Warning: If you are reading this because your screen is currently locked with a ransom note, STOP. Do not click anything. Do not pay. Follow Step 1 immediately.
Finding your files encrypted with a .locked, .crypt, or random file extension is a nightmare scenario. Your first instinct is to panic or pay the ransom. Do not do either.
Paying the ransom does not guarantee you will get your files back (criminals are liars, after all), and it funds future attacks.
In 2026, we have better tools. This guide will walk you through the exact process cybersecurity professionals use to neutralize the threat and recover data without paying a cent.
Phase 1: Immediate Containment (Do This Now)
Before you try to “fix” anything, you must stop the bleeding. Ransomware is designed to spread. If one computer is infected, every other device on your Wi-Fi is at risk.
1. Pull the Plug (Literally)
- Ethernet: Unplug the network cable immediately.
- Wi-Fi: Turn off the Wi-Fi on your laptop or pull the power cord of your internet router.
- Why: Many ransomware strains need to “talk” to the attacker’s server to fetch or register their encryption keys, so cutting the connection can sometimes stop the encryption partway and save some of your files. It also stops the infection spreading to the other devices on your network.
2. Disconnect External Drives
- If you have a USB drive, external hard disk, or SD card connected to the PC, unplug it immediately.
- Danger: Modern ransomware specifically hunts for backup drives to encrypt them too.
3. Do NOT Reboot (Yet)
- Some ransomware types (like Jigsaw) have a “dead man’s switch.” If you restart the computer, they may delete 1,000 files as punishment. Only reboot if your IT expert tells you to.
Phase 2: Identification (What Are We Dealing With?)
You cannot find a cure if you don’t know the disease. There are over 1,000 variants of ransomware (Ryuk, STOP/Djvu, WannaCry, Phobos). You need to know exactly which one you have.
1. The “ID Ransomware” Test
You don’t need to be a coder to figure this out. Use the free tool created by security researchers.
- Step A: Take a photo of the ransom note on your screen with your phone.
- Step B: On a clean device (like your phone or a different PC), go to ID Ransomware.
- Step C: Upload the ransom note text file (usually called _README.txt or RESTORE_FILES.txt) and one encrypted sample file.
- Step D: The site will tell you the exact name of the virus (e.g., “This is STOP Djvu variant .mole”).
[Insert Screenshot here: The ID Ransomware upload screen showing a successful identification]
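As an added example (not part of the original guide), the following Python script does the file-gathering part of Step C offline: it walks a folder, lists ransom notes by the names mentioned above, lists files carrying a suspect extension, and measures the byte entropy of each candidate so you can tell a genuinely encrypted file from one that merely got renamed. The folder it scans is constructed inside the script for demonstration; the note names, extensions and the 7.5-bit threshold are assumptions you should adjust to your own case.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Note file names and extensions mentioned in the guide; extend for your case.
RANSOM_NOTE_NAMES = {"_readme.txt", "restore_files.txt"}
SUSPECT_EXTENSIONS = {".locked", ".crypt"}
HIGH_ENTROPY = 7.5  # bits per byte (assumed threshold); real ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root):
    """Return (ransom notes, [(path, entropy, looks_encrypted), ...]) under `root`."""
    notes, suspects = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
        elif path.suffix.lower() in SUSPECT_EXTENSIONS:
            with path.open("rb") as fh:  # read-only: nothing on the drive is modified
                entropy = shannon_entropy(fh.read(4096))  # 4 KiB is enough to judge
            suspects.append((path, entropy, entropy >= HIGH_ENTROPY))
    return notes, suspects

def build_sample_dir() -> Path:
    """Constructed test data: a note, one 'encrypted' file, one merely renamed file."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    (root / "_readme.txt").write_text("ALL YOUR FILES ARE ENCRYPTED ...\n")
    # Stand-in for ciphertext: pseudo-random bytes from a fixed seed.
    rng = random.Random(1)
    (root / "photo.jpg.locked").write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
    # Same extension but plain text inside: renamed, not encrypted.
    (root / "notes.txt.locked").write_text("just ordinary text " * 100)
    return root

if __name__ == "__main__":
    notes, suspects = triage(build_sample_dir())
    print("Ransom notes:", [n.name for n in notes])
    for path, entropy, encrypted in suspects:
        print(f"{path.name}: entropy={entropy:.2f} encrypted={encrypted}")
```

Run it against a copy of the affected folder taken from a drive you have already unplugged from the infected machine; the note file and one file flagged as encrypted are what ID Ransomware asks for.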
Phase 3: The Recovery Options (Can You Decrypt?)
Once you know the name of the virus, you have three paths forward.
Path A: The Free Decryptor (Best Case Scenario)
Security companies like Emsisoft, Avast, and Kaspersky often crack ransomware codes and release free “keys.”
- Go to the No More Ransom Project (supported by Europol and McAfee).
- Use their “Decryption Tools” search bar.
- Type in the name of your ransomware (found in Phase 2).
- If a tool exists: Download it, run it, and it will unlock your files for free.
- Note: This works well for older ransomware versions.
Path B: The “Shadow Volume” Miracle (Windows Only)
If the ransomware was lazy, it might not have deleted your “Shadow Copies” (the snapshots kept by Windows’ built-in Volume Shadow Copy service).
- Download a free tool called ShadowExplorer.
- Run it and look for a date before the infection (e.g., yesterday).
- Right-click a folder (like “Documents”) and select Export.
- If it works, you get your clean files back instantly.
Path C: The “Offline” Restoration (If All Else Fails)
If there is no decryptor and Shadow Copies are gone, your only option is to wipe the computer and restore from an external backup (Google Drive, Dropbox, or a USB hard drive).
- Crucial Warning: Do NOT plug your backup drive into the infected computer yet. You must “Format” (erase) the infected computer first to ensure the virus is gone.
Phase 4: Eradication (Cleaning the PC)
Even if you get your files back, the virus is likely still hiding in your system, waiting to strike again. You cannot trust this computer until it is cleaned.
1. Enter “Safe Mode”
- Hold Shift while clicking “Restart” in the Start menu’s power options (Windows 10/11).
- Select Troubleshoot > Advanced Options > Startup Settings > Restart.
- Press 4 to start in Safe Mode.
2. Run a Malware Scan
- In Safe Mode, run a deep scan using Malwarebytes or HitmanPro. These tools are better at finding ransomware remnants than standard antivirus software.
- Quarantine and delete everything they find.
Summary Checklist for Victims
- Disconnect the internet immediately.
- Photograph the ransom note (then ignore it).
- Identify the virus using ID Ransomware.
- Check No More Ransom for a free key.
- Wipe and reinstall Windows if no key exists.
Final Advice: The only 100% cure for ransomware is a Cold Backup. Buy a cheap external hard drive, copy your photos to it once a month, and unplug it. If it’s not plugged in, the hackers can’t touch it.