Recover From a Ransomware Infection on Windows
There are three possible recovery paths. Try them in this order.
Before you start
Do not pay the ransom. There is no guarantee you'll get a working decryptor, paying funds further attacks, and many countries treat payments to sanctioned groups as a crime.
Do not delete the ransom note — you'll need it for identification and decryptors.
Step 1: Isolate
Disconnect the PC from every network: Wi-Fi off, Ethernet unplugged, Bluetooth off.
Disconnect every external drive, USB stick and phone. Some ransomware families spread to backups still plugged in.
If other devices share the same network (work file server, NAS), disconnect them too.
Step 2: Try a free decryptor
On a different device, identify the family at id-ransomware.malwarehunterteam.com, then check nomoreransom.org for a free decryptor for that family.
If a decryptor exists, follow its instructions exactly. Most are run from a clean PC against the encrypted files copied off the infected drive.
If id-ransomware says the family is unknown or the decryptor will not work, move on to Step 3 — do not waste days waiting for a fix that may never come.
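As an added example (not part of the original guide), this PowerShell script helps gather what ID Ransomware asks for. Run it on a clean PC against a copy of the encrypted files, not on the infected machine: it tallies file extensions so the one the ransomware added stands out, lists likely ransom notes, and copies one note plus one small encrypted sample into an upload folder. The -Root, -OutDir and -EncryptedExt values are assumptions; do not open the copied note if it is an .hta or .html file.

```powershell
# Added example, not code from the original guide. Assumes the infected
# drive's files were copied to $Root on a CLEAN PC. Paths are placeholders.
param(
    [string]$Root = 'E:\CopiedFiles',
    [string]$OutDir = "$env:USERPROFILE\Desktop\ransomware-samples",
    # Leave empty on the first run; fill in after reading the extension table.
    [string]$EncryptedExt = ''
)

$files = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue

# 1. Count extensions. The extension the ransomware appended is usually
#    new to you and appears on most of the files.
Write-Host "Most common extensions under $Root (look for one you do not recognise):"
$files | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# 2. Candidate ransom notes: small text/HTML files with typical names.
#    -match is case-insensitive in PowerShell by default.
$notePattern = 'readme|decrypt|restore|recover|how_to|ransom|help'
$notes = $files | Where-Object {
    $_.Name -match $notePattern -and
    $_.Extension -in '.txt', '.html', '.hta' -and
    $_.Length -lt 64KB
}
Write-Host "Candidate ransom notes:"
$notes | Select-Object -First 5 FullName, Length | Format-Table -AutoSize

# 3. Collect one note and one encrypted sample for upload.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$note = $notes | Select-Object -First 1
if ($note) { Copy-Item -Path $note.FullName -Destination $OutDir }

if ($EncryptedExt) {
    # ID Ransomware only needs a small sample; pick the first file under 1 MB.
    $sample = $files | Where-Object { $_.Extension -eq $EncryptedExt -and $_.Length -lt 1MB } |
        Select-Object -First 1
    if ($sample) { Copy-Item -Path $sample.FullName -Destination $OutDir }
    else { Write-Warning "No file with extension $EncryptedExt found under $Root" }
} else {
    Write-Host 'Re-run with -EncryptedExt <ext> once you have identified it in the table above.'
}

Write-Host "Upload the contents of $OutDir to id-ransomware.malwarehunterteam.com"
```

Run it once to read the extension table, then again with -EncryptedExt set to the unfamiliar extension so the sample is collected alongside the note.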
Step 3: Restore from a clean backup
If you have a backup from before the infection — OneDrive Version History, Google Drive, an external drive that was unplugged at the time, Windows File History — you can recover.
Wipe and reinstall Windows first (Step 4), then restore the files. Do not restore onto the still-infected system.
Step 4: Clean reinstall of Windows
Download the Windows Media Creation Tool from microsoft.com on a different PC and create a USB installer.
Boot from the USB, choose Custom install, delete every partition on the system drive, and install fresh.
Reinstall apps from official sources only.
A factory reset from within Windows may not be enough — some ransomware infects the recovery partition. A USB install over a wiped drive is the safest reset.
Step 5: Restore your data, then re-secure
Once Windows is reinstalled and updated, restore your files from your clean backup.
Follow the Lock down Windows guide and the Standard user account guide before going back to normal use.
Step 6: Report it
Australia: ReportCyber at cyber.gov.au/report.
UK: Action Fraud at actionfraud.police.uk.
US: FBI IC3 at ic3.gov.
If you have cyber insurance, contact your insurer before doing anything irreversible — they may have an incident-response team they want to send in.