How to terminate ransomware programs with Task Manager #
When should I use this guide?
If you are experiencing a ransomware attack, follow these three steps to identify and stop a potential ransomware program running on your Windows 10 computer:
Step 1. Open Task Manager
Step 2. Identify a ransomware program with Task Manager
Step 3. Terminate a ransomware program with Task Manager (End Task)
What to do if your device stops responding at any point:
- Hold down the device’s power button to stop it.
- Get professional help.
What is Task Manager?
Task Manager is a utility within Microsoft Windows 10 that provides you with an insight into what is running on your computer, including the allocation of resources and a quick way to close running programs. The example pictures in this guide show what Task Manager might look like when opened. The information presented for your system will be different.
If you are having trouble understanding the content in this guide, you can contact the NCSC by emailing: firstname.lastname@example.org
Step 1. Open Task Manager #
- If you are signed into your device, press and hold down at the same time the Ctrl, Shift and Esc keys on your keyboard.
- This will open the Task Manager window in simple view. Click the More details in the bottom left corner.
- This will open the Task Manager window in detailed view.
What to do if Task Manager does not open, or quickly closes when you open it:
Go to our guide on how to run a malware scan.
Some types of ransomware prevent Task Manager from opening to stop you from seeing details of its malicious software (malware) running on your computer.
Step 2. Identify a ransomware program with Task Manager #
It is important to remember that the programs visible in Task Manager may not be ransomware and may in fact be essential for your computer to run. Use the steps below to identify potentially suspicious programs before taking action.
Sorting information by Disk
An indicator that a program could be ransomware is its Disk usage.
- To determine which programs are using the highest amount of Disk resources, sort programs by Disk usage by clicking on the Disk heading in Task Manager. The programs are now listed by highest Disk usage to lowest.
Determine if Programs are Suspicious
Look at the top programs now listed in Task Manager by Disk usage (which is displayed in the Disk column in MB/s). Critically evaluate if they are suspicious, starting with the first program, using the following steps:
- Think: Do you recognise the program name? Indicators of potentially malicious programs include names with random letters, numbers and symbols or even misspelled common program names.
- Search: Using a separate safe device, perform an internet search using the key words Task Manager and the name of the suspicious Program (for example, “weirdXYZ”). Do the search results indicate that this is ransomware or malware? Or do they indicate it is a legitimate program?
- Look: Is the program using significantly more Disk resources compared to other programs in the list? Is it running at higher MB/s in comparison to other programs? Typically a ransomware program will run above 5MB/s. The program’s Disk usage might also be highlighted yellow or red.
- Decide: If the results of Steps 2 to 4 indicate the program is suspicious or ransomware, terminate the program using the instructions on the next page.
Note: Remember to use reliable and authentic sources of information, such as the manufacturer of the program, to clarify if a program is normal or suspicious.
Step 3. Terminate a ransomware program with Task Manager (End Task) #
Important: Read This Before Closing a Program:
Using the End Task feature will immediately close a program without saving any changes made to the program. If you are considering closing a program, you should be confident that you are making an informed decision based on the information and research you have found using the previous step. This will help prevent you from using the End Task feature on a program that keeps your computer running.
Using Task Manager’s detailed view
- If you can, write down the name of the program you have identified as suspicious and wish to close. Or take a photo of Task Manager using another device such as a smartphone. This information will aid in the recovery process.
- Right-click the suspicious program you wish to close and select End Task from the menu.This will close the program.