Recovering from Encrypting Ransomware

Ransomware is a type of malicious software that either threatens to publish your information or encrypts data and blocks access until a ransom is paid. Most likely your device was infected after clicking a malicious link or opening an infected attachment.

Ransomware is popular with cyber criminals because many people are willing to pay to recover their photos and files, and because the cryptocurrencies (such as Bitcoin) used to take payment are difficult to trace.

Encrypting ransomware is the most common and most harmful type of ransomware. With this type you can browse the folders and applications on your device and see your files, but you can’t open them. Often the names of the files have been altered and there is a new file or message which includes a ransom note.

Encrypting ransomware - Do this First!

Before we start trying to remove the ransomware and give you back access to your files it is important to do the following:

  1. Disconnect your device from all other devices and the internet to stop the infection spreading any further. Unplug all other devices such as external hard drives and USBs. Disconnect from the wireless or wired internet connection.

  2. Use a camera or a smartphone to take a picture of the ransom note. This will make sure you have a copy should you have any issues further down the line and will help when reporting the crime to the police.

Am I going to get my data back? 

Maybe. There are a number of things we can try to recover your files. However, there is no guarantee that you will be able to beat the ransomware.

One thing to consider is that even if you can’t get your files back right now, it may become possible in future. Cyber experts in the law enforcement and cyber security community often break the code and then share the unlock password, but this can take weeks or months.

Should I Pay the Ransom? 

Our advice is not to pay the ransom, but this is a tricky area. Paying the ransom funds the criminals and perpetuates ransomware as a form of cyber attack. There is also no guarantee that you will receive the information you need to decrypt your files and once a criminal knows you are good for money you become a future target. 

However, when you need to recover legal, medical or business records, precious family photos or other important files, paying $300 or so looks like a viable option — and most ransomware criminals do unlock the files after ransoms have been paid. So we’d rather stay neutral on the subject of whether paying ransoms is advisable or morally acceptable.

However, as the quote above shows there may be a real need to pay the ransom and take the chance on getting access to your files back. This is a personal decision and will depend on your financial circumstances and the value of the data that is encrypted. Think on this carefully before you start trying the steps below. 

Approaches to Removing Encrypting Ransomware

Depending on the type of ransomware you have there are a number of different ways to try and get your files decrypted. Follow the steps below and stop once you have recovered your files. If you don’t feel confident performing the steps below get help from someone with more IT experience.

In the majority of steps below you will need to use an anti-virus solution to remove the malware from your device. If you don’t have an anti-virus tool on your device then you can download one and scan the device. You may have to start a Windows device in Safe Mode to do this (Safe Mode limits what runs on the computer when it starts, so the ransomware will not function).

Note that removing the ransomware will not decrypt the files and once you remove the ransomware you may remove the ability to pay the ransom and recover your files. Only remove the ransomware if you are confident you can get your files back or you are determined not to pay the ransom.

  1. Identify the ransomware type and see if a free unlock key is available – go to the website and follow the steps outlined by the Crypto Sheriff tool. It will ask you to upload two files from your device to the site and it will try and identify the ransomware type. If Crypto Sheriff can identify the ransomware and an unlock key is available it will provide you with the key and a set of instructions.

  2. Recover deleted files – the majority of encrypting ransomware types take a copy of your files, encrypt the copies and then delete the originals. You may be able to recover the deleted (unencrypted) files using an online tool (many are available just Google: ‘tool recover deleted files’).

  3. Restore your files from a back-up – If you have a recent back-up of your device it is great news, but you need to check the ransomware hasn’t also encrypted the back-up files. Check the files on your back-up hard drive or online back-up tool from a different machine and make sure they are unencrypted. To ensure you leave no trace of the ransomware you want to fully wipe the drive, reinstall the operating system (the software that runs your machine – Windows 10, macOS High Sierra etc.) and then restore the files from back-up (make sure you have the licence keys for software like Microsoft Office etc. before you wipe the drive).

  4. Contact the criminals – If none of the above works and you REALLY need your files back then paying the ransom may be an option for you. The ransom note typically includes an email address for communication. Get in touch and negotiate. Some criminals will take a lower price. However, this really is a last resort and if the files are not time critical then waiting for a free decryption key to become available on may be a good option.

  5. Start again by reinstalling the operating system – if you have nothing of value on the device or you have given up on getting your files back you can start again. Use the 'Factory Reset' feature if available or wipe the disk and reinstall the operating system.
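For the back-up check in step 3, the script below is an added example, not part of the original guide: it flags back-up files that no longer look like the format their name claims. The signature table, the 7.5 bits-per-byte entropy threshold, the `.locked` extension and all sample files are assumptions constructed for illustration; run it from a clean machine against the back-up folder.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading "magic" bytes of a few common formats (small, incomplete table).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-",
         ".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_file(path: Path, sample: int = 65536) -> str:
    """Classify one back-up file as 'ok', 'suspect' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None:
        # Known type: an intact file must start with its format signature.
        return "ok" if head.startswith(magic) else "suspect"
    # Unknown or renamed extension: near-random content is only a hint,
    # because compressed files (video, archives) also score high.
    if len(head) >= 4096 and entropy(head) > 7.5:
        return "suspect"
    return "unknown"

def scan_backup(root) -> dict:
    """Map each file under root (relative path) to its classification."""
    root = Path(root)
    return {str(p.relative_to(root)): check_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def demo() -> dict:
    """Run the scan over constructed sample files in a temporary folder."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(8192))  # stands in for ciphertext
    with tempfile.TemporaryDirectory() as d:
        Path(d, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
        Path(d, "report.pdf").write_bytes(noise)             # header destroyed
        Path(d, "holiday.jpg.locked").write_bytes(noise)     # constructed extension
        Path(d, "notes.txt").write_bytes(b"hello" * 1000)
        return scan_backup(d)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

A 'suspect' result means the file should be opened and checked by hand before you rely on the back-up; 'unknown' means the script has no signature for that file type and its contents do not look random.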

Report the Crime

If you are in England, Wales or Northern Ireland you should report all cyber crime to Action Fraud. In Scotland, you can see details of reporting to Police Scotland here.

How Do I Avoid Being Infected with Encrypting Ransomware Again?

  1. Back-Up – having a back-up copy of your files is the best way to beat ransomware. Get an external hard drive and do a regular back-up of your device. Disconnect the external drive after use to make sure it doesn’t get infected too. It is also worth using a cloud service that automatically backs up your files.

  2. Use a good antivirus solution – this will stop the majority of old versions of ransomware and give you an option to remove quickly if new ransomware gets through.

  3. Do your updates ASAP – when software updates are available do them as quickly as possible. If possible turn on automatic updates. The majority of these updates include security fixes that may stop or limit ransomware.

  4. Trust no one – be extremely careful about clicking links or opening attachments in your email or any other messaging platform. Legitimate email accounts can be hacked and used to send malicious messages and emails can be designed to look exactly like they are from your bank, shop, account etc. Get Safe Online has a good overview of email security here.


To help people like you we rely 100% on donations from people like you.

Without donations we cannot keep our service free and provide help to the most vulnerable victims of cyber crime when they need it most. As a not-for-profit organisation, 100% of your donation goes towards keeping The Cyber Helpline up and running - so 100% goes towards helping people like you. Donate now and help us support victims of cyber crime. 
