Geeks in Sneaks
What to Do if You Get a Ransomware Warning or Encrypted Files


Difficulty
Advanced
Time
2-4 hours
Category
Windows Problems

Seeing a ransomware message or can't access your files? Here's what to do immediately, how to potentially recover your data, and when paying the ransom makes sense.

What Is Ransomware?

You try to open a file and get an error. Then you notice a text file on your desktop with a threatening message: "Your files have been encrypted. Pay $500 in Bitcoin within 48 hours or lose your data forever." Your heart sinks as you realize your photos, documents, and important files won't open.

You've been hit by ransomware—malicious software that encrypts your files and demands payment to unlock them. This is one of the most serious malware infections because it can result in permanent data loss. However, acting quickly and correctly can sometimes help you recover your files without paying.

Critical first step: Do NOT pay the ransom immediately. While it's tempting to pay to get your files back quickly, paying doesn't guarantee recovery and funds criminal operations. There are other options to try first.

Immediate Steps: What to Do Right Now

If you're seeing a ransomware message or notification right now, take these steps immediately:

  1. Disconnect from the internet - Unplug your ethernet cable or turn off WiFi immediately. This prevents the ransomware from spreading to network drives or other connected computers
  2. Don't turn off your computer - Keep it running for now. Some ransomware variants delete themselves after encrypting files, and forensic analysis may be needed
  3. Take photos of the ransom message - Use your phone to photograph all ransom messages, file extensions, and any contact information. This helps identify the ransomware variant
  4. Disconnect external drives - Unplug any USB drives, external hard drives, or other storage devices to prevent them from being encrypted
  5. Isolate other devices - If this is on a network with other computers, turn off those devices until you've secured the infected one

Assess the Damage

Before deciding on a recovery strategy, understand what you're dealing with:

  • Check what files are encrypted - Note the file extensions (they often change to strange extensions like .locked, .encrypted, .WNCRY, etc.)
  • Identify the ransomware - Look at the ransom note for names or search the text online. Websites like ID Ransomware (id-ransomware.malwarehunterteam.com) can identify the variant if you upload the ransom note
  • Document everything - Note when the infection occurred, what files are affected, and any ransom demands
  • Consider reporting - Report to local authorities and the FBI's IC3 (ic3.gov), especially if it affects a business
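To support the "check what files are encrypted" and "document everything" steps, here is an added read-only inventory script (not from the original article) for an elevated PowerShell on the already-offline machine. The extension and note-name lists are a constructed starting point; add whatever you see on screen. It also checks whether any Volume Shadow Copies survive, which tells you in advance whether the Previous Versions route below has anything to restore.

```powershell
# Added example, not from the original article: read-only damage inventory.
# Run elevated on the machine AFTER it is disconnected from the network.
# Lists below are constructed starting points; nothing here modifies files.
$SuspectExtensions = @('.locked', '.encrypted', '.WNCRY', '.crypt', '.enc')
$NotePatterns      = @('*README*', '*DECRYPT*', '*RECOVER*', '*HOW_TO*', '*RESTORE*')
$NoteTypes         = @('.txt', '.html', '.hta')
$Root              = $env:USERPROFILE

$files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue

# 1. Encrypted files grouped by extension. The earliest and latest write times
#    in each group roughly bound when the encryption ran.
$encrypted = $files | Where-Object { $SuspectExtensions -contains $_.Extension }
$summary = foreach ($g in ($encrypted | Group-Object Extension)) {
    $sorted = @($g.Group | Sort-Object LastWriteTime)
    [pscustomobject]@{
        Extension  = $g.Name
        Count      = $g.Count
        FirstWrite = $sorted[0].LastWriteTime
        LastWrite  = $sorted[-1].LastWriteTime
    }
}
"Encrypted files under $Root by extension:"
$summary | Format-Table -AutoSize

# 2. Candidate ransom notes: small text/HTML files with the usual names.
#    These are what ID Ransomware / Crypto Sheriff want uploaded.
$notes = foreach ($f in $files) {
    if ($f.Length -lt 200KB -and $NoteTypes -contains $f.Extension) {
        foreach ($p in $NotePatterns) {
            if ($f.Name -like $p) { $f; break }
        }
    }
}
"Candidate ransom notes:"
$notes | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# 3. Are Volume Shadow Copies still present? If none are listed, the
#    "Previous Versions" option will have nothing to restore.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
"Shadow copies on this system: $(@($shadows).Count)"
$shadows | Select-Object InstallDate, VolumeName | Format-Table -AutoSize
```

Pipe `$summary` or `$notes` to Export-Csv if you want a file to hand to a responder alongside the photos of the ransom note.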

Recovery Options

Option 1: Restore from Backups

If you have recent backups, this is your best option:

  1. Do NOT connect backup drives to the infected computer yet
  2. First, clean the infection from your computer (see removal steps below)
  3. After confirming the malware is removed, restore files from your backup
  4. Verify backup drives weren't encrypted too - ransomware can attack network-connected backups

Important: If your backups were connected to the network during the attack, they may be encrypted too. Cloud backups with versioning (like OneDrive, Google Drive, Dropbox) may let you recover previous versions of files.

Option 2: Try Free Decryption Tools

For some ransomware variants, security researchers have created free decryption tools:

  1. Visit No More Ransom at nomoreransom.org - this project has decryptors for hundreds of ransomware families
  2. Use the "Crypto Sheriff" tool to upload an encrypted file and ransom note
  3. If a decryptor exists for your ransomware variant, download and run it following the instructions carefully
  4. Also check security vendors like Kaspersky, Emsisoft, and Avast for free decryptors

Note: Decryptors only exist for some ransomware variants. Newer or actively developed ransomware often doesn't have decryption tools available yet.

Option 3: Check Windows Previous Versions

If System Restore was enabled, you might recover some files:

  1. Right-click on an encrypted file or folder
  2. Select "Properties" then the "Previous Versions" tab
  3. If previous versions are listed, select the most recent one before the infection
  4. Click "Restore" to recover the older version

This doesn't work for all files, but it's worth trying for critical documents.

Option 4: Professional Data Recovery

For valuable data, professional cybersecurity firms may help:

  • Some firms specialize in ransomware recovery and may have tools or techniques not publicly available
  • Costs can be significant ($500-$5,000+), but might be worth it for critical business data
  • They can also help with forensic analysis to understand how the infection occurred

Removing the Ransomware

Before recovering files, you must remove the ransomware infection:

  1. Boot into Safe Mode:
    • Go to Settings > System > Recovery > Advanced startup
    • Click "Restart now"
    • Choose Troubleshoot > Advanced options > Startup Settings > Restart
    • Press 4 or F4 to start in Safe Mode
  2. Run Anti-Malware Scans:
    • Download Malwarebytes (from a clean computer, transfer via USB)
    • Run a full system scan in Safe Mode
    • Also run Windows Defender Offline scan
    • Remove all detected threats
  3. Clean Startup Programs:
    • Press Ctrl+Shift+Esc to open Task Manager
    • Go to the Startup tab
    • Disable any suspicious programs
  4. Check for Persistence:
    • Some ransomware reinstalls itself
    • Restart in normal mode and run scans again to ensure it's gone

Should You Pay the Ransom?

This is a difficult decision. Here's what you should know:

Reasons NOT to pay:

  • No guarantee you'll get your files back—about 40% of victims who pay don't receive working decryption keys
  • Paying funds criminal operations and encourages future attacks
  • You may become a target again since criminals know you're willing to pay
  • Payment (usually Bitcoin) is complicated and carries additional risks

When payment might be considered:

  • No backups exist and data is critical (business-critical, irreplaceable personal files)
  • The ransomware variant is known to provide working decryptors when paid
  • No free decryption tools exist for this variant
  • The ransom amount is less than the value of the data
  • You've exhausted all other recovery options

If you do pay: Consult with cybersecurity professionals first. They can verify the ransomware variant has a track record of providing decryptors and assist with the payment process to maximize chances of recovery.

Prevention for the Future

Ransomware is devastating, but preventable:

  • Maintain offline backups - Use the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 offsite/offline
  • Keep Windows and all software updated - Many ransomware attacks exploit known vulnerabilities in outdated software
  • Use antivirus with real-time protection - Windows Defender or third-party antivirus can block many ransomware attacks
  • Enable Windows Controlled Folder Access - This feature protects your files from unauthorized changes. Go to Windows Security > Virus & threat protection > Manage ransomware protection
  • Be cautious with email attachments - Don't open attachments from unknown senders, especially .zip, .exe, or Office files with macros
  • Don't click suspicious links - Ransomware often spreads through phishing emails
  • Use standard user accounts - Don't browse the web or check email with administrator accounts
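The Controlled Folder Access setting above can also be configured and verified from an elevated PowerShell, which is handy for several machines; this is an added example, not from the original article, and the folder and application paths are constructed placeholders.

```powershell
# Added example, not from the original article: configure and verify
# Controlled Folder Access with the Defender cmdlets. Run elevated.
# Paths below are constructed placeholders.

# Start in audit mode so you can see what WOULD be blocked without breaking
# anything, then enforce once legitimate programs are allow-listed.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect folders beyond the defaults (Documents, Pictures, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Work', 'D:\Photos'

# Allow a trusted program that legitimately writes to those folders
# (for example a backup agent); unknown executables stay blocked.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupTool\backup.exe'

# After a few days with no unexpected audit events, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the resulting configuration (1 = Enabled, 2 = AuditMode, 0 = Disabled).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# Review the last week of audit (1124) and block (1123) events from Defender's
# log: either a legitimate app that needs allow-listing, or a real attempt to
# modify protected files that you should investigate.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```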

When to Call a Pro

Ransomware is serious enough that professional help is often warranted:

  • You have critical business data with no backups
  • The data is irreplaceable (years of photos, important documents)
  • You're considering paying the ransom and want expert advice
  • You need forensic analysis to understand how the attack occurred
  • You're a business and need to document the incident for insurance or legal purposes
  • You're unable to remove the ransomware or it keeps coming back

Cybersecurity professionals can assist with recovery, ransomware removal, forensic analysis, and implementing better security to prevent future attacks. The sooner you get help, the better your chances of recovery.

Need Expert Help?

Ransomware attacks require immediate professional attention. Geeks in Sneaks can help assess your situation, attempt data recovery, safely remove the infection, and implement robust backup and security solutions to protect against future attacks. Time is critical—schedule an emergency visit today.
