Ransomware file recovery on Windows has become the most urgent problem IT teams face right now. The infection happens fast: one dodgy email attachment or a click on a compromised link, and suddenly your files are locked behind encryption with a ransom note demanding payment. The panic sets in immediately. But here's the thing: paying rarely works, and there are several proven methods to recover your files without handing over money to criminals.
TL;DR
If ransomware file recovery is what you need, act fast: disconnect from the network, identify the ransomware type from the file extension or ransom note, check NoMoreRansom.org for a free decryptor, then try Shadow Volume Copies or System Restore. Success rates jump from 10% with quick fixes to 50%+ if you have backups, and 70-90% with professional tools.
Key Takeaways
- Ransomware file recovery starts with immediate network disconnection to prevent spread
- Free decryptors exist for many ransomware variants, check NoMoreRansom.org first
- Shadow Volume Copies and System Restore often recover files with zero additional software
- External backups and File History are your best insurance against total loss
- Professional data recovery is your last resort, but costs £500-£3000+ depending on complexity
At a Glance
- Difficulty: Medium
- Time Required: 30-60 mins
- Success Rate: 45-70% of users with backups; 10-20% without
What Causes Ransomware File Recovery Problems on Windows?
Ransomware doesn't just appear. It's deployed through specific attack vectors, and understanding how it gets in helps explain why ransomware file recovery can be so difficult. The most common entry point is phishing emails with malicious attachments, such as a PDF that looks legitimate but drops a ransomware payload the moment you open it. A user opens an invoice, a tax form, or a shipping notification, and within seconds the infection spreads across the entire drive.
Drive-by downloads are equally nasty. You visit a website that's been compromised or patched poorly, and the site's code silently downloads ransomware without any user interaction. Browser vulnerabilities or outdated plugins (Flash, Java, older versions of PDF readers) make this trivially easy for attackers. Even visiting what looks like a legitimate software download site can expose you if it's been hacked or is actually a clone.
Unpatched Windows systems and applications are a goldmine for attackers. A known vulnerability in Windows itself, Office, or any frequently used software becomes an exploit that ransomware operators use to gain access. This is why Windows updates matter so much: security patches close these doors. But if you've disabled updates or ignored notifications for weeks, you're open to infection.
Weak RDP (Remote Desktop Protocol) credentials or exposed RDP ports create another highway. If your machine is accessible over the internet with a password like "Password123", attackers can brute-force their way in during off-hours and deploy ransomware without any user clicking anything. This is especially common in small businesses that enable remote access carelessly.
And then there's the backup gap. Many users have no backup strategy at all, or their backups are connected to the same network during infection. Ransomware doesn't just encrypt your files; it looks for network drives, NAS devices, and cloud storage that's synced to your machine. If everything is plugged in and accessible, it all gets locked simultaneously.
Ransomware File Recovery Quick Fix
Identify Ransomware Type and Search for Free Decryptor (Easy)
- Disconnect immediately. Unplug the Ethernet cable or toggle WiFi off. Ransomware spreads to network shares and cloud storage while it's active. Get the machine offline first.
- Note the file extension. Look at your encrypted files. Most ransomware variants append a unique extension such as .mallox, .exploit, .crypt, or .locked. This extension is a fingerprint. If all your docs now end in .badext, that's your first clue about the variant.
- Read the ransom note. Check your Desktop and Documents folder. Attackers usually leave a text file or HTML file with instructions and sometimes the name of the ransomware family. Open this file in Notepad; it won't hurt, it's just instructions.
- Visit NoMoreRansom.org. Go to NoMoreRansom.org (use a clean computer or phone if yours is too badly infected). Enter the file extension or ransomware name you found. The site aggregates free decryption tools from security vendors like Kaspersky, Emsisoft, and Avast.
- Download the decryptor if available. If a match is found, download the decryptor directly from the site. Do not use third-party mirrors or sources. Verify the file signature if the site provides one. Run the executable as administrator and follow the on-screen prompts to decrypt your files.
- Verify decryption worked. Once complete, spot-check a few files. Open a Word doc, PDF, or image. If it opens normally and shows content (not encrypted gibberish), the decryption succeeded.
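As an added example (not part of the original article), this PowerShell script automates the "note the file extension" and "read the ransom note" steps: it walks the user folders, tallies the extension appended to files that still carry a known document extension underneath, and lists likely ransom notes with their first lines. The folder list, the document-type list and the note-name patterns are assumptions you may need to widen for your case.

```powershell
# Added triage helper (not from the original article): tally the extension that
# ransomware appended to known document types and locate candidate ransom notes.
# Assumptions: user data lives under the current profile; the document-type list
# and note-name patterns below are illustrative, not exhaustive.
param(
    [string[]]$Roots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop",
                         "$env:USERPROFILE\Pictures",  "$env:USERPROFILE\Downloads")
)

# Original document types whose names usually survive underneath the appended extension
$knownTypes = 'docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|zip|mp4'
# e.g. "invoice.pdf.locked": inner extension is a known type, outer one is the fingerprint
$appendedRegex = '\.(' + $knownTypes + ')\.([A-Za-z0-9_\-]{2,16})$'
# Common ransom-note file-name fragments (assumed patterns; compare with what you see)
$notePattern = 'readme|decrypt|restore|recover|how_to|help|instruction|ransom'

$appended = @{}     # outer extension -> number of files carrying it
$notes = @()
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match $appendedRegex) {
            $outer = $Matches[2].ToLower()
            $appended[$outer] = 1 + $appended[$outer]   # missing key counts as 0
        }
        # Notes are small text/HTML files whose name advertises what they are
        if ($_.Length -lt 64KB -and $_.Extension -match '^\.(txt|html?|hta)$' -and
            $_.BaseName -match $notePattern) {
            $notes += $_.FullName
        }
    }
}

"Appended extensions (files per extension, most common first):"
$appended.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10 |
    ForEach-Object { "  .{0,-16} {1,6}" -f $_.Key, $_.Value }

"Candidate ransom notes (search these names and the extension above on NoMoreRansom.org):"
$notes | Select-Object -Unique | Select-Object -First 10 | ForEach-Object {
    "  $_"
    # The first lines of a note often name the family; reading it is harmless
    Get-Content -LiteralPath $_ -TotalCount 3 -ErrorAction SilentlyContinue |
        ForEach-Object { "      $_" }
}
```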
More Ransomware File Recovery Solutions
Restore from Shadow Volume Copies (Medium)
- Boot into Safe Mode. Restart your PC and hold Shift while clicking Restart. Select Troubleshoot, then Advanced Options, then Safe Mode. This loads Windows with minimal drivers and services, which can prevent ransomware from locking you out of recovery tools.
- Right-click an encrypted folder. Navigate to a folder containing encrypted files (like Documents or Pictures). Right-click it and select Properties.
- Open the Previous Versions tab. In the Properties window, click the Previous Versions tab. Windows lists all available snapshots of that folder from before the infection occurred (if Shadow Copy was enabled).
- Select the pre-infection date. Look for a version dated before you discovered the encryption. Click it and select Restore. Windows will recover that version of the folder and all its files.
- Confirm the restored files are clean. Open a few restored files to verify they're readable and not corrupted. If they open normally, the restore worked.
- Run a full system scan. Before trusting your system, run Windows Security (built-in antivirus) or download Malwarebytes onto a USB from a clean computer. Scan the entire drive to ensure no ransomware processes remain active. Many infections persist in memory or hidden registry keys even after file encryption.
Use System Restore to Revert to a Pre-Infection Checkpoint (Medium)
- Boot into Safe Mode with Command Prompt. Restart and hold Shift during boot. Select Troubleshoot, Advanced Options, Safe Mode with Command Prompt.
- Open System Restore. In the Start menu (or from Command Prompt), type "Create a restore point" and press Enter. The System Properties window opens. Click the System Restore button.
- Select a restore point before the infection. System Restore shows a list of automatic snapshots. Look for one dated before you noticed the encryption. The description often includes Windows update dates or system checkpoint labels. Select the safest-looking pre-infection point.
- Confirm and initiate the restore. Click Next, then Finish. Windows begins reverting system files, drivers, and the registry to that snapshot. This can take 15-30 minutes. Your PC will restart automatically.
- Log in and verify files. After restart, check your Documents, Pictures, and Desktop folders. Files should be restored to their pre-infection state. Open a sample file to confirm it's readable.
- Run a full system scan post-restore. Even if System Restore succeeds, run Windows Defender or Malwarebytes to confirm no malware remains. Ransomware sometimes leaves hooks in the registry or startup folders.
Restore Files from External Backups (Medium)
- Physically disconnect the backup from the network. If you have an external hard drive, USB backup, or NAS, unplug it from the network or disconnect it entirely. Don't reconnect until the primary PC is confirmed clean. Ransomware can spread to any connected drive during active infection.
- Connect the backup to a clean computer. If possible, plug your external backup into a different computer that's not infected (a laptop, a family member's PC, etc.). This prevents any residual malware on your primary machine from infecting the backup again.
- Scan the backup for malware. Before restoring, run a full antivirus scan on the backup drives themselves. Use VirusTotal (online multi-engine scanner at virustotal.com) or Malwarebytes to check for hidden infection.
- Copy verified files back to your system. Once the backup is confirmed clean, copy your most critical files (documents, photos, financial records) back to your primary PC. Do this selectively; don't restore everything blindly, in case some files were already infected before the backup was taken.
- Re-scan your primary PC after restoration. After restoring files, run Windows Defender or a dedicated ransomware removal tool like Kaspersky NoRansom to ensure your system is malware-free before using it normally.
- Verify restored files are accessible. Spot-check restored documents. Open PDFs, spreadsheets, and photos. All should display correctly without encryption warnings or corruption.
Advanced Ransomware File Recovery Fixes
Run System File Repair and Disk Check Commands (Hard)
- Create a Windows Recovery USB on a clean computer. Download the Windows Media Creation Tool on a clean PC. Follow the prompts to create a bootable USB recovery drive with Windows installation files. This gives you full command-line access if Windows won't boot normally.
- Boot from the USB and access Command Prompt. Insert the USB into your infected PC, restart, and press F12 or Esc during boot to enter the boot menu. Select the USB drive. Choose Troubleshoot, then Advanced Options, then Command Prompt. You're now in recovery mode with administrative privileges.
- Run System File Checker (SFC). Type "sfc /scannow" and press Enter. This scans all protected Windows system files and repairs corrupted ones automatically. The process takes 10-20 minutes. If it finds and fixes issues, restart and re-scan once more to confirm stability.
- Run Disk Check (CHKDSK). Type "chkdsk C: /f /r" (replace C: with your drive letter if different). This checks your disk for bad sectors and logical errors, then attempts to repair them. You'll be prompted to schedule the check on the next restart. Agree, restart, and let it run (it can take 1-2 hours for large drives). Once complete, you'll return to the login screen.
- Check Volume Shadow Copies from the command line. Back in Command Prompt, type "vssadmin list shadows" to see all available shadow copies and their creation times. Old copies can be deleted to free space with "vssadmin delete shadows /all", but be aware that the /all switch removes every shadow copy on the volume (which is exactly what many ransomware families do to block recovery), so do not run it until you have recovered everything you need; to reclaim space safely, delete individual copies by their shadow copy ID instead. Then use third-party tools to recover files from the oldest remaining copies.
- Reinstall Windows if files remain inaccessible. If system corruption is severe or ransomware remains after all the above steps, perform a clean Windows installation. In recovery mode, type "format C: /FS:NTFS /Q" to wipe the drive, then install Windows from USB. This eliminates any hidden malware but requires restoring all data from backups afterward.
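Added example, not from the article: this PowerShell script serves both the Previous Versions procedure above and the vssadmin step. Instead of reading vssadmin output, it enumerates shadow copies through the Win32_ShadowCopy CIM class, picks the newest snapshot taken before a date you supply, and exposes it as a directory link so pre-infection files can be copied out without touching the encrypted originals. It assumes an elevated Windows PowerShell session; $Volume, $LinkPath, $Before and $Dest are illustrative values.

```powershell
# Added example (not from the original article): list Volume Shadow Copies of a
# volume, choose the newest snapshot older than a given date, and expose it as a
# directory link so files can be copied out of it. The snapshot is never modified.
# Assumptions: elevated Windows PowerShell; parameter defaults are illustrative.
param(
    [string]$Volume   = 'C:\',
    [string]$LinkPath = 'C:\ShadowView',
    [datetime]$Before = (Get-Date),   # use the date you first noticed encryption
    [string]$Dest     = ''            # optional: folder to receive a copy of Documents
)

# Win32_ShadowCopy.VolumeName holds the volume GUID path, so map the drive letter first
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }
if (-not $vol) { throw "Volume $Volume not found" }

$snapshots = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending

"Shadow copies of ${Volume} (newest first):"
$snapshots | ForEach-Object { "  {0}  {1}" -f $_.InstallDate, $_.DeviceObject }

# The newest snapshot taken before the infection date is usually the best choice
$pick = $snapshots | Where-Object { $_.InstallDate -lt $Before } | Select-Object -First 1
if (-not $pick) { throw "No shadow copy older than $Before" }

# mklink accepts the GLOBALROOT device path only with a trailing backslash
$target = $pick.DeviceObject + '\'
if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists; remove it first" }
cmd /c mklink /d $LinkPath $target | Out-Null
"Snapshot from $($pick.InstallDate) is now readable at $LinkPath"

if ($Dest) {
    # Copy this user's Documents out of the snapshot; /E recurses, /XJ skips junctions
    $src = Join-Path $LinkPath "Users\$env:USERNAME\Documents"
    robocopy $src $Dest /E /XJ /R:1 /W:1 | Out-Null
    "robocopy exit code $LASTEXITCODE (values below 8 mean success)"
}
# When finished:  cmd /c rmdir $LinkPath   removes the link only, never the snapshot
```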
Deploy Professional Decryption Tools or Data Recovery Services (Hard)
- Download professional decryption tools if available. Beyond NoMoreRansom, vendors like Kaspersky, Emsisoft, and Avast release decryptors for newly discovered variants. Visit their threat intelligence blogs (Kaspersky Labs, Emsisoft Malware Lab) and search for your ransomware name. If a tool exists, download it to a USB on a clean computer and run it on your infected PC as administrator.
- Install and execute the decryptor. Run the decryption tool, provide the necessary information (the encrypted file path, plus any key or note text the ransom message contained, if applicable), and let it process your files. Most tools have a preview mode to test decryption on a few files before bulk processing all your data.
- Evaluate professional data recovery services if decryption fails. If no free decryptor exists and your files are critical (business records, irreplaceable personal data), consider professional recovery. Companies like DriveSavers, Ontrack, and local digital forensics firms can attempt recovery, though costs range from £500 to £3000+ depending on complexity. They have access to threat intelligence databases and advanced recovery techniques unavailable to consumers.
- Provide clean system access to recovery experts. If you engage a recovery service, ensure they work on a fully isolated PC (not connected to your network). Provide them with external drives or encrypted backups if you have them. They'll analyze the ransomware variant and attempt decryption or file reconstruction using forensic tools.
- Request verification and safe file transfer. Before paying professional fees in full, ask the recovery service to verify that a small sample of files can be successfully decrypted or recovered. Once confirmed, have them transfer files via an encrypted channel (secure FTP, encrypted USB shipment) rather than email.
- Post-recovery, fully re-image your PC. After recovery, wipe and reinstall Windows completely to eliminate any dormant malware. Restore recovered files to the fresh installation and implement strict backup procedures going forward (see "Preventing Ransomware File Recovery Disasters" below).
When to Call Remote IT Support for Ransomware File Recovery
If you're stuck after attempting recovery steps above, or if you're uncomfortable running command-line tools and SFC repairs, remote support can diagnose your ransomware variant, check for decryptors, restore shadow copies safely, and verify your system is malware-free before you reconnect to the network. We handle hundreds of ransomware cases monthly and can often recover files in under an hour.
Preventing Ransomware File Recovery Disasters
The best ransomware file recovery strategy is preventing infection in the first place, but backups are your safety net when prevention fails. Most users who lose files to ransomware had zero backup strategy or backups connected during infection. Here's what actually works.
The 3-2-1 backup rule. Maintain at least 3 copies of critical data. Use 2 different storage media types (external hard drive and cloud, for example). Keep 1 copy completely offline or unplugged from your network. This means if ransomware encrypts your PC and network drives, your offline backup remains untouched. External hard drives cost £40-£100 and protect terabytes of data. Not implementing this is like leaving your front door unlocked in a high-crime area.
Enable Shadow Volume Copies. Windows creates automatic snapshots of your files throughout the day. Right-click your C: drive, select Properties, go to the Protection tab, and ensure protection is enabled for your main drive. This costs zero pounds and creates recovery points every few hours. Many ransomware variants don't know to delete these, making shadow copies the quickest ransomware file recovery method available.
Use File History for ongoing incremental backups. File History backs up the Documents, Pictures, Desktop, and Downloads folders automatically. Open Settings, search "File History", connect an external drive, and enable it. Windows then backs up changed files every hour. If ransomware hits, you restore from File History rather than losing everything. It's built-in and free, so there's zero excuse not to use it.
Check your cloud storage settings. If you use OneDrive, Google Drive, or Dropbox, ensure only important files sync to your PC. Keep your backup folders (where you store recovery files) set to "online only" or stored on a separate computer entirely. Many users sync their backup folder to their main PC, which defeats the purpose when ransomware encrypts everything on that machine.
Patch Windows and applications ruthlessly. Most ransomware enters through known vulnerabilities. Enable automatic Windows updates and set Office, Adobe Reader, Java, and browser plugins to auto-update. Uninstall Flash if you still have it; it's been deprecated for years and is a common attack vector. Check CISA.gov weekly for critical vulnerability warnings and patch immediately if your software is affected.
Disable or harden RDP. If you don't need remote desktop access, disable it entirely. If you do: use a strong password (16+ characters, mixed case, numbers, symbols), enable Network Level Authentication, restrict which accounts can log in remotely, and consider running it on a non-standard port. Better yet, use a VPN to access your PC rather than exposing RDP directly to the internet.
Use antivirus with ransomware behaviour detection. Windows Defender is competent for basic protection, but dedicated tools like Kaspersky or Emsisoft detect ransomware by monitoring file-system activity (a process suddenly encrypting thousands of files). Behaviour-based detection catches new, unknown variants before they do damage. These cost £30-£50 annually and are worth every penny if they make ransomware file recovery unnecessary.
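Added example (not from the article): this PowerShell audit checks the prevention controls described above (System Protection for shadow copies and restore points, RDP and Network Level Authentication, the Windows Update service, Defender real-time protection, and leftover Flash) and, with -Fix, applies the safe remedies. It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11; the registry values are the ones the corresponding Windows settings write, and the RDP-disable and Flash-removal decisions are left to you.

```powershell
# Added example (not from the original article): audit the prevention controls the
# article recommends and, with -Fix, apply the safe remedies. Assumes an elevated
# Windows PowerShell 5.1 session on Windows 10/11.
param([switch]$Fix)   # without -Fix the script only reports

$sr  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Each control: a name, a test returning $true when compliant, and an optional remedy
$controls = @(
    @{ Name = 'System Protection (shadow copies/restore points) enabled'
       Test = { (Get-RegValue $sr 'RPSessionInterval') -eq 1 }   # 1 when protection is on
       Fix  = { Enable-ComputerRestore -Drive "$env:SystemDrive\" } },
    @{ Name = 'RDP disabled'
       Test = { (Get-RegValue $ts 'fDenyTSConnections') -eq 1 }
       Fix  = $null },   # your decision: disable only if remote access is not needed
    @{ Name = 'RDP requires Network Level Authentication'
       Test = { (Get-RegValue $tcp 'UserAuthentication') -eq 1 }
       Fix  = { Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 } },
    @{ Name = 'Windows Update service not disabled'
       Test = { (Get-Service wuauserv).StartType -ne 'Disabled' }
       Fix  = { Set-Service wuauserv -StartupType Manual } },
    @{ Name = 'Defender real-time protection on'
       Test = { (Get-MpComputerStatus).RealTimeProtectionEnabled }
       Fix  = { Set-MpPreference -DisableRealtimeMonitoring $false } },
    @{ Name = 'Adobe Flash Player ActiveX not present'
       Test = { -not (Test-Path "$env:WINDIR\System32\Macromed\Flash\*.ocx") }
       Fix  = $null }    # remove through Apps & Features
)

$report = foreach ($c in $controls) {
    $status = if ([bool](& $c.Test)) { 'PASS' } else { 'FAIL' }
    if ($status -eq 'FAIL' -and $Fix -and $c.Fix) {
        & $c.Fix
        # Re-run the test so the report reflects the real state, not the attempt
        $status = if ([bool](& $c.Test)) { 'FIXED' } else { 'FAIL (fix did not apply)' }
    }
    [pscustomobject]@{ Control = $c.Name; Status = $status }
}
$report | Format-Table -AutoSize
```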
Ransomware File Recovery Summary
Ransomware file recovery isn't hopeless, but speed and backups separate successful recovery from total loss. The moment you spot encrypted files, disconnect your PC from the network, identify the ransomware variant, and check NoMoreRansom.org for a free decryptor. If one exists, you'll recover files in minutes without paying a ransom or hiring expensive services. If not, shadow copies and System Restore recover most users' data within an hour. External backups take longer to restore but give you complete control and certainty that files are clean.
The hardest truth: ransomware file recovery becomes irrelevant the moment you implement the 3-2-1 backup rule and enable Windows shadow copies. Thousands of pounds in recovery costs, hours of downtime, and the stress of data loss simply vanish if you spend two hours setting up basic backups today. Don't learn this lesson the hard way.