address supplied by the attacker. You will need to further open a digital wallet to accept cryptocurrency from HiveEx to then pay fees to the attacker. HiveEx can not send your crypto directly to an attacker.

Notify authorities 

If you decide to work with us to pay your ransomware attacker, we will notify the relevant authorities and document the transaction, including Scamwatch and Australian Cybercrime Online Reporting Network (ACORN).

Understanding risk

While paying off a ransomware attack to regain access to machines or locked data offers no guarantees, malicious actors have a pretty good track record of honouring the duress agreement. For the attackers, giving affected parties access to their machines after a ransomware payment increases the chance that future targets will also pay the ransom too. 

At the same time, it’s not enough to just take their word for it. It is recommended that you research the type of ransomware responsible for infecting your device or data, and to research the success rates of others against the same version. In doing your research, keep in mind that the same ransomware attacks may have been implemented by different groups that may not have any intention to honour any payments made.

It’s worth reminding again that law enforcement officials strongly recommend against paying ransomware because it only emboldens the hacker to strike again and for more money. Organisations that can bear the attack may be better off refusing to pay the ransom. If anything, this lowers the chance that they will be attacked again in the future. 

How to prevent a ransomware attack

While ransomware attacks may appear more sophisticated than other types of malware, preventing them can often be as simple as running a good antivirus program and updating all of your Windows applications, like Java and Adobe. Maintaining a clean browser can provide extra protection, and avoiding the use of traditionally regonised ‘dodgy’ websites. Ad-blocker browser extensions can also be a good idea. 

Now that you’ve learned more about ransomware, it’s a good time to check through the above steps that may help to reduce the risk of being impacted by malware, and take a chance to proactively ensure you have a solid backup system in place for the files and data that are vital to your business operation. Automated back-up systems can prove to be a good investment in against this type of problem. 

Your next steps

If you have been impacted by ransomware and would like assistance, we are here to help. Please contact the team using the form below, or submit an enquiry on our site.

In the event that you seek to pay ransomware, we will need to onboard you as a client to trade with us, processing time and to further pre-fund your account. Please feel welcome to ask any questions. 

While we are happy to assist you in meeting a ransomware demand, we cannot guarantee that paying the ransomware will get you your data back. We do not recommend or endorse any course of action. If you do decide to make use of our services, you do so solely at your own risk.

Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.
Important: If you seek to pay a ransomware, we will need to on-board you as a client to trade with us and to allow for time to prefund your account.

Enquire now and one of our traders will get back to you within 24 hours to answer any questions and assist with account set-up.

Learn more about Trading with HiveEx

HiveEx.com HQ is located in Sydney, Australia
Level 10, 99 York St, Sydney, Australia
ACN: 624 470 417
ABN 76 624 470 417

And Poland
Komandorska 12ul. Komandorska 12 (level 3) 50 – 022 Wrocław

View our privacy policy and terms and conditions

HiveEx is a trading name of Hive Empire Trading Pty Ltd, a subsidiary of Hive Empire Ventures Pty Ltd. Hive Empire Ventures (trading as Finder Ventures) is a related party of Hive Empire Pty Ltd, which owns and operates finder.com and finder.com.au

Hive Empire Trading Pty Ltd (trading as HiveEx.com) is registered with AUSTRAC, since April 23, 2018.

© Copyright 2019 Hive Empire Trading Pty Ltd
Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies and ICOs are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own independent legal, tax and accounting advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision.
Text Link