What to Do After a Ransomware Attack on Windows
My Technician
Windows 11 | Security | Data Recovery | Troubleshooting
The Problem
Files suddenly have strange extensions, desktop wallpaper demands payment, or apps will not open because documents are encrypted. Ransomware spreads fast across network shares and cloud sync folders. The goal is to stop the bleeding, preserve what you can recover, and avoid paying unless your organization has no other option and legal counsel approves.
Suspect malware but no ransom note yet? Start with remove virus or malware from Windows 11 before files are destroyed.
Symptoms
- README.txt or DECRYPT instructions on the desktop.
- Mass file renames (.locked, .encrypted, random IDs).
- Antivirus disabled and shadow copies deleted.
Immediate Actions (First Hour)
Step 1: Isolate the PC From the Network
- Unplug Ethernet or turn off Wi-Fi immediately—ransomware hunts mapped drives and OneDrive.
- Do not reboot yet if you might need memory forensics; home users can reboot into Safe Mode only after disconnecting.
- Tell anyone on the same network to disconnect shares to that PC.
Step 2: Do Not Pay Immediately
- Paying does not guarantee decryption and funds more attacks.
- Photograph the ransom note (phone camera) for IT or police reports—do not click links in the note on a clean machine.
- Check if it is scareware (fake lock screen)—see fake antivirus and scareware.
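Steps 1 and 2 as an added PowerShell triage script (not from the original article). It assumes you have already pulled the Ethernet cable as Step 1 says, that PowerShell is running as Administrator, and that an empty USB drive sits at the hypothetical path E:\ (edit $EvidenceRoot). It records the volatile state IT would want before any reboot (processes with command lines, the TCP table, mapped drives and shares, common persistence entries), keeps a text copy of the ransom note next to the photo, hashes the collection, and only then disables every remaining adapter so Wi-Fi and virtual adapters are down too.

```powershell
# Added example (not from the original article): record volatile evidence to a
# clean removable drive, keep a copy of the ransom note, then take every network
# adapter down. Assumptions: PowerShell 5.1 or later run as Administrator, and
# an empty USB drive at the hypothetical path E:\ (edit $EvidenceRoot).
param(
    [string]$EvidenceRoot = 'E:\ransomware-triage'
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

function Save-Csv {
    param([string]$Name, [object[]]$Rows)
    if (-not $Rows) { Write-Host "  ${Name}: nothing to record"; return }
    $Rows | Export-Csv -Path (Join-Path $out "$Name.csv") -NoTypeInformation -Encoding UTF8
}

# 1. Processes with command lines: the encryptor and its launcher are still
#    running, and the command line often reveals the staging folder.
Save-Csv 'processes' (Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine)

# 2. TCP table with the owning process: command-and-control and SMB spread.
Save-Csv 'tcp-connections' (Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess)

# 3. Mapped drives and local shares: the paths the article warns ransomware hunts.
Save-Csv 'smb-mappings' (Get-SmbMapping -ErrorAction SilentlyContinue)
Save-Csv 'smb-shares'   (Get-SmbShare   -ErrorAction SilentlyContinue)

# 4. Common persistence (scheduled tasks, Run keys) so the rebuild decision can be
#    made from the record instead of from the infected disk.
Save-Csv 'scheduled-tasks' (Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}
Save-Csv 'run-keys' $runEntries

# 5. Keep the ransom note text (README / DECRYPT names from the article) next to
#    the evidence; the photo the article recommends is still worth taking.
$desktop = [Environment]::GetFolderPath('Desktop')
Get-ChildItem -Path $desktop -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'README|DECRYPT' } |
    Copy-Item -Destination $out -ErrorAction SilentlyContinue

# 6. Hash the collection so it can later be shown to be unaltered.
Get-ChildItem -Path $out -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $out 'manifest-sha256.csv') -NoTypeInformation

# 7. Last, because it ends the capture: disable every adapter that is up, which
#    covers Wi-Fi and virtual adapters that pulling the Ethernet cable misses.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
Write-Host "Evidence written to $out; network adapters disabled. Do not reboot until IT has reviewed it."
```

Run it once, from the USB drive, before touching anything else on the PC; the manifest CSV is what lets a specialist or insurer trust the collected files later.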
Step 3: Identify the Scope
- List affected drives: local disks, USB, NAS, synced OneDrive / Google Drive folders.
- Pause cloud sync from another device’s web console so encrypted files do not overwrite good cloud copies.
- Note when symptoms started—helps find backups from before infection.
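Step 3 as an added PowerShell script (not from the original article). It walks every fixed, removable and mapped drive for renamed files, reports the earliest and latest encrypted write so you know which backups or version history predate the infection, and lists the mapped drives and sync folders the infection can travel along. The two suffixes come from the Symptoms list; the random-ID pattern and the Google Drive folder location are assumptions to adjust from the ransom note and your own client.

```powershell
# Added example (not from the original article): inventory encrypted files on
# every fixed, removable and mapped drive, find when encryption started (the
# cut-off for picking a backup), and list the sync and share paths it can
# travel along. Assumptions: elevated session on the already isolated PC; the
# suffix list and the random-ID pattern are starting points, not a complete list.
param(
    [string[]]$KnownSuffixes = @('.locked', '.encrypted'),   # the two named in the article
    [string]$Report = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'ransomware-scope.csv')
)

# Heuristic for "random ID" renames such as report.docx.k3x9q2: a 6+ character
# alphanumeric extension appended behind an ordinary 2-5 character one.
function Test-EncryptedName([System.IO.FileInfo]$File) {
    if ($File.Extension -in $KnownSuffixes) { return $true }
    return ($File.Extension -match '^\.[A-Za-z0-9]{6,}$' -and
            $File.BaseName  -match '\.[A-Za-z0-9]{2,5}$')
}

# Drive roots from Win32_LogicalDisk: DriveType 2 = removable, 3 = fixed, 4 = network.
$roots = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -in @(2, 3, 4) } |
    ForEach-Object { $_.DeviceID + '\' }

$skip = '^' + [regex]::Escape($env:SystemRoot)   # skip the OS folder; it is not user data
$hits = @(foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch $skip -and (Test-EncryptedName $_) } |
        Select-Object FullName, Extension, Length, LastWriteTime
})

if ($hits.Count -eq 0) {
    Write-Host 'No matches. Add the suffix shown in the ransom note to -KnownSuffixes and rerun.'
    return
}

$hits | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
$sorted = @($hits | Sort-Object LastWriteTime)

Write-Host "Encrypted files : $($hits.Count)  (list in $Report)"
Write-Host "First write     : $($sorted[0].LastWriteTime)  <- restore only backups/versions older than this"
Write-Host "Last write      : $($sorted[-1].LastWriteTime)"
Write-Host 'By drive:'
$hits | Group-Object { $_.FullName.Substring(0, 2) } | Sort-Object Count -Descending |
    ForEach-Object { Write-Host ('  {0,-6} {1,8}' -f $_.Name, $_.Count) }
Write-Host 'By extension (top 10):'
$hits | Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { Write-Host ('  {0,-16} {1,8}' -f $_.Name, $_.Count) }

# Spread paths the article says to disconnect or pause (Steps 1 and 3). The
# Google Drive folder location is an assumption; adjust for your client.
Write-Host 'Spread paths:'
Get-SmbMapping -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "  mapped  $($_.LocalPath) -> $($_.RemotePath)" }
foreach ($sync in @($env:OneDrive, $env:OneDriveCommercial, "$env:USERPROFILE\Google Drive")) {
    if ($sync -and (Test-Path $sync)) {
        $n = @($hits | Where-Object { $_.FullName -like "$sync\*" }).Count
        Write-Host "  sync    $sync  ($n encrypted files inside: pause sync before they upload)"
    }
}
```

The "First write" value is the one to carry into Step 4: a backup or cloud version taken after it is suspect. The count of encrypted files inside a sync folder tells you how urgently to pause that service from another device.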
Recovery and Cleanup
Step 4: Recover From Backups (Best Outcome)
- Restore from an offline backup (external drive disconnected during attack) or cloud version history before the infection time.
- Follow Windows Backup and File History and automatic backups after cleanup.
- Never restore backups while the PC is still infected—you will re-encrypt them.
Step 5: Scan and Rebuild the System
- Boot Safe Mode or use another PC to run Microsoft Defender Offline scan.
- If encryption is widespread, wiping and reinstalling Windows is often faster than chasing every persistence key—see clean install Windows 11. Use reinstall without losing data only if you have uninfected copies of your files elsewhere.
- Change all passwords from a clean device—email, banking, Microsoft account—attackers often steal credentials first.
Step 6: Decryptors and Professional Help
- Check No More Ransom (nomoreransom.org) for free decryptors for known families—only from that official project.
- Businesses: involve incident response, legal, and cyber insurance; preserve disks for specialists.
- For partially recoverable files, recover deleted files helps only if shadow copies or unencrypted copies still exist—encrypted files without keys are generally not recoverable.
Prevent Repeat Attacks
- Enable BitLocker on laptops, keep Windows updated safely, and train on phishing and fake downloads.
- Before selling a PC, wipe it properly so old data and malware do not spread.
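A final readiness check for Steps 5 through 7 as an added PowerShell script (not from the original article). Before the rebuilt PC is reconnected or backups are restored to it, it confirms the safeguards this article relies on: Defender running with current signatures and no active threats, shadow copies available for next time, BitLocker on every volume, and no pending Windows updates. It assumes an elevated session on Windows 10/11 with Defender, BitLocker and the Windows Update COM API present; the one-day signature threshold is an assumption.

```powershell
# Added example (not from the original article): check a rebuilt PC against the
# safeguards the article relies on (Defender on with current signatures, no active
# threats, shadow copies available, BitLocker on, no pending updates) before it is
# reconnected or backups are restored to it. Assumptions: elevated session,
# Windows 10/11 with Defender, BitLocker and the Windows Update COM API present;
# the thresholds below are assumptions.
function Get-RecoveryPosture {
    $mp      = Get-MpComputerStatus
    $threats = @(Get-MpThreat -ErrorAction SilentlyContinue | Where-Object { $_.IsActive })
    $shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $bde     = @(Get-BitLockerVolume -ErrorAction SilentlyContinue)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count

    [pscustomobject]@{
        AntivirusEnabled   = [bool]$mp.AntivirusEnabled
        RealTimeProtection = [bool]$mp.RealTimeProtectionEnabled
        SignatureAgeDays   = [int]$mp.AntivirusSignatureAge
        ActiveThreats      = $threats.Count
        ShadowCopies       = $shadows.Count
        UnprotectedVolumes = @($bde | Where-Object { $_.ProtectionStatus -ne 'On' } |
                               ForEach-Object { $_.MountPoint }) -join ', '
        PendingUpdates     = [int]$pending
    }
}

# Turns the posture into a list of failed checks; an empty list means ready.
function Test-RecoveryPosture([pscustomobject]$p) {
    $fail = @()
    if (-not $p.AntivirusEnabled -or -not $p.RealTimeProtection) {
        $fail += 'Defender real-time protection is off'
    }
    if ($p.SignatureAgeDays -gt 1) {
        $fail += "Defender signatures are $($p.SignatureAgeDays) days old; update before scanning"
    }
    if ($p.ActiveThreats -gt 0) {
        $fail += "$($p.ActiveThreats) active threat(s) still reported; do not restore backups yet"
    }
    if ($p.ShadowCopies -eq 0) {
        $fail += 'No shadow copies: Previous Versions cannot help; turn on System Protection for next time'
    }
    if ($p.UnprotectedVolumes) {
        $fail += "BitLocker is off on: $($p.UnprotectedVolumes)"
    }
    if ($p.PendingUpdates -gt 0) {
        $fail += "$($p.PendingUpdates) Windows update(s) pending"
    }
    return $fail
}

$posture = Get-RecoveryPosture
$posture | Format-List | Out-Host
$failed  = @(Test-RecoveryPosture $posture)
if ($failed.Count -eq 0) { Write-Host 'READY: all checks passed.' }
else { $failed | ForEach-Object { Write-Host "FAIL: $_" } }
```

Treat any FAIL line about active threats as a hard stop for Step 4: restoring backups onto a PC that still reports a threat is exactly the re-encryption the article warns about.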