
Recover files after a ransomware attack: 2026 methodology

What to do immediately after a ransomware attack: isolate, identify the strain, try free decryptors, restore from backup, EaseUS Data Recovery on shadow copies.

By Eric Gerard · Editor · Save My Disk

A full-screen message demands a bitcoin ransom, your documents carry a strange extension (.locked, .lockbit, .crypt), and your antivirus has shut off or been disabled. You're facing ransomware. The next few hours decide what you can recover.

This guide gathers the response methodology applied by CSIRTs and cyber insurers in 2026, adapted to the personal case (a single workstation, not a corporate information system).

Phase 1 — Isolate immediately (first 5 minutes)

Don't try to understand it right away. The ransomware is probably still encrypting.

  1. Unplug the Ethernet cable and disable Wi-Fi (airplane mode).
  2. Remove all external drives and USB sticks. Modern ransomware (Conti, LockBit, BlackCat) actively targets connected media.
  3. If you're on a shared network (NAS, Windows share), warn other users and disconnect them too. Ransomware can spread over SMB.
  4. Don't hard-power-off the PC. Memory may still hold the encryption key, which some forensic tools can extract.

At this stage, active encryption stops (ransomware needs network or disk to continue). Take a breath.

Phase 2 — Document for complaint and decryptors

With another device (phone, second PC), build an evidence file:

  • Photo of the ransom screen.
  • The filename of the note left by the attackers (often README.txt, HOW_TO_DECRYPT.html, etc.) and its full content.
  • Note the extension added to encrypted files (.locked, .lockbit3, .crypt, etc.).
  • Approximate discovery time.
  • List of programs that were running just before.
  • Probable origin (email attachment, suspicious link, cracked software update).

These elements support the complaint (required to activate cyber insurance) and strain identification.

Phase 3 — Identify the strain

On the other device, go to id-ransomware.malwarehunterteam.com (a project maintained by Michael Gillespie since 2016). Upload an encrypted file together with the ransom note. The tool recognizes most strains within seconds.

Once identified, check for a free decryptor on No More Ransom — joint initiative by Europol, the Dutch National Police and several antivirus vendors. The database covers more than 200 strains in 2026, including some widespread families (Phobos, STOP/Djvu — partially, Avaddon, REvil).

If a decryptor exists, follow its instructions to the letter and test it first on a copy of an encrypted file (never on the original).

Phase 4 — Restore from a clean backup

This is the most reliable recovery path, provided you had a backup.

Case 1 — Cloud backup with versioning

OneDrive, Google Drive, Dropbox, Backblaze, IDrive and equivalents keep earlier versions of files. Concretely:

  • OneDrive: web → file → three-dot menu → Version history. Lets you restore the version saved before encryption.
  • Google Drive: web → file → right-click → Manage versions.
  • Backblaze Computer Backup: web interface → Restore button → pick a pre-attack date.
  • iCloud: limited, doesn't store all versions; check the iCloud Drive website.

Restore file by file or in bulk via the services' APIs. Do not reconnect the infected machine to your cloud account until it's cleaned.

Case 2 — Local backup (external drive / NAS)

If you had unplugged the drive between backups, it's likely safe. To check:

  1. On another clean PC, plug the drive in read-only (USB reader with write-protect switch if possible).
  2. Open recent files — if they open normally, the backup is intact.
  3. Wipe and clean-reinstall the OS on the infected PC.
  4. Restore from backup once the OS is rebuilt.

If the external drive was connected during the attack, treat it as potentially encrypted. Scan its content — recent files will likely carry the same extension.
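One way to run that scan, as an added example that is not part of the original article: a read-only Python triage of a mounted drive that flags files by the extensions the article quotes, by ransom note names, and by byte entropy. The extension and note lists, the 7.5 bits/byte threshold and the 64 KiB sample size are assumptions for the demonstration.

```python
import math
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

# Extensions and note names quoted in the article; extend with what your own
# ransom note shows (constructed lists, not exhaustive).
RANSOM_EXTS = {".locked", ".lockbit", ".lockbit3", ".crypt"}
RANSOM_NOTES = {"readme.txt", "how_to_decrypt.html"}
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0, documents far lower

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_file(path: Path, sample_size: int = 64 * 1024) -> dict:
    """Read-only look at one file: name, mtime and entropy of its first bytes."""
    with path.open("rb") as fh:
        sample = fh.read(sample_size)
    ent = shannon_entropy(sample)
    return {
        "path": str(path),
        "mtime": datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc),
        "ransom_note": path.name.lower() in RANSOM_NOTES,
        "ransom_ext": path.suffix.lower() in RANSOM_EXTS,
        # Compressed formats (.zip, .jpg) also score high: entropy is only a hint.
        "high_entropy": ent >= ENTROPY_THRESHOLD,
        "entropy": round(ent, 2),
    }

def triage(root: Path) -> dict:
    """Walk `root` without writing to it; bucket files for the evidence file."""
    report = {"encrypted": [], "notes": [], "clean": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            info = classify_file(Path(dirpath) / name)
            bucket = ("notes" if info["ransom_note"] else "encrypted"
                      if info["ransom_ext"] or info["high_entropy"] else "clean")
            report[bucket].append(info)
    return report

if __name__ == "__main__":
    rep = triage(Path(sys.argv[1]))  # mounted backup or infected drive, read-only
    print({k: len(v) for k, v in rep.items()})
```

The mtime of the files in the "encrypted" bucket gives the window the attack ran in, which is the "date prior to infection" you filter on later.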

Phase 5 — Recover shadow copies and residual files

Without backup and without decryptor, two paths remain:

Windows shadow copies

Windows sometimes creates shadow copies (volume snapshots), which ransomware tries to delete with vssadmin delete shadows /all. But many strains miss some partitions or are interrupted before finishing.

To check:

  1. Open an administrator command prompt and run vssadmin list shadows. If it lists copies, there's hope.
  2. Use ShadowExplorer (free, open source) or EaseUS Data Recovery Wizard to browse shadow copies and restore pre-infection files.
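A helper for reading that listing, added here and not the article's own code: it parses the blocks that vssadmin list shadows prints (en-US date format assumed) over a constructed, abridged sample, and keeps only the snapshots taken before the infection time noted in Phase 2. Set IDs, dates and device numbers in the sample are made up.

```python
import re
from datetime import datetime

# Constructed, abridged sample of `vssadmin list shadows` output (en-US locale);
# set IDs, dates and device numbers are made up for this demonstration.
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {11111111-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 3/12/2026 8:15:02 AM
      Shadow Copy ID: {22222222-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{33333333-0000-4000-8000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {11111111-0000-4000-8000-000000000004}
   Contained 1 shadow copies at creation time: 3/14/2026 9:40:11 PM
      Shadow Copy ID: {22222222-0000-4000-8000-000000000005}
         Original Volume: (C:)\\?\Volume{33333333-0000-4000-8000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""

TIME_RE = re.compile(r"creation time:\s*(.+?)\s*$")
ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
VOL_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
DEV_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")

def parse_vssadmin(text: str) -> list:
    """Turn vssadmin's indented blocks into one dict per shadow copy."""
    shadows, current, created = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TIME_RE.search(line):
            # vssadmin prints dates in the system locale; en-US is assumed here.
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        elif m := ID_RE.search(line):
            current = {"id": m.group(1), "created": created, "volume": None, "device": None}
            shadows.append(current)
        elif current and (m := VOL_RE.search(line)):
            current["volume"] = m.group(1)
        elif current and (m := DEV_RE.search(line)):
            current["device"] = m.group(1)  # the read-only view tools browse
    return shadows

def usable_before(shadows: list, infection_time: datetime) -> list:
    """Snapshots taken before the attack, newest first: they hold clean files."""
    clean = [s for s in shadows if s["created"] and s["created"] < infection_time]
    return sorted(clean, key=lambda s: s["created"], reverse=True)

if __name__ == "__main__":
    for s in usable_before(parse_vssadmin(SAMPLE_VSSADMIN), datetime(2026, 3, 14, 18, 0)):
        print(s["created"], s["volume"], s["device"])
```

The Shadow Copy Volume path, with a trailing backslash added, is the same snapshot ShadowExplorer browses; a snapshot created after the infection time only holds already-encrypted files.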

Recovery of temp files and binary signatures

EaseUS Data Recovery Wizard can also scan free disk sectors for unencrypted fragments: Office .tmp files, Adobe autosaves, Photoshop scratch (.psb), photo EXIF thumbnails.

Procedure:

  1. Install EaseUS Data Recovery Wizard on a USB stick or another PC (not on the infected system).
  2. Plug the infected drive in read-only on the clean PC (or boot from a recovery live USB).
  3. Run a deep scan.
  4. Filter by file type (.docx, .jpg, .xlsx) and by date prior to infection.
  5. Restore to a clean drive.

Across the last six cases documented by the support community, this method recovered 15 to 40 % of content: not ideal, but often better than zero.


Phase 6 — Reporting, notification and hardening

File a complaint

GDPR notification

If you process third-party personal data (clients, employees, contacts), a GDPR notification within 72 hours is mandatory if a leak is probable. In France, file with the CNIL.

Rebuild and harden

After the incident, never reconnect an infected system without a clean reinstall. And before putting it back into service:

  • OS patches up to date, EDR up to date.
  • 3-2-1 backups strictly enforced, including an immutable off-site copy.
  • Multi-factor authentication everywhere (mail, cloud, remote access).
  • Office macros disabled by default.
  • Risky extensions (.exe, .scr, .js, .vbs, .iso, .img) filtered at the mail gateway.

See our Automatic backup Windows / Mac 2026 guide for setting up a ransomware-resistant backup strategy.

Don't pay: why

Authorities (ANSSI, FBI, CISA, Europol) unanimously advise against paying. Reasons:

  • No recovery guarantee: 1 victim in 4 doesn't receive a working key after payment (Sophos State of Ransomware 2024).
  • Cybercrime funding: your payment funds the next campaign.
  • Marked as a profitable target: actors share lists of victims who paid, and re-infection within 18 months is frequent.
  • Sanctions: paying certain groups (on OFAC, EU, UN lists) can constitute an offense.

Right reflex: restore from backup or decryptor, harden, learn the lessons.

Resources
