How to spot Ransomware before it encrypts your computer

Keep in mind, SpyHunter’s malware detection tool is free. To remove the infection, you'll need to purchase its full version. More information about SpyHunter and steps to uninstall.

Computer suddenly becomes very slow and CPU and Memory usage skyrockets

Encryption is a very slow and resource consuming process – the more the data stored the slower it will be for the Ransomware to encrypt it. If your computer suddenly becomes much more sluggish then usual it is a very good idea to open you Task Manager and look for what is causing the problem. Any unfamiliar program or process that takes a huge chunk out of your CPU is most likely a ransomware virus!

If Windows randomly announces that files are ready to be burned on a disk be on your guard

This is an unintended feature of some Ransomware viruses, which are set to target .ini files. What is actually happening is that Windows detects a change in the files located in the temporary directory used to burn files – located in C:\Users\\AppData\Local\Microsoft\Windows\Burn\Temporary Burn Folder.

The burn directory is not actually completely empty – it contains a file called desktop.ini, which is required by Windows in order to begin the burning process. This file is ever-present and will be there even if you don’t plan to burn anything or even lack the DVD required to do so. If the Ransomware affecting your computer is configured to target .ini files it will attack desktop.ini, encrypt it, then delete it and put a new encrypted file in its place. Windows immediately register that a new file has been put in this location and it assumes that it is a file you want to burn – hence the pop-up warning.

Ransomware detected – now what?

Immediately open your Task Bar and look for any suspicious or unfamiliar processes operating on your computer. Shut down any such processes quickly. Such processes are likely to use a large amount of CPU power and memory.

  • Ransomware is sometime able to masquerade as legitimate Windows processes (in name), but please note that most ransomware is written as a 32bit application, while most Windows users are using 64bit versions of Windows. The Ransomware should have a *32 next to the process name, making it easier to spot. Processes connected to the ransomware are also likely to contain descriptions that are out of the ordinary for a Windows processes, so please look out for those too.

If you fail to spot anything OR if shutting down doesn’t help and they just restart you should immediately turn off your computer and reboot it in Safe Mode (click on the link to use the guide if you don’t know how to do it already).

With Safe Mode enabled boot Windows as normal. Once it does press the Windows Key and type msconfig in the search field, then hit enter. A window that looks like this will pop-up:



Startup —> Uncheck entries that have “Unknown” as Manufacturer or look suspicious to you. Processes required by Windows are never included in this tab – anything that appears to be Windows related or has Microsoft listed as a manufacturer is almost certainly the Ransomware.

You will likely encounter a lot of online users claiming they can decrypt your files. There is a good chance this is a complete scam. You can read more here how to spot the decryption scammers.


So far you’ve hopefully managed to stop the ransomware from encrypting the rest of your files, but it is still present in your computer.

The best course of action now is to find and download a good anti-malware program to scan your computer and remove all traces of the Ransomware program. If you are looking for a recommendation please click on one of the banners on our page.