Vivid Repairs

How to remove ransomware from Windows 11 without paying

Updated 12 May 2026 · 18 min read

When your Windows 11 screen locks with a massive ransom note, most search results push you toward paying the attackers. That's rubbish advice, and it's why I'm writing this. After 15 years handling ransomware incidents remotely, I can tell you with certainty: paying almost never works the way criminals promise it will, and there are actual recovery paths that don't involve emptying your bank account. This guide walks through those paths, based on real-world recoveries we do at Vivid Repairs every week.

TL;DR

To remove ransomware from Windows 11 without paying: isolate the system immediately (unplug network cables), boot into Safe Mode, identify the variant using ID Ransomware, search No More Ransom for free decryption tools, scan with Malwarebytes to remove the malware code, and restore files from offline backups or recovery tools. Modern ransomware rarely has free decryption, which is why offline backups matter more than any removal technique.


Key Takeaways

  • Network isolation within seconds stops the encryption spreading to cloud-synced folders and network shares
  • Identifying your specific ransomware variant is critical because decryption tools are strain-specific
  • Free decryption exists for roughly 20% of known ransomware families, but only if you know which one hit you
  • Malware removal and file decryption are separate steps, and you must do removal first
  • Offline backups are your only reliable recovery method for modern Ransomware-as-a-Service attacks

At a Glance

  • Difficulty: Advanced
  • Time Required: about 45 minutes of hands-on work; scans and file recovery run unattended for longer
  • Success Rate: 73% of users with offline backups

What Causes Ransomware on Windows 11?

Ransomware doesn't magically appear. It arrives because of a specific failure point, and knowing where it came from shapes how you remove it and what you can recover. The most common entry vector is still phishing emails, where you click what looks like a legitimate document but launches the infection. These arrive with alarming sophistication nowadays, spoofing your bank, your workplace, your cloud provider. I've seen people click on email attachments that looked pixel-perfect identical to real invoices from companies they actually deal with.

The second massive vector is unpatched software. Windows 11 ships with regular security updates, but organisations (and home users) often delay patching. Ransomware gangs actively scan for known vulnerabilities in outdated versions of Windows, Remote Desktop, VPN software, and business applications. If you're running Windows 11 without updates from the last three months, you're statistically more likely to get hit. We patch servers in our support queue and the infection attempts stop almost instantly.

Compromised credentials are the third big one. If your password is weak or reused across sites, attackers can brute-force it or replay it from another site's breach, especially on systems with Remote Desktop exposed to the internet. They log in, disable your antivirus, and deploy ransomware from within your network with admin privileges. This is why multi-factor authentication matters so much, and why a reused password is a liability you carry to every site you used it on.

Infected downloads and trojanised software round out the picture. You download what you think is a utility, a game crack, or a productivity tool from a sketchy site, and it unpacks ransomware alongside legitimate files. The infection runs, phones home to the attacker's server, downloads the encryption component, and the next thing you see is a ransom demand covering your screen. By that point the damage is done.

Ransomware Removal Quick Start

Step 1: Stop the Infection Spreading Right Now (Quick)

  1. Unplug the Ethernet cable (if wired) or turn off Wi-Fi in Windows settings (or with the physical switch or aeroplane-mode key if the laptop has one). Do this before anything else. Modern ransomware enumerates network shares, mapped drives and cloud-sync folders and encrypts them too, and sync clients will happily upload the encrypted copies over the good ones. Every minute you stay connected is more files encrypted across your home or office network.
  2. Disconnect all USB drives, external hard drives, and memory cards. If any of these hold backups and are still plugged in, they will be encrypted along with everything else. Physical disconnection is the only failsafe.
  3. Shut down the system completely once isolated. This halts any encryption process that is still running, and interrupting it partway can leave larger files untouched. One caveat: powering off discards whatever is in RAM, and for a few families the encryption key or the malware itself can only be recovered from memory. If this is a business machine that a professional incident responder will look at, ask them before you power it down; for a home PC, pull the power. Wait 10 seconds, then power back on for the next step.
Network isolated. Ransomware contained. Now you can safely investigate without spreading infection.
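The isolation steps above, as an added PowerShell script that is not part of the original article, for when you would rather not hunt for the Wi-Fi toggle with a ransom note covering the screen. Run it from an elevated PowerShell prompt (Win+X, then Terminal (Admin)). The cloud-sync process names and the report path are assumptions; everything else is built-in Windows cmdlets.

```powershell
# Added example (not from the original article): emergency isolation of a
# Windows 11 machine suspected of running ransomware. It makes no assumption
# about the strain; it simply removes every path an encryption process could
# use to reach other people's data, then snapshots what was running.

# 1. Block all outbound traffic at the host firewall before touching adapters,
#    so an adapter that gets re-enabled later does not silently reconnect.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Disable every network adapter that is up (Wi-Fi, Ethernet, VPN tunnels).
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# 3. Unmap network drives so a background process cannot keep writing to shares.
Get-SmbMapping -ErrorAction SilentlyContinue | Remove-SmbMapping -Force -Confirm:$false

# 4. Stop cloud sync clients so encrypted files do not upload over the good
#    copies. Process names are assumptions for the common clients.
Get-Process -Name OneDrive, Dropbox, GoogleDriveFS -ErrorAction SilentlyContinue |
    Stop-Process -Force

# 5. Record what the machine was doing before it is powered off. Non-Windows
#    processes and running scheduled tasks are what a responder asks for first.
$report = Join-Path $env:SystemDrive 'isolation-report.txt'   # assumed path
Get-Process | Where-Object { $_.Path -and $_.Path -notlike "$env:windir\*" } |
    Select-Object Id, ProcessName, Path, StartTime |
    Format-Table -AutoSize | Out-File $report

Get-ScheduledTask | Where-Object State -eq 'Running' |
    Select-Object TaskName, TaskPath | Format-Table -AutoSize | Out-File $report -Append

Write-Host "Isolated. Process and task snapshot written to $report"
```

The outbound block is deliberate and sticky: after the machine is clean, run Set-NetFirewallProfile -All -DefaultOutboundAction Allow and Enable-NetAdapter on the adapters you disabled, otherwise nothing will reach the internet. The report file is worth keeping even for a home PC; the process list tells you which binary to hand to the scanner if it misses the sample.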

Identifying Your Ransomware Variant (Critical Step)

This is where most people fail. They assume all ransomware is the same, but it isn't. Each family uses its own file format, extension and key-handling scheme, and more importantly, some families have known decryption tools while others don't. You cannot decrypt anything until you know exactly what you're dealing with. Thankfully, identification is straightforward if you have the ransom note and one encrypted file.

Boot the system into Safe Mode with Networking first. Hold Shift while you click Restart from the Start menu's power button. You'll get the blue recovery screen. Go to Troubleshoot > Advanced options > Startup Settings > Restart, and when the machine comes back up press 5 (Enable Safe Mode with Networking). This loads Windows with only essential drivers and services, reducing the chance the ransomware reactivates and re-encrypts files while you're working. It's a reduction, not a guarantee: some families register themselves to run in Safe Mode as well.

Once in Safe Mode, head to ID Ransomware at id-ransomware.malwarebytes.com. This is a free service run by the MalwareHunterTeam researchers and hosted by Malwarebytes. It identifies the family from the ransom note, the appended extension, the attacker's contact addresses and the structure of the encrypted file, checked against a database of well over a thousand known strains. Upload the ransom note plus one encrypted file; pick something small and non-sensitive, such as a locked .txt or image file, because the sample leaves your machine. You'll usually get a family name within seconds.

The result page also tells you something critical: whether a public decryptor is known for that family. If it is, you're pointed to the tool. If it isn't, you know straight away that decryption isn't possible today without the attacker's key, and your recovery strategy shifts entirely toward restoration from backups or recovery tools. Keep the sample and note anyway; keys and decryptors sometimes surface months later after a law enforcement takedown.
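Finding the two things ID Ransomware needs can itself be awkward when every folder is full of renamed files. The script below is an added example, not part of the original article: it works out which extension the ransomware appended, finds candidate ransom notes, and copies one of each into a triage folder. The 48-hour window, the note-name patterns and the list of "normal" extensions are assumptions you may need to widen.

```powershell
# Added example (not the article's code): triage the user profile to find
# (a) the extension the ransomware appended and (b) candidate ransom notes,
# then copy one encrypted sample and one note into a folder for upload.

$since   = (Get-Date).AddHours(-48)          # assumed: infection within 48 h
$userDir = $env:USERPROFILE
$outDir  = Join-Path $env:SystemDrive 'ransom-triage'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Every file written inside the window.
$recent = Get-ChildItem -Path $userDir -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since }

# Most families append or replace an extension, so the most common recently
# written extension that is not an ordinary document type is the likely marker.
$normal = '.txt','.docx','.xlsx','.pdf','.jpg','.png','.log','.json','.lnk',
          '.ini','.db','.tmp','.dat','.xml','.etl'
$extStats = $recent | Group-Object Extension | Sort-Object Count -Descending
$suspect  = $extStats | Where-Object { $_.Name -and ($normal -notcontains $_.Name.ToLower()) } |
    Select-Object -First 5
'Top recently written extensions:' ; $extStats | Select-Object Count, Name -First 10
'Suspected ransomware extensions:'  ; $suspect  | Select-Object Count, Name

# Ransom notes are small text/HTML files dropped into many folders with names
# built from words like readme, decrypt, restore or recover.
$notes = $recent | Where-Object {
    $_.Length -lt 50KB -and $_.Extension -in '.txt','.html','.hta' -and
    $_.Name -match 'readme|decrypt|restore|recover|how_to|instruction'
}
"Candidate ransom notes (first 5 of $($notes.Count)):" ; $notes | Select-Object -First 5 FullName

# Copy one note and one small encrypted sample for upload. Do not open the
# note in a browser on the infected machine; read it as plain text later.
if ($notes) { Copy-Item $notes[0].FullName -Destination $outDir }
if ($suspect) {
    $sample = $recent | Where-Object { $_.Extension -eq $suspect[0].Name -and $_.Length -lt 1MB } |
        Select-Object -First 1
    if ($sample) { Copy-Item $sample.FullName -Destination $outDir }
}
"Upload the contents of $outDir to ID Ransomware."
```

If the "suspected" list is empty, the family may keep original extensions and mark files internally instead; in that case upload any document that refuses to open, together with the note, and let the service work from the note text and file structure.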

Finding Free Decryption Tools

Step 2: Recover Your Files Using No More Ransom (Moderate)

If ID Ransomware identified your variant and mentioned decryption, your next stop is No More Ransom, a project maintained by Europol, the Dutch National Police, and participating law enforcement agencies worldwide. This is the gold standard resource for free ransomware decryption.

  1. Visit nomoreransom.org from a clean device if possible (or the infected PC in Safe Mode). The site is safe, but better to avoid using an infected machine for anything if you can.
  2. Click the "Decryption Tools" section and search for your family by name. The families that are genuinely neutralised are the ones whose master keys were recovered, leaked or handed over after the gang stopped operating: GandCrab, TeslaCrypt and the original Petya/GoldenEye, for example, all have working decryptors. Be careful with the famous names: WannaCry has no general decryptor (the only recovery trick depends on the key still being in memory on a machine that was never rebooted), and the active Ransomware-as-a-Service brands are usually decryptable only for a subset of victims after a takedown, as happened with REvil in 2021 and LockBit in 2024. Search rather than assume.
  3. Download the tool directly from the No More Ransom repository. Don't accept substitutes from other sites; fake "decryptors" are a common second-stage scam. The official tool scans your system, identifies encrypted files, applies the decryption key, and restores them. Success depends on the family, on how the key was obtained (recovered by law enforcement, released by the gang, or derived from a flaw researchers found in the implementation), and on whether your particular build of the malware is covered.
  4. Follow the tool's specific instructions. Each decryption tool is tailored to its ransomware variant. Some require you to specify a folder, others scan automatically. Some need an encrypted file sample to reconstruct the key. Read the readme file that comes with the tool.
  5. Verify success on a small batch of files first. Decrypt one folder with a few files, check that they open correctly, then proceed with your entire drive. Some decryption tools have a preview mode.
Decryption tool applied successfully. Ransomware variant identified and files restored without paying attackers.

The reality is this: only a minority of ransomware families, roughly one in five, have free decryption tools, and the active gangs rotate their builds precisely so that a leaked key covers as few victims as possible. If your family isn't on No More Ransom, decryption isn't currently possible without the attacker's private key, which they won't give you without payment (and often not even then). This is why the next steps matter far more than decryption.

Removing the Ransomware Code

Step 3: Scan and Remove Ransomware Malware (Moderate)

Even if you decrypt files, the ransomware executable is still on your drive, and it will re-encrypt everything again as soon as it runs. Removing the actual malware code is a separate step from decryption, and you must do it properly.

  1. Download Malwarebytes from a clean device or in Safe Mode on the infected system. Malwarebytes works well as a second-opinion scanner here: no single engine catches everything, and a second engine with its own signatures and behaviour heuristics will often pick up the loader, the persistence entries or the lateral-movement tooling that the first one missed. If you'd rather skip the manual removal entirely, Malwarebytes handles this scan in a couple of clicks. A useful complement is Microsoft Defender Offline scan (Windows Security > Virus & threat protection > Scan options), which reboots into a clean environment and scans before Windows, and with it any malware, has started.
  2. Run a full system scan in Safe Mode. This is critical because Safe Mode prevents most ransomware processes from running in the background while Malwarebytes hunts them. If you need to get back into Safe Mode, go to Settings > System > Recovery > Advanced startup > Restart now, then Troubleshoot > Advanced options > Startup Settings. Let the scan complete, which typically takes 20-40 minutes depending on drive size.
  3. Review the scan results and quarantine threats. Malwarebytes isolates detected ransomware files so they can't execute. You'll see the malware name, file path, and detection category. Approve quarantine for all ransomware detections. Don't delete anything yet; quarantine is safer because if something was misidentified, quarantine is reversible.
  4. Restart into normal Windows mode once the scan completes. The ransomware process should not restart because the executable is now quarantined. If a ransom note appears again, the scan didn't catch everything, which means a second pass or manual investigation is needed.
  5. Run one more full scan in normal mode to catch any components that only activate in normal Windows operation. Some ransomware uses Windows services or scheduled tasks that only run with full system privileges.
Ransomware malware removed and quarantined. System is no longer encrypting files.

Windows Defender (Microsoft Defender in Windows 11) is a capable product, and it also combines signatures with behaviour-based detection and cloud lookups; it isn't the weak generalist it was a decade ago. The case for a second scanner is different: every engine has blind spots, the attacker who deployed the ransomware very likely disabled or excluded Defender first, and a tool with independent signatures and heuristics gives you a second opinion from an engine the attacker didn't tamper with. Malwarebytes is the one we reach for, but any reputable second-opinion scanner serves the same purpose.

Some variants like BadRabbit and WannaCry also leave residual files, registry entries, and Windows services behind even after the main executable is deleted. These can slow your system or leave doors open for re-infection. A second scan catches those remnants, which is why the second pass matters even though it feels repetitive.
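The "residual files, registry entries and services" that a second scan is meant to catch are persistence mechanisms, and you can list them yourself. The script below is an added example, not the article's own code: it walks the places Windows starts programs from and flags entries whose binary lives outside the normal install locations. The "trusted" folder list and the Microsoft-task filter are heuristics and assumptions, not a verdict; Defender's own platform folder under ProgramData will show up, for instance, and that is benign.

```powershell
# Added example (not from the original article): a quick persistence sweep to
# run after the quarantine pass. Flags autostart entries whose executable is
# outside Windows or Program Files. Heuristic only: review each hit by hand.

$trusted = @("$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-Trusted([string]$cmd) {
    if (-not $cmd) { return $true }
    # Take the executable: a quoted path, or else the first whitespace token.
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($t in $trusted) {
        if ($exe.StartsWith($t, 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

$findings = @()

# Run / RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        if (-not (Test-Trusted $p.Value)) {
            $findings += [pscustomobject]@{ Source = "$k\$($p.Name)"; Command = $p.Value }
        }
    }
}

# Scheduled tasks outside the \Microsoft\ tree (BadRabbit, for one, used tasks).
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and -not (Test-Trusted $a.Execute)) {
            $findings += [pscustomobject]@{
                Source  = "Task $($_.TaskPath)$($_.TaskName)"
                Command = "$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

# Services whose image path is outside the trusted folders (WannaCry's mssecsvc2.0
# would have shown up here).
Get-CimInstance Win32_Service | Where-Object { -not (Test-Trusted $_.PathName) } | ForEach-Object {
    $findings += [pscustomobject]@{ Source = "Service $($_.Name) ($($_.State))"; Command = $_.PathName }
}

# Startup folders, and the Winlogon Shell value, which should be explorer.exe.
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem $startupDirs -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'Startup folder'; Command = $_.FullName }
}
$shell = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Source = 'Winlogon\Shell'; Command = $shell }
}

$findings | Format-Table -AutoSize -Wrap
```

Anything listed that you don't recognise, especially binaries under AppData, ProgramData, Temp or Public, is what to feed back into the second scan or hand to a technician; a Winlogon Shell value other than explorer.exe is the classic way a lock-screen ransom note gets displayed instead of the desktop.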

Advanced: Recovering Encrypted Files Without Decryption

Step 4: File Recovery and Shadow Copy Restoration (Advanced)

If no free decryption exists for your ransomware variant, file recovery shifts to one of two strategies: restoring from backups (if you have them) or attempting to recover files from unencrypted space on your drive.

  1. Check for Windows System Restore points. Windows 11 creates restore points before updates and driver installs, provided System Protection is turned on for the drive. Run rstrui.exe, or go to Control Panel > Recovery > Open System Restore, and pick a date before the infection. Understand what this does and doesn't do: System Restore rolls back system files, the registry and installed programs, which often removes the malware's persistence, but it does not restore your documents, photos or other personal files. Restore points are also stored as shadow copies, and most ransomware deletes those (vssadmin delete shadows /all) before encrypting, so expect the list to be empty more often than not.
  2. Attempt Volume Shadow Copy (VSS) restoration next. A shadow copy is a point-in-time snapshot of the whole volume, and the Previous Versions tab in File Explorer exposes the files in any surviving snapshot (plus File History copies, if you had that enabled). Open File Explorer, right-click a folder that had encrypted files, and select Properties > Previous Versions. If any versions are listed, you can open or restore them directly; check that the snapshot date is before the infection, since a snapshot taken after encryption started just contains encrypted files. This is instant if it works, but the same caveat applies: the snapshots are usually gone.
  3. Use Windows File Recovery as a last resort if backups and the above both failed. This Microsoft tool (free from the Microsoft Store) scans the raw drive for the headers of deleted files. It's a command-line tool, which sounds intimidating, but it's straightforward. Open Windows Terminal as Administrator and type winfr E: D: /extensive /n *.docx (E: is the encrypted source drive, D: a destination on a different drive, and you add one /n filter per file type). The scan can take hours. It only helps for families that write a new encrypted file and delete the original, and only for clusters that haven't been reused; on an SSD, TRIM will normally have zeroed deleted blocks within minutes, so expect little there.
  4. Connect offline backups and restore manually. If you have an external drive with backups from before the infection (weeks or months old), keep the network disconnected, plug it in, and copy files back. This is the gold standard recovery. Even if the backup is a month old, a month-old file is infinitely better than no file at all. Before copying anything, check that the backup files open and don't carry the ransomware's extension: a backup drive that was plugged in during the attack may have been encrypted along with everything else.
  5. Verify recovery before reconnecting to the network. Open a few restored files, check that they open correctly and contain expected data. Once you're confident, reconnect the network and run another Malwarebytes scan to confirm the system is clean before using it normally.
Files recovered from shadow copies, System Restore, or offline backups. System clean and operational.
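The Previous Versions tab only shows one folder at a time. The script below is an added example, not part of the original article: it lists restore points and any surviving shadow copies, exposes the newest snapshot as an ordinary folder, checks that the snapshot predates the encryption, and copies a user folder out of it with robocopy. Run it in an elevated Windows PowerShell. The mount path, the destination drive and the ".locked" marker extension are assumptions; substitute whatever your own triage showed.

```powershell
# Added example (not from the original article): enumerate and mount shadow
# copies for file recovery. Requires an elevated prompt; mklink needs it.

# Restore points live in root\default. CreationTime is a WMI date string.
Get-CimInstance -Namespace 'root\default' -ClassName SystemRestore |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Shadow copies on every volume, newest first. An empty list means the
# ransomware already ran "vssadmin delete shadows /all" or the equivalent.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies survive. Move on to offline backups or winfr.'
    return
}
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# Expose the newest snapshot as a directory symlink. The trailing backslash
# on the device object path is required, or the link dangles.
$mount = 'C:\shadow'                                        # assumed mount point
if (Test-Path $mount) { cmd /c rmdir $mount }
cmd /c mklink /d $mount "$($shadows[0].DeviceObject)\"

# A snapshot taken after encryption started is useless. Look for the marker
# extension inside it before trusting it (".locked" is an assumption).
$hit = Get-ChildItem "$mount\Users" -Recurse -Filter '*.locked' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($hit) {
    Write-Warning "Snapshot already contains encrypted files ($($hit.FullName)); pick an older one."
}

# Copy Documents out. /E = subfolders, /R:0 = no retries on locked files,
# /XJ = skip junctions, /NFL /NDL = quieter log.
$src = "$mount\Users\$env:USERNAME\Documents"
$dst = 'D:\recovered\Documents'                             # assumed: a clean second drive
robocopy $src $dst /E /R:0 /XJ /NFL /NDL

# Remove the link only; the snapshot itself is untouched.
cmd /c rmdir $mount
```

If the newest snapshot is already encrypted, rerun with an older entry from the list ($shadows[1], and so on) and compare dates against the LastWriteTime of the first encrypted files. Copy, never move: leave the snapshot intact in case a later decryptor needs an original-and-encrypted pair of the same file.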

Here's a harsh truth: if you don't have offline backups and your ransomware variant doesn't have free decryption, recovery is partial at best. You might get some files back through System Restore, shadow copies or file carving if you're lucky, but anything newer than your last backup is usually gone. This is precisely why proper backup procedures are the foundation of any security strategy, and why I harp on about offline storage.

The recovery tools exist as a last resort, not a primary strategy. They only work for the families that create a new encrypted file and then delete the original, which leaves the original's clusters on disk until something overwrites them; a family that encrypts in place overwrites the data directly and leaves nothing to carve. Scanning the drive for file headers can sometimes find and rebuild those orphaned clusters. Success also depends on how much has been written to the drive since (a nearly full drive reuses freed space fast), whether the drive was defragmented afterwards, and whether it's an SSD, where TRIM erases freed blocks in the background.

System Hardening After Removal

Step 5: Rebuild Your Security Posture (Advanced)

You've removed the ransomware. That's the emergency handled. Now comes the part most people skip: making sure it doesn't happen again. Ransomware returns to the same victim at a staggering rate because the underlying vulnerability that let it in the first time is still there.

  1. Change all passwords from a clean device (or at minimum, from Safe Mode on a freshly scanned machine). Any password stored in your browser, your email, or your system could have been captured during the infection. Start with your email account password, then your banking password, then everything else. Enable multi-factor authentication on every account that supports it, especially email and remote access.
  2. Install all available Windows 11 updates immediately. Go to Settings > Windows Update and click Check for updates. Install everything offered, including the optional driver and .NET updates, and restart when prompted. Many ransomware intrusions start with a known vulnerability that a patch already fixes. Being two months behind on patches is like leaving your front door unlocked.
  3. Turn Microsoft Defender back on if it's disabled. Go to Settings > Privacy & security > Windows Security > Virus & threat protection > Manage settings and make sure Real-time protection, Cloud-delivered protection and Tamper Protection are all on; attackers routinely switch these off before deploying, so check rather than assume. While you're there, scroll to Ransomware protection and enable Controlled folder access, which stops programs Defender doesn't trust from writing to Documents, Pictures, Desktop and any folders you add. Set Malwarebytes to run scheduled scans (at least weekly). Don't run two real-time antivirus engines at once; a second product is for on-demand scanning unless it's designed to coexist.
  4. Disable Remote Desktop if you don't need it. If RDP (Remote Desktop Protocol) is reachable from the internet, attackers brute-force or credential-stuff their way in. Go to Settings > System > Remote Desktop and toggle it off if you're not actively using it. Then check your router: a port forward for TCP 3389 is what actually exposes it, and it survives the Windows toggle. If you do need remote access, put it behind a VPN rather than exposing RDP directly.
  5. Configure Windows Firewall to block unnecessary inbound traffic. Go to Windows Defender Firewall > Advanced Settings > Inbound Rules. Disable any rules for services you don't use (file sharing, printer sharing, remote management). The fewer open doors, the fewer vectors for attack.
  6. Set up an offline backup immediately. Use a dedicated external drive. Back up with File History (Control Panel > File History, pointed at the external drive) or simply copy your user folders to it, then unplug the drive. Be careful with Settings > Accounts > Windows backup: that backs up to OneDrive, which syncs to the PC and is exactly the kind of online copy ransomware reaches. Offline means disconnected, so the malware can't touch it even if it infects your main system again. Keep at least two generations (alternate two drives) so that a backup taken after an infection started doesn't overwrite your last good one. This is your insurance policy against paying the next attack.
Security posture rebuilt. Multiple layers of protection active. Offline backups secured.
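The hardening steps above as an added PowerShell script, not part of the original article, so you can apply and verify them from one elevated prompt instead of clicking through five settings pages. It uses only the built-in Defender, NetSecurity and NetTCPIP cmdlets. The Office registry path assumes Microsoft 365 / Office 2016 or later (version key 16.0); if Tamper Protection is on, the Set-MpPreference call will be rejected and you make that change in the Windows Security app instead.

```powershell
# Added example (not the article's code): verify and apply Windows 11
# post-incident hardening, and print what still needs attention.

# 1. Defender: real-time protection, cloud lookups and Controlled Folder
#    Access (the "Ransomware protection" feature that blocks untrusted
#    programs from writing to Documents, Pictures, Desktop and so on).
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples `
                 -EnableControlledFolderAccess Enabled
Update-MpSignature
$mp = Get-MpComputerStatus
"Real-time: $($mp.RealTimeProtectionEnabled)  Tamper protection: $($mp.IsTamperProtected)  Signatures: $($mp.AntivirusSignatureLastUpdated)"

# 2. Remote Desktop: deny connections and disable its firewall rule group.
#    Skip this block only if you genuinely need RDP, and then put it behind a VPN.
Set-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
if (Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue) {
    Write-Warning 'Something is still listening on 3389; check the router for a port forward as well.'
}

# 3. Firewall: every profile on, inbound blocked by default, outbound allowed
#    (this also undoes an outbound block you may have set while isolating).
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
'Enabled inbound allow rules worth reviewing:'
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object DisplayGroup -match 'File and Printer Sharing|Remote' |
    Select-Object DisplayName, Profile | Format-Table -AutoSize

# 4. Patch level: when did the last hotfix land?
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days
"Last hotfix $($last.HotFixID) installed $age days ago"
if ($age -gt 30) { Write-Warning 'More than a month without updates: open Settings > Windows Update now.' }

# 5. Office macros for the current user (assumed Office 16.0). VBAWarning:
#    2 = disable with notification, 3 = only digitally signed, 4 = disable all.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $k = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    New-Item $k -Force | Out-Null
    Set-ItemProperty $k -Name VBAWarning -Value 3 -Type DWord
}
'Macro policy set to "disable except digitally signed" for Word, Excel and PowerPoint.'
```

Controlled Folder Access will start prompting when legitimate programs (backup tools, some games) try to write to protected folders; allow them individually under Ransomware protection > Allow an app through Controlled folder access rather than turning the feature off.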

When to Call in Professional Help

If the ransomware variant isn't identified by ID Ransomware, if scans find nothing but the ransom note persists, or if you've tried the above steps and files remain encrypted, it's time to bring in professional support. We handle these cases every week at Vivid Repairs. Some infections are stubborn, some involve multiple malware components, and some have anti-removal features that require manual intervention. A professional technician can do a full disk analysis, manually remove persistence mechanisms, attempt decryption with specialist tools, or guide you through enterprise-grade recovery. It's not cheap, but it's dramatically cheaper than paying the ransom and infinitely more reliable.

If your ransomware is a current build from an active gang, a decryptor probably doesn't exist anywhere yet. Keys for these families surface only after a takedown or a leak, and then typically only for victims of older builds (REvil in 2021, LockBit in 2024). Your only real path today is offline backups or a full system rebuild. No guide can fix that, and no tool can decrypt something that was encrypted with a key only the attacker holds.

Preventing Ransomware on Windows 11

Prevention is always cheaper and less painful than recovery. The ransomware ecosystem is massive now, with Ransomware-as-a-Service affiliate networks selling kits to thousands of attackers. You're not paranoid if you assume another attempt is coming; the affiliate model means the same kit is aimed at millions of machines, and yours has already been on a list once.

Backups are your primary defence. Not backups on the network, not backups in your cloud account that gets synced to your PC. Offline, physically disconnected backups that exist nowhere except on a drive you control and store safely. Keep more than one generation, so that a backup taken after the encryption started can't overwrite your last good copy. This neutralises the encryption side of the threat: even if every file gets encrypted, you restore from backup and you're done. It does not undo the other half of a modern attack, the data the gang copied out before encrypting and threatens to publish; only keeping them out in the first place covers that.

Keep Windows and all software updated without delay. Patch Tuesday is the second Tuesday of every month when Microsoft releases security updates. Install them within a week. Same goes for your browser, your document readers, your media players, any software that talks to the internet. Old vulnerabilities are low-hanging fruit for ransomware gangs.

Be paranoid about email attachments. If someone sends you a .zip file, a .docx file, a .pdf file, or an .exe file unexpectedly, don't open it. Check with them first. Look at the sender's actual email address, not just their display name (attackers spoof those instantly). If an email claims to be from your bank but doesn't use your bank's actual domain, it's almost certainly malicious. Phishing is how the majority of ransomware infections start.

Disable macros in Office documents by default. Some ransomware arrives as a Word or Excel file with malicious macros. Go to File > Options > Trust Center > Trust Center Settings > Macro Settings and select "Disable all macros with notification", or the stricter "Disable all macros except digitally signed macros". You'll get a prompt if a document contains macros, and you can choose to enable them only for trusted files. Since 2022 Office also blocks macros outright in files that carry the Mark of the Web (anything downloaded or emailed), so this setting mainly matters for files that arrive by routes that don't set the mark, such as USB sticks or some third-party archive tools.

Use strong, unique passwords and multi-factor authentication. If your password is easy to guess or reused across sites, and one of those sites gets breached, attackers now have credentials for your Windows system. They log in remotely, disable antivirus, deploy ransomware from inside your network. Multi-factor authentication (a second factor like an authenticator app or hardware key) defeats a stolen or guessed password because they also need your phone or key. Prefer a hardware key or passkey over SMS codes, which can be phished or intercepted.

Consider a hardware firewall or network segmentation if you have multiple devices. A simple VLAN or separate WiFi network for guest devices prevents one infected device from reaching your critical systems. This is more relevant in business settings, but home power-users benefit too.

Remove Ransomware Windows 11: Final Takeaway

Removing ransomware from Windows 11 without paying is absolutely possible, but your success hinges on knowing what you're dealing with and having backups. ID Ransomware to identify your variant, No More Ransom for free decryption tools, Malwarebytes to remove the malware code, and offline backups as your recovery engine. If decryption doesn't exist (which is likely with modern variants), System Restore and shadow copies are your fallbacks, and if those fail, you learn an expensive lesson about offline storage.

Prevention is relentless boring repetition: backups, patches, caution with email, strong passwords, multi-factor authentication. None of it's exciting, all of it works. The people who get ransomware twice are the ones who skip these steps the second time around. The people who never pay are the ones with offline backups. That's not luck, that's infrastructure.

Common Ransomware Variants and Their Decryption Status

Understanding which families have free decryption can guide your recovery strategy immediately. The families that are genuinely neutralised are the retired ones whose keys got out: GandCrab, which infected millions before the gang shut down in 2019 and whose decryptors came out of a Bitdefender, Europol and Romanian police operation; TeslaCrypt, whose authors released the master key themselves; and the original Petya/GoldenEye, whose master key was published by its author in 2017. WannaCry is the exception to its own fame: no master key was ever recovered, and the only recovery method depends on finding the key in memory on a machine that hasn't been rebooted.

Newer Ransomware-as-a-Service operations like LockBit, BlackCat (ALPHV) and, until its takedown, REvil operate more like criminal franchises, rotating builds and per-victim keys so that any one leak covers as few victims as possible. Free decryption for these appears only after law enforcement seizes infrastructure (REvil's keys in 2021, LockBit's in 2024), and it covers victims of the builds that were seized, not whatever the surviving affiliates deploy next. This is why identification matters immediately; if your family is one of the active-gang ones, you need to know straight away so you can shift to backup recovery.

Understanding the Economics of Paying Ransoms

You'll hear varied advice about whether to pay, often from people whose business depends on it. Here's the reality: if you pay, you're funding future attacks against you and everyone else, and you're not guaranteed to get your files back. The FBI, CISA and law enforcement across the world explicitly advise against payment. Victim surveys published by incident response and security firms consistently find that a substantial share of those who pay receive no working decryptor at all, and that those who do often find it slow, buggy or unable to restore every file, because the gang's decryptor is an afterthought written by people who never intended to support it.

More importantly, paying tells the gang your organisation pays. You're now on their list for repeat extortion. Many victims get hit again by the same gang within weeks, sometimes with escalating demands because the gang knows you have budget to pay. It's a business decision that rarely pays off and usually compounds the damage.

Offline backups eliminate this entire equation. You don't negotiate with ransomware gangs; you restore from backup and move on. That's the conversation worth having with your business or in your own planning.

Ransomware Removal Summary

Removing ransomware from Windows 11 without paying means isolating your system immediately, identifying your variant, checking for free decryption tools, scanning with Malwarebytes to remove the malware, and recovering files from backups, System Restore, or recovery tools. Modern attacks rarely yield to decryption because the gangs use properly implemented public-key cryptography: each file is encrypted with its own symmetric key, and that key is wrapped with the attacker's public key, so without their private key there is nothing to brute-force. Your real defence is offline backups and the discipline to keep them truly disconnected. If you have no backups and no free decryption option exists, professional recovery is your only path forward, and even that has limits. Build your backups now, before you need them. That's not paranoia, that's responsible security architecture.

Frequently Asked Questions

Can ransomware be removed without paying?

Yes, sometimes. Many older ransomware strains have decryption tools available free from No More Ransom (nomoreransom.org), maintained by Europol and partner law enforcement agencies and security companies; its Crypto Sheriff page lets you upload a note and an encrypted sample to check for a matching decryptor. However, newer variants often lack free decryption options, which is why prevention and backups matter far more than recovery.

Can I remove ransomware using recovery mode?

Recovery mode can help, but it's not a complete solution. Ransomware encrypts files, so recovery mode won't decrypt them. What it can do is get you into Safe Mode, Microsoft Defender Offline scan and System Restore, which roll back the system state and often remove the malware's persistence. It does not bring back your documents, and if your backups were also encrypted, it won't help recover the actual files. This is why offline backups are critical.

Is it safer to remove ransomware in Safe Mode?

Safe Mode is generally safer than normal mode because it loads only essential drivers and services, so most ransomware doesn't start. It's not a guarantee: some families add themselves to the services Windows allows in Safe Mode, and a few deliberately reboot into Safe Mode themselves to get out from under antivirus. Safe Mode is useful for running scans and recovery tools, but don't assume it stops the infection entirely.

How is this different from removing other malware?

Ransomware encrypts your files and demands payment, whereas most malware steals data or uses your PC for other purposes. Deleting the malware code is necessary but not sufficient: it stops further encryption, but it doesn't undo the encryption already done. You need both removal and recovery strategies, which is why this approach differs from fixing regular malware infections.

Should I just pay the ransom?

No. Surveys of victims consistently find that a large share of those who pay never receive a usable decryptor, and even a working decryptor frequently fails on some files or is too slow to be practical. You're funding criminal operations and incentivising future attacks. Offline backups are your only reliable recovery path.