
My files are encrypted by ransomware: what to do RIGHT NOW

Files encrypted by ransomware? Real emergency guide: isolate the machine, identify the strain for free, recover what you can without paying, and when EaseUS actually helps.

By Eric Gerard · Editor · Save My Disk · 6 min read · Photo via Unsplash

You open your PC and see the note. "Your files have been encrypted." The extensions on your documents changed to something unrecognizable — .locked, .crypt, .blackcat, it doesn't matter which. The antivirus is silent or disabled. A Bitcoin address is on the screen.

The instinct is to panic, then figure out how to pay. That's exactly what the attackers are counting on.

Here's the truth: paying first is almost never the right call. There are steps to take before that — and some of them can recover a meaningful portion of your data for free. This guide gets to the point.

DON'T PAY YET — here's why and what to do first

Fewer than 50% of victims who pay recover all their files, according to FBI and Europol data from 2025. Some receive a broken decryption tool. Others receive nothing. And those who pay once become high-priority targets — criminal groups actively share these lists.

Authorities — the FBI, CISA, Europol, and UK's NCSC — all recommend against paying, at minimum until you have:

  1. Checked whether a free decryptor exists for your strain
  2. Assessed the state of your backups
  3. Attempted to recover what can be recovered

This isn't optimism. It's method.

Step 1 — Isolate the machine (do this now, before reading further)

Before anything else, if you haven't already:

  • Unplug the Ethernet cable
  • Enable airplane mode (or disable Wi-Fi manually)
  • Remove all external drives, USB sticks, SD cards
  • If you're on a shared network (NAS, Windows shares): warn other users immediately

Modern ransomware — LockBit, BlackCat/ALPHV, Conti, Akira — encrypts in cascades: local files first, then network shares, then connected backups. Every second the machine stays online extends the damage.

Don't restart. Don't force a shutdown. RAM can still hold the encryption key, which forensic tools can recover in rare but real cases. And a restart on a still-active system can trigger a second encryption pass over files created since the first run.
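When the cable cannot be pulled (built-in Wi-Fi with no switch, a machine in another room), the same isolation can be done from an elevated PowerShell without restarting. The snippet below is an added example, not part of the original article; it assumes a Windows 8/Server 2012 or later machine where the NetAdapter and SmbShare modules are available, and it records what was live before cutting anything, because an incident responder will ask.

```powershell
# Added example, not from the original article: software-side isolation of a
# Windows machine when you cannot physically unplug it. Run from an elevated
# PowerShell. Nothing here restarts or shuts down the machine, so whatever is
# in RAM stays in RAM, and nothing here writes to the disk.

# 1. Record the current state first: which adapters, mapped drives and SMB
#    sessions were live at the moment of isolation. Copy the JSON into your
#    notes on a clean device.
$snapshot = [ordered]@{
    Time      = Get-Date -Format o
    Adapters  = Get-NetAdapter | Where-Object Status -eq 'Up' |
                Select-Object Name, InterfaceDescription, MacAddress
    SmbMapped = Get-SmbMapping -ErrorAction SilentlyContinue |
                Select-Object LocalPath, RemotePath
    SmbOpen   = Get-SmbConnection -ErrorAction SilentlyContinue |
                Select-Object ServerName, ShareName, UserName
}
$snapshot | ConvertTo-Json -Depth 3

# 2. Drop mapped network drives so the encryptor loses its path to the shares
#    (the NAS or Windows shares the article warns about).
Get-SmbMapping -ErrorAction SilentlyContinue |
    Remove-SmbMapping -Force -ErrorAction SilentlyContinue

# 3. Cut every active adapter: Ethernet, Wi-Fi and virtual alike.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# 4. Verify: no adapter should report 'Up' any more.
Get-NetAdapter | Select-Object Name, Status | Format-Table -AutoSize
```

If the machine is managed by a corporate EDR agent, that agent's own "isolate host" action is the better tool, because it keeps the responder's channel open while blocking everything else; the script above is for the home or small-office case the article addresses.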

Step 2 — Identify the strain (5 minutes, free)

Identifying the ransomware is the step most people skip — and the one that changes everything.

On a clean device (phone, second PC), go to id-ransomware.malwarehunterteam.com. Upload:

  • The README or HOW_TO_DECRYPT file left by the attackers
  • One encrypted file (any file)

The database recognizes over 1,300 strains within seconds. It identifies the ransomware family and, crucially, tells you whether a free official decryptor exists.

Then check nomoreransom.org — the official portal co-managed by Europol, the Dutch National Police, Kaspersky, and McAfee. Over 160 free decryption tools cover approximately 200 families. Major strains including STOP/Djvu (offline keys), GandCrab, Shade, Avaddon, some REvil variants, and Babuk keys leaked after server seizures are all decryptable for free.

For a deeper dive on this step, our complete ID Ransomware identification guide walks through how to read the results and what to do for each strain outcome.

Step 3 — Recover what can be recovered

If no decryptor exists for your strain, there are still concrete options before considering payment or accepting the loss.

Previous versions and Windows Shadow Copies

Windows maintains silent snapshots called Volume Shadow Copies (VSS). Modern ransomware attempts to delete them automatically with vssadmin delete shadows /all — but this command sometimes fails partially, especially on secondary volumes or recently connected drives.

To check: right-click on an affected folder > Properties > Previous Versions tab. If versions appear, they predate the encryption.
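The Previous Versions tab only shows snapshots for the volume you right-clicked, and the attacker's delete command is most likely to have missed secondary volumes. The following added example (not from the original article) enumerates every shadow copy on every volume, with drive letters resolved, from an elevated PowerShell; it assumes the Win32_ShadowCopy and Win32_Volume CIM classes, which are present on all supported Windows versions.

```powershell
# Added example, not from the original article: list every Volume Shadow Copy
# on every volume so you can see whether any snapshot survived the attacker's
# "vssadmin delete shadows /all". Run in an elevated PowerShell on the affected
# machine (before any restart) or on the clean PC once the disk is attached.

# Map each volume GUID path (\\?\Volume{...}\) to its drive letter, if any.
$letters = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $letters[$_.DeviceID] = if ($_.DriveLetter) { $_.DriveLetter } else { '(no letter)' }
}

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) {
    Write-Host "No shadow copies survive on any volume."
} else {
    $shadows | ForEach-Object {
        [pscustomobject]@{
            Created      = $_.InstallDate
            Volume       = $letters[$_.VolumeName]
            # Looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            DeviceObject = $_.DeviceObject
        }
    } | Format-Table -AutoSize
}

# A snapshot only helps if its Created time is earlier than the ransom note's
# timestamp (compare with the note file's CreationTime). To browse a snapshot
# without altering it, expose it through a directory symbolic link; the trailing
# backslash on the device path is required, and <N> is a placeholder for the
# index shown in the table above:
#   cmd /c mklink /d C:\ShadowView \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<N>\
# Copy what you need from C:\ShadowView to a clean, empty USB drive, then:
#   cmd /c rmdir C:\ShadowView
```

The date check matters: Windows itself creates snapshots (before updates, for example), so a shadow copy dated after the attack contains encrypted files and is no use.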

Unencrypted originals in free space

Here's the mechanism most people don't know about: ransomware typically encrypts each file by creating an encrypted copy, then deleting the original. But deletion on a mechanical or SSD drive doesn't immediately destroy the data — it just marks the space as available. As long as nothing has been written to that location, the originals are recoverable.

This is exactly where data recovery software legitimately helps.

Application temp files

Office (Word, Excel) and Photoshop create temp files during editing (.tmp, .psb, .asd). These are frequently missed by ransomware because their extensions don't match primary encryption targets. A deep scan can find them.

How to use EaseUS

Connect the infected drive read-only to a clean PC (via USB, without letting Windows mount it in read-write mode). Launch EaseUS Data Recovery Wizard, select the drive, run a deep scan. The tool searches for deleted originals in free space, partial shadow copies, and intact temp files.

Preview the results before purchasing. If your critical files appear in the list, recovery is viable. If the drive has seen significant writes since the attack (multiple restarts, new installations), the odds decrease.
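"Read-only" in the step above has to be enforced before Windows sees the disk, otherwise the search indexer, thumbnail cache or antivirus can write to it on insertion and overwrite the very free space the deleted originals sit in. The following added example is not the article's or EaseUS's own procedure; it uses diskpart's SAN and automount policies plus Set-Disk on the clean PC, and the disk number 2 is an assumed value you replace with the one Get-Disk shows.

```powershell
# Added example, not the article's or EaseUS's own procedure: attach the
# encrypted drive to a clean Windows PC without letting Windows mount it
# read-write. Run from an elevated PowerShell BEFORE plugging the drive in.

# 1. Tell Windows to keep newly discovered disks offline and not to auto-mount
#    their volumes. Both settings persist until you reverse them (step 5).
$script = Join-Path $env:TEMP 'attach_readonly.txt'
Set-Content -Path $script -Value @(
    'san policy=offlineall',
    'automount disable'
)
diskpart /s $script

# 2. Now plug the drive in through the USB adapter and identify it by size and
#    model in this table. It should show IsOffline = True because of step 1.
Get-Disk | Select-Object Number, FriendlyName, Size, IsOffline, IsReadOnly |
    Format-Table -AutoSize

# 3. Flag the disk read-only FIRST, then bring it online so the recovery tool
#    can scan it. $diskNumber is an assumed value: take it from the table.
$diskNumber = 2
Set-Disk -Number $diskNumber -IsReadOnly $true
Set-Disk -Number $diskNumber -IsOffline $false

# 4. Verify before launching the scan: IsReadOnly must read True.
Get-Disk -Number $diskNumber | Select-Object Number, FriendlyName, IsReadOnly, IsOffline

# 5. When finished, restore the clean PC's normal behaviour:
#   Set-Content -Path $script -Value @('san policy=onlineall', 'automount enable')
#   diskpart /s $script
```

This is a software write block; it stops Windows and the recovery tool from writing, which is what the scan needs. A hardware write blocker is the stricter option if the drive may later matter as evidence.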

Editor's choice
4.5 / 5

Scan my drive with EaseUS Data Recovery Wizard

Founded in 2004 · 30-day guarantee · Free version 2 GB
See the offer

Cloud backups with versioning

If you were using OneDrive, Google Drive, Backblaze, or iDrive at the time of the attack, check your version history. These services typically retain 30 to 365 days of prior versions depending on your plan. The encrypted files were synced, but the previous unencrypted versions are accessible through the web interface.

FAQ

Should I pay the ransom?

No — not as a first step. The FBI, CISA, Europol, and NCSC all recommend against it. Fewer than 50% of victims who pay recover all their files. Payment funds future attacks and signals you as a reliable payer. Work through the free recovery options above first.

How do I prevent the next ransomware attack?

Effective protection comes down to three pillars:

  • Regular disconnected backups following the 3-2-1 rule — an external drive unplugged after every backup is immune to any ransomware.
  • Updates applied quickly — the majority of ransomware attacks exploit vulnerabilities known for over 90 days by the time of the attack.
  • Email caution — Office attachments with macros and fake "package tracking" links remain the dominant entry vectors.

Our 3-2-1 backup strategy guide shows you how to set this up for good.

My local backups are also encrypted. Is everything really gone?

Not necessarily. Check two things: first, cloud backups with versioning if you had one active (pre-encryption versions remain accessible via the web interface). Second, Windows Shadow Copies as described above. If both are unavailable and no decryptor exists, partial recovery through software is still possible for originals deleted before the encrypted copies were written.

Should I file a police report?

Yes, always. In the US: IC3.gov (FBI's Internet Crime Complaint Center). In the UK: actionfraud.police.uk. In France: cybermalveillance.gouv.fr or your local police station. These reports feed ongoing investigations and have directly contributed to server seizures that later unlocked free decryption keys — Hive, Ragnar Locker, and multiple Conti variants were taken down this way.


For a full breakdown of available decryptors and their success rates by strain, see our complete guide to decrypting ransomware without paying.
