What to Do if You Get a Ransomware Warning or Encrypted Files

🔍Immediate Steps: What to Do Right Now

1. Disconnect from the network — unplug ethernet and turn off Wi-Fi. This stops the malware from reaching network shares and other PCs while encryption is still in progress.
2. Do not shut down or reboot — some strains finish encryption or wipe recovery data on restart, and decryption keys occasionally remain in memory.
3. Disconnect external and backup drives — any USB or external drive still attached is a target.
4. Photograph the ransom note and a few encrypted filenames with your phone — the note text and the new file extension are how the strain gets identified.
5. Power off other devices on the same network until the infected machine is isolated.

🔍First, Identify The Strain — It Decides Everything Else

Before you try anything, determine which ransomware family hit you, because that single fact dictates whether recovery is even possible. Upload the ransom note and one encrypted file to ID Ransomware (id-ransomware.malwarehunterteam.com). The result splits your situation into one of three outcomes: (1) a known, broken strain — a free decryptor exists and your data is recoverable without backups; (2) a known, unbroken strain — only a clean backup will save you, decryptors are not coming soon; (3) unidentified — treat it as unbroken and rely entirely on backups. Skipping this step is how people waste days on dead-end fixes or pay a ransom when a free tool already existed.

🔍Recovery Options

Option 1: Restore From Backups

If you have backups, this is the cleanest path — but order matters.

1. Do not connect backup media to the infected machine yet.
2. Remove the infection first (see below) or wipe and reinstall Windows.
3. Only then restore, and verify the backup files weren't encrypted before you trust them.

Important: backups that were connected or mapped during the attack may also be encrypted. Cloud storage with version history (OneDrive, Google Drive, Dropbox) can sometimes roll individual files back to a pre-attack version.

Option 2: Free Decryption Tools

If ID Ransomware flagged a broken strain, go to No More Ransom (nomoreransom.org) and use Crypto Sheriff to find the matching decryptor. Also check Emsisoft, Kaspersky, and Avast decryptor pages. Follow the tool's instructions exactly — running the wrong decryptor can corrupt files further.

Option 3: Windows Previous Versions

If shadow copies survived (many strains delete them, but not all), right-click an encrypted file > Properties > Previous Versions. Restore the most recent pre-infection version. Worth trying for critical documents even if it only works for some.

🔍Removing The Ransomware

Recover files only after the infection is gone:

1. Boot into Safe Mode: Settings > System > Recovery > Advanced startup > Restart now, then Troubleshoot > Advanced options > Startup Settings > Restart, then press 4.
2. Run anti-malware scans: download Malwarebytes on a clean PC, transfer via USB, run a full scan in Safe Mode, then run Windows Defender Offline.
3. Check startup persistence: Ctrl+Shift+Esc > Startup tab, disable anything unrecognized; rescan in normal mode.

🔍Should You Pay The Ransom?

Why paying is a bad bet: a significant share of victims who pay never receive a working key, payment funds and encourages the operation, and it marks you as a paying target. The only scenarios where it's even discussed: the data is irreplaceable, no backups exist, no free decryptor exists, and the strain has a documented track record of delivering keys. Even then, involve a cybersecurity professional before sending anything — they can verify the strain's reputation and handle the transaction to maximize the (still uncertain) odds.

🔍Prevention For The Future

• Keep offline backups using the 3-2-1 rule: 3 copies, 2 media types, 1 offline/offsite. A backup that is always plugged in is not a ransomware backup.
• Patch Windows and software — many attacks exploit known, already-fixed vulnerabilities.
• Enable Controlled Folder Access: Windows Security > Virus & threat protection > Manage ransomware protection.
• Be wary of email attachments and links — macro-enabled Office files and unexpected archives are common delivery methods.
• Use a standard (non-admin) account for daily browsing and email.