
Ransomware Recovery Guide: From Attack to Full Restoration

Ransomware recovery isn't a single decision — it's a critical sequence of actions that begins the moment you discover encrypted files and doesn't end until your network is fortified. Based on insights from over 1,000 incident response cases, this guide walks you through the exact steps needed to contain the threat, identify your options, and restore your business operations safely.

The First 5 Minutes: Stop the Bleeding

When ransomware hits, panic often leads to classic mistakes — frantically Googling on the infected machine, restarting the computer in hopes of a quick fix, or spending 20 minutes explaining the situation instead of acting. Here is the standard incident response protocol you should follow immediately:

Disconnect from the network immediately. Unplug the ethernet cable and disable Wi-Fi. Modern ransomware can encrypt offline, but disconnecting stops the malware from spreading laterally across your network and prevents attackers from exfiltrating your sensitive data for double extortion.

Unplug every external drive. USB drives, external hard drives, and mapped NAS devices are prime targets. If it's plugged in, the ransomware will attempt to encrypt it.

Hibernate or Pull the Plug (Do NOT leave it running). This is critical. Leaving the computer running normally means encryption continues to destroy your files. If you are an IT professional, put the machine into Hibernation. This saves RAM to disk (preserving potential encryption keys for forensic analysis) while stopping the encryption process. If you do not know how to hibernate, pull the power plug immediately. Stopping the active destruction of your hard drive is far more important than theoretical RAM forensics.

Photograph your screen. Don't use keyboard shortcuts to screenshot — use your smartphone. Capture the ransom note and the changed desktop wallpaper. These contain variant identifiers crucial for your recovery strategy.

(For a more detailed emergency checklist, see our ransomware emergency: 5 steps to take right now.)

Identifying What You're Dealing With

The encrypted file extension offers immediate clues about your attacker. Look at one of your affected files to see its new extension:

  • .lockbit or .lockbit3 → LockBit family (highly active enterprise threat)
  • .phobos → Phobos family (common in SMB RDP compromises)
  • .locky, .zepto, .odin → Locky family (learn more about Locky recovery)
  • .blackcat → BlackCat/ALPHV (sophisticated, modern threat)
  • .encrypted, .locked, .crypt → generic extensions requiring deeper analysis

Next step: go to ID Ransomware on a clean, safe device. Upload one small encrypted file and the ransom note text. The system will identify the specific strain within seconds — this is the crucial first step that unlocks all your recovery options.
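To turn the extension lookup above into a quick triage of a whole directory tree (run on a copy or a mounted image, never on the live infected host), here is an added example that is not part of the original guide. It uses the guide's own extension-to-family list, ignores everyday document extensions, and reports the dominant suspicious extension; the sample tree it builds is constructed, and the ransom note filename in it is a placeholder.

```python
"""Triage a copied/mounted directory tree for ransomware-encrypted files.
Added example (not the guide's own tool): maps the extensions the guide
lists to families and flags anything unmapped for ID Ransomware."""
import tempfile
from pathlib import Path

# Extension -> family, from the list in the guide; 'generic' needs deeper analysis.
KNOWN = {".lockbit": "LockBit", ".lockbit3": "LockBit", ".phobos": "Phobos",
         ".locky": "Locky", ".zepto": "Locky", ".odin": "Locky",
         ".blackcat": "BlackCat/ALPHV",
         ".encrypted": "generic", ".locked": "generic", ".crypt": "generic"}
# Everyday extensions; a dominant extension outside this set is suspicious.
BENIGN = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}

def tally(root):
    """Count the last extension of every regular file under root (lower-cased).
    Encrypted files usually keep their old extension and gain a new suffix,
    so 'q1.xlsx.lockbit' counts as '.lockbit'."""
    counts = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            ext = p.suffix.lower()
            counts[ext] = counts.get(ext, 0) + 1
    return counts

def classify(counts, min_hits=3):
    """Pick the most frequent non-benign extension; return (ext, family, n) or None.
    min_hits ignores a stray odd file so one renamed document is not an 'attack'."""
    ranked = sorted(((n, e) for e, n in counts.items() if e and e not in BENIGN),
                    reverse=True)
    if not ranked or ranked[0][0] < min_hits:
        return None
    n, ext = ranked[0]
    return ext, KNOWN.get(ext, "unknown: submit a sample to ID Ransomware"), n

def build_sample_tree(root):
    """Constructed sample: three LockBit-style files, one untouched file and a
    note (placeholder filename, not a real variant's note name)."""
    for name in ["q1.xlsx.lockbit", "board.docx.lockbit", "logo.png.lockbit",
                 "notes.txt", "ransom_note_placeholder.txt"]:
        (Path(root) / name).write_bytes(b"x")

def triage_sample():
    """Run the whole pipeline on the constructed sample tree."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return classify(tally(d))

if __name__ == "__main__":
    print(triage_sample())  # ('.lockbit', 'LockBit', 3)
```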

Free Recovery Options — Try These First

While free tools may not crack the newest strains, skipping them is a mistake. Law enforcement frequently seizes attacker servers and releases decryption keys to the public. Here's the full toolkit:

NoMoreRansom.org

The most comprehensive free resource. Backed by Europol, FBI, and major security vendors. Covers 100+ ransomware families, updated regularly as law enforcement operations yield new keys.

  1. Visit nomoreransom.org
  2. Click "Crypto Sheriff" → upload encrypted file + ransom note
  3. If matched, download the free decryptor
  4. Run it on a safely isolated machine

Emsisoft Free Decryptors

An independent security company that maintains free tools for 150+ strains. Worth checking separately — their coverage overlaps with NoMoreRansom but includes unique tools.

emsisoft.com/en/home/decryptor

Windows Shadow Copies (Quick Check — Takes 30 Seconds)

Ransomware often attempts to delete these automatic file snapshots, but the deletion sometimes fails — especially if the infection was interrupted early. Worth a look.

Right-click an encrypted file → Properties → Previous Versions tab. If you see versions with dates before the attack, you may be able to restore directly.

System Restore

If System Protection was enabled before the attack and the ransomware didn't disable it:

Search "Create a restore point" in Windows → System Restore → choose a date before infection.

Limitation: This restores system files, not necessarily your data. But it can remove the ransomware itself, which matters for the rebuilding stage.

When Free Tools Don't Work

This is where many guides tell you to either give up or pay the ransom. Neither is the optimal business decision.

Here's the honest picture on paying: roughly 30% of victims who pay never receive working decryption tools. The criminals take the payment and send nothing, send broken tools, or provide only partial decryption. You've also confirmed to a criminal operation that you're a profitable target — expect to be hit again.

What professional ransomware recovery services actually do:

Contrary to what many assume, a legitimate recovery service doesn't just negotiate your ransom. The process:

  1. Analyze the specific malware variant for known implementation flaws
  2. Research vulnerabilities and proprietary forensic techniques
  3. Attempt technical decryption using specialist tools
  4. Recover deleted shadow backups from unallocated disk space
  5. Use forensic file carving and data fragment reassembly
  6. If all else fails — and only as an absolute last resort — assist with secure, compliant ransom negotiation

The success rate difference between paying ransom blindly (50-70%) and using professional services (85-98%) is substantial. Professional services also provide the forensic documentation required for cyber insurance claims and regulatory compliance.

What to look for in a recovery service:

  • Free assessment upfront (they'll tell you if recovery is possible before you pay)
  • No Data, No Fee guarantee (walk away if they demand payment before results)
  • Remote recovery capability (no reason to ship your device anywhere)
  • Clear communication about the specific strain and approach

Recovery Path: If You Have Clean Backups

First, verify they're actually clean. Were those drives connected or syncing during the attack? If yes, they may be encrypted too.

Once you've confirmed clean backups:

  1. Do NOT restore yet
  2. Clean the infected system completely first (see next section)
  3. Then restore from backup

Restoring to an infected system means your restored files get encrypted again immediately.

Rebuilding: The Only Safe Way Forward

Once your data is recovered — whether via backups, decryption, or forensics — you cannot simply drop the files back onto the compromised machine. Malware hides in registry keys and scheduled tasks, waiting to strike again.

The only truly reliable cleanup is a fresh Windows installation.

The Clean Slate Protocol:

  1. Back up all recovered data to a clean, isolated external drive
  2. Create a Windows installation USB from a completely different, safe computer
  3. Boot the infected machine from the USB → delete all partitions during setup → fresh install
  4. Install robust endpoint security software and update the OS before reconnecting to the network
  5. Restore your files from the clean backup
  6. Scan restored files before opening them

Change every password — email, admin accounts, banking, anything you accessed on that machine. Assume all credentials were compromised.

The 3-2-1 Backup Rule (Set This Up Before You Need It Again)

If ransomware taught you one thing, let it be this:

3 copies of your data
2 different storage types (e.g., external drive + cloud)
1 copy completely offline and air-gapped

The offline copy is what saves you. Cloud backups sync automatically — which means if ransomware encrypts your local files, it encrypts the synced cloud version too if you're not careful. An offline, air-gapped backup breaks that chain entirely.

Practical setup for a small business:

  • Daily: auto-backup to external drive (disconnect after backup completes)
  • Daily: backup to cloud (with versioning enabled)
  • Weekly: rotate a backup copy to a separate location

(For more on preventing the next attack, see our 9 ways to prevent ransomware.)

FAQ

Should I pay the ransom? It should be your absolute last resort. Beyond the ethical and legal implications, there is a ~30% failure rate — victims pay and receive nothing, or broken tools, or partial decryption. Always exhaust free tools, backup restoration, and professional forensic recovery first.

Can ransomware spread to other computers? Yes — aggressively. It seeks out shared network drives, mapped folders, and other devices on the same network. Immediate physical disconnection is your best defense. Alert your IT team immediately.

How long does professional ransomware recovery take? Common strains: 24-72 hours. Complex cases longer. You'll get a timeline estimate after free assessment.

Can I recover data without paying the ransom? In most cases, yes. While no one can guarantee 100% decryption of military-grade encryption without the key, professional recovery services can often maximize data restoration through proprietary forensics, vulnerability exploitation, and advanced backup recovery — saving clients from paying the ransom in the vast majority of viable cases.

Does cyber insurance cover ransomware? Most cyber policies do, but they require strict adherence to reporting windows and often mandate the use of approved forensic vendors. File your claim immediately — most policies have notification windows that can void coverage if missed.

Quick Reference: Free Decryption Resources

Resource        URL                                   Coverage & Purpose
NoMoreRansom    nomoreransom.org                      100+ strains (law enforcement backed)
Emsisoft        emsisoft.com/en/home/decryptor        150+ strains (independent security)
ID Ransomware   id-ransomware.malwarehunterteam.org   Identification only (crucial first step)
Kaspersky       noransom.kaspersky.com                50+ strains (enterprise tools)

Always run these tools on a safely isolated machine or consult with an IT professional if unsure.

Got a case that free tools can't solve?

Free assessment — we'll tell you exactly what you're dealing with and whether forensic recovery is viable before you pay anything. Based on 12 years of experience and 1,000+ ransomware recovery cases.

In most cases, we respond within 3 hours.