Should I pay the ransom?

No, not as a first move. French (ANSSI, judicial police), US (FBI, CISA) and European (Europol) authorities all advise against paying. Payment doesn't guarantee recovery, funds cybercrime, and marks the victim as profitable for future attacks. Several strains have free decryptors on No More Ransom.

How much time do I have to react?

The faster you cut propagation, the better. Many ransomware encrypts in cascade — first local files, then network shares, then connected backups. Disconnect the network and external drives within minutes of discovery.

My local backups are also encrypted, what now?

Most common scenario — modern ransomware actively targets connected backup drives. Check whether you had a cloud backup with versioning (OneDrive, Backblaze, iDrive): versions prior to encryption are recoverable. Otherwise, hunt for Windows shadow copies not yet destroyed.

How do I identify the ransomware strain?

Note the extension added to encrypted files (e.g. .locked, .crypt, .lockbit) and the README content left by the attackers. Upload an encrypted file + the README to ID Ransomware (id-ransomware.malwarehunterteam.com) — its database recognizes most strains in seconds.

Can recovery software decrypt my files?

No — recovery software doesn't decrypt. What EaseUS Data Recovery can do: find unencrypted copies still present in the disk's free space, in shadow copies, or in temporary files (Office .tmp, Photoshop .psb).

Should I file a complaint?

Yes, always. France: police station or online at cybermalveillance.gouv.fr. United States: IC3.gov. EU: Europol through the national portal. This feeds investigations, can unlock assistance, and is required by most cyber insurance policies.

Recover files after a ransomware attack: 2026 methodology

A full-screen message demands a bitcoin ransom, your documents carry a strange extension (.locked, .lockbit, .crypt), your antivirus has shut off or been disabled. You're facing a ransomware. The next few hours decide what you can recover.

This guide gathers the response methodology applied by CSIRTs and cyber insurers in 2026, adapted to the personal case (a single workstation, not a corporate IS).

Understand exactly what happened technically

Before acting, taking a minute to understand technically what the ransomware did completely changes the recovery options that remain open. Unfamiliarity with these mechanisms pushes many users to catastrophic decisions in the first hours — immediate format, ransom payment, or worse, restart the machine without precaution.

Modern ransomware generally follows three distinct phases at attack time. Initial phase: it executes discreetly and explores the system to identify connected drives (local, USB, shared network) and estimate the volume to encrypt. Encryption phase: it generates an AES key pair per file (or per folder depending on variant), encrypts each file in place or creates an encrypted copy then deletes the original, then encrypts the AES keys with an RSA public key from the attacker server — that last step is what makes decryption impossible without the private key held by attackers. Visibility phase: it drops ransom notes and changes the wallpaper to be visible.

The critical technical nuance: per-file AES encryption can take several hours on a large machine (200,000 files, 2 TB). If you detect the infection before the process completes, by quickly powering off the machine (hold power button for 10 seconds, not clean Windows shutdown), you can save files that haven't been processed yet. Conversely, if you restart the machine after encryption completes, the ransomware can relaunch a cycle on newly created files since the first pass. The right reaction is never immediate restart.

The other important nuance concerns Windows Volume Shadow Copies. The system mechanism that allows reverting to previous versions of files is targeted as a priority by 95% of modern ransomware — they execute vssadmin delete shadows /all in the first seconds to eliminate this recovery path. But some variants fail partially or forget some volumes (notably unencrypted external drives). Checking for possible surviving shadow copies before touching the system is free and can save hours of work.

Finally, backups connected at the time of the attack are also targeted and encrypted by modern ransomware. If your external backup drive was USB-plugged or your NAS was mounted as a network drive at the time of the incident, consider them compromised until proven otherwise. That's exactly the rationale of the 3-2-1 rule with an offsite or disconnected copy — it's what actually saves you in the ransomware scenario.

Phase 1 — Isolate immediately (first 5 minutes)

Don't try to understand it right away. The ransomware is probably still encrypting.

Unplug the Ethernet cable and disable Wi-Fi (airplane mode).
Remove all external drives and USB sticks. Modern ransomware (Conti, LockBit, BlackCat) actively targets connected media.
If you're on a shared network (NAS, Windows share), warn other users and disconnect them too. Ransomware can spread over SMB.
Don't hard-power-off the PC. Memory may contain the encryption key, exploitable by some forensic tools.

At this stage, active encryption stops (ransomware needs network or disk to continue). Take a breath.

Phase 2 — Document for complaint and decryptors

With another device (phone, second PC), build an evidence file:

Photo of the ransom screen.
Capture of the README filename left by the attackers (often README.txt, HOW_TO_DECRYPT.html, etc.) and its full content.
Note the extension added to encrypted files (.locked, .lockbit3, .crypt, etc.).
Approximate discovery time.
List of programs that were running just before.
Probable origin (email attachment, suspicious link, cracked software update).

These elements support the complaint (required to activate cyber insurance) and strain identification.

Phase 3 — Identify the strain

On the other device, go to id-ransomware.malwarehunterteam.com (project maintained by Michael Gillespie since 2016). Upload an encrypted file + the README. The tool recognizes most strains within seconds. For the full walkthrough and the identification pitfalls, see our ID Ransomware identification guide.

Once identified, check for a free decryptor on No More Ransom — joint initiative by Europol, the Dutch National Police and several antivirus vendors. The database covers more than 200 strains in 2026, including some widespread families (Phobos, STOP/Djvu — partially, Avaddon, REvil). If no public decryptor exists yet, keep the encrypted files: our full methodology in decrypt ransomware without paying lists the remaining avenues (key leaks, vulnerabilities, public release windows).

If a decryptor exists: follow its instructions to the letter, test first on a copied file (never on the original).

Phase 4 — Restore from a clean backup

The most reliable recovery path, if you had a backup.

Case 1 — Cloud backup with versioning

OneDrive, Google Drive, Dropbox, Backblaze, IDrive and equivalents keep earlier versions of files. Concretely:

OneDrive: web → file → three-dot menu → Version history. Allows restoring the version before encryption.
Google Drive: web → file → right-click → Manage versions.
Backblaze Computer Backup: web interface → Restore button → pick a pre-attack date.
iCloud: limited, doesn't store all versions; check iCloud Drive site.

Restore file by file or in bulk via the services' APIs. Do not reconnect the infected machine to your cloud account until it's cleaned.

Case 2 — Local backup (external drive / NAS)

If you had unplugged the drive between backups, it's likely safe. To check:

On another clean PC, plug the drive in read-only (USB reader with write-protect switch if possible).
Open recent files — if they open normally, the backup is intact.
Wipe and clean-reinstall the OS on the infected PC.
Restore from backup once the OS is rebuilt.

If the external drive was connected during the attack, treat it as potentially encrypted. Scan its content — recent files will likely carry the same extension.

Phase 5 — Recover shadow copies and residual files

Without backup and without decryptor, two paths remain:

Windows shadow copies

Windows sometimes creates shadow copies (volume snapshots) that ransomware tries to delete with vssadmin delete shadows /all. But many miss some partitions or get interrupted.

To check:

Open admin prompt → vssadmin list shadows. If it lists copies, there's hope.
Use ShadowExplorer (free, open source) or EaseUS Data Recovery Wizard to browse shadow copies and restore pre-infection files.

Recovery of temp files and binary signatures

EaseUS Data Recovery Wizard can also scan free disk sectors for unencrypted fragments: Office .tmp files, Adobe autosaves, Photoshop scratch (.psb), photo EXIF thumbnails.

Procedure:

Install EaseUS Data Recovery Wizard on a USB stick or another PC (not on the infected system).
Plug the infected drive in read-only on the clean PC (or boot from a recovery live USB).
Run a deep scan.
Filter by file type (.docx, .jpg, .xlsx) and by date prior to infection.
Restore to a clean drive.

Across the last six tests documented by support community cases, this method recovered 15 to 40 % of content — not ideal, but often better than zero.

Editorial pick

4.5 / 5

Run an EaseUS Data Recovery Wizard scan

Founded in 200430-day guaranteeFree 2 GB version

See the offer

Phase 6 — Reporting, notification and hardening

File a complaint

France: police station or online at cybermalveillance.gouv.fr. Criminal complaint enables cyber insurance.
United States: IC3 report (ic3.gov).
United Kingdom: Action Fraud (actionfraud.police.uk).
EU: Europol via the national portal.

If you process third-party personal data (clients, employees, contacts), a GDPR notification within 72 hours is mandatory in case of probable leak. In France, file with the CNIL.

Rebuild and harden

After the incident, never reconnect an infected system without a clean reinstall. And before back to service:

OS patches up to date, EDR up to date.
3-2-1 backups strictly enforced, including an immutable off-site copy.
Multi-factor authentication everywhere (mail, cloud, remote access).
Office macros disabled by default.
Risky extensions (.exe, .scr, .js, .vbs, .iso, .img) filtered at the mail gateway.

See our Automatic backup Windows / Mac 2026 guide for setting up a ransomware-resistant backup strategy. For a business context (SMB, multi-workstation, NAS, Veeam backups), our business ransomware protection 2026 brief covers the extra controls (segmentation, immutability, EDR, recovery drills).

Don't pay: why

Authorities (ANSSI, FBI, CISA, Europol) unanimously advise against paying. Reasons:

No recovery guarantee: 1 victim in 4 doesn't receive a working key after payment (Sophos State of Ransomware 2024).
Cybercrime funding: your payment funds the next campaign.
Marked as profitable target: actors share payer lists. Re-infections frequent within 18 months.
Sanctions: paying certain groups (on OFAC, EU, UN lists) can constitute an offense.

Right reflex: restore from backup or decryptor, harden, learn the lessons.

Resources