Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
You turn on your computer and something is immediately wrong.
Your files have strange extensions. A message fills your screen demanding payment — usually in Bitcoin — in exchange for getting your data back. A countdown timer ticks away. The message threatens that if you don’t pay within 48 hours, your files will be deleted forever.
Your stomach drops.
This is ransomware, and it happens to real people every single day — not just corporations or hospitals. According to the FBI’s Internet Crime Complaint Center, ransomware complaints cost victims hundreds of millions of dollars each year, and that figure only reflects cases that get reported.
Here’s the most important thing to know right now: do not pay the ransom. Not yet. Maybe not ever.
There’s a clear, logical set of steps you can take that give you the best possible chance of recovering your files, limiting the damage, and coming out the other side without handing money to criminals. This guide walks you through all of them, in plain English, one step at a time.
First: Understand What Just Happened
Before you do anything else, it helps to understand what ransomware actually did to your computer — because that knowledge shapes every decision you’ll make next.
Ransomware is malicious software that encrypts your files. Encryption scrambles them using a digital key, making them completely unreadable without the matching decryption key — which the attacker holds. The ransom note is essentially the attacker saying: “Pay us, and we’ll give you the key.”
Most modern ransomware attacks follow a predictable pattern:
- You clicked a link, opened an attachment, or downloaded something that delivered the malware
- The ransomware ran silently in the background, often for minutes or hours
- It encrypted your files — documents, photos, videos, spreadsheets — and renamed them with unfamiliar extensions
- It deleted your system’s “shadow copies” (Windows’ built-in backup snapshots) to limit your recovery options
- It dropped the ransom note on your screen
Understanding this helps you realize something critical: the encryption has already happened. Paying or not paying won’t change what’s been done to your files. What matters now is your recovery path — and that path starts with the steps below.
Step 1: Disconnect From the Internet and Your Network — Immediately
The very first thing you should do — before reading further, before calling anyone, before doing anything — is disconnect your computer from the internet and any network it’s connected to.
Pull the ethernet cable out. Turn off Wi-Fi. If the computer is connected to other devices or a home or office network, disconnect all of it.
Why does this matter so urgently? Because some ransomware variants are designed to spread. Once they’ve encrypted your files, they look for other connected devices — other computers, external drives, network-attached storage — and start encrypting those too. Every second your computer stays connected is a second the damage can expand.
If you’re on a work network, notify your IT department immediately and let them handle network isolation. This is not a moment to feel embarrassed — it’s a moment to act fast.
What to do:
- Unplug ethernet cable
- Disable Wi-Fi (use the physical switch if your laptop has one, or hold the power button to force shutdown)
- Disconnect any external hard drives, USB drives, or cloud sync tools that are actively connected
- If other devices share your network, check them immediately for signs of infection
Step 2: Don’t Turn Off Your Computer (Yet)
This feels counterintuitive. Your instinct is probably to shut the whole thing down. But in many cases, turning off your computer immediately can actually hurt your recovery chances.
Here’s why: some ransomware variants don’t fully complete their encryption process before showing you the ransom note. If the attack is still partially in progress, shutting down mid-encryption can leave files in a corrupt, partially-encrypted state that’s harder to recover. More importantly, cybersecurity professionals can sometimes extract useful information from a live infected system — including potential decryption clues still held in memory.
There are exceptions. If the ransomware is visibly still running and actively encrypting files in real time (you can see files changing rapidly), then a hard shutdown may actually stop further damage. This is a judgment call.
For most people in most situations: leave the computer on, disconnected from the internet, and move to the next steps before touching the power button.
Step 3: Document Everything
Before you do anything that might change the state of your system, document what you’re seeing.
Take photos with your phone of the ransom note — the full screen. Note down:
- The exact text of the ransom message
- Any email addresses or contact details the attackers provided
- The name of the ransomware if it’s mentioned (many ransom notes identify themselves)
- The cryptocurrency wallet address listed for payment
- The demanded amount
- Any deadline shown
This documentation matters for several reasons. You’ll need it if you report the attack to the FBI or your local law enforcement (which you should — more on that below). It also helps cybersecurity researchers identify the ransomware variant, which is the first step toward finding out whether a free decryption tool already exists.
Step 4: Identify the Ransomware Strain
This is potentially the most valuable step in this entire guide, because it could mean the difference between paying nothing and recovering everything.
A project called No More Ransom (nomoreransom.org) — backed by Europol, the Dutch National Police, and major cybersecurity firms — maintains a free database of decryption tools for hundreds of known ransomware strains. Researchers have cracked the encryption on many of them.
To use it:
- Go to nomoreransom.org on a different, uninfected device
- Use their “Crypto Sheriff” tool — upload a sample encrypted file or paste the text from your ransom note
- The tool will try to identify the ransomware variant
- If a decryption tool exists for your strain, you can download and use it for free
This doesn’t work for every ransomware strain. Newer or more sophisticated variants may not have a solution yet. But it costs you nothing to check, and it works more often than most people realize. Before you even think about paying a ransom, spend fifteen minutes on this website.
You can also search for the ransomware name (found in your ransom note or in the new file extensions) plus the word “decryptor” to find solutions published by security researchers.
Step 5: Report It to the Authorities
Most people skip this step because they assume nothing will come of it. That’s understandable — but it’s the wrong call.
In the United States, report ransomware attacks to:
- FBI’s IC3: ic3.gov — the Internet Crime Complaint Center collects ransomware reports and uses them in active investigations
- CISA: cisa.gov — the Cybersecurity and Infrastructure Security Agency has specific ransomware reporting guidance
- FTC: reportfraud.ftc.gov — especially relevant if personal financial data was exposed
Why bother? A few real reasons. Law enforcement agencies have, in multiple cases, tracked ransomware attackers and recovered funds — sometimes even years after an attack. The FBI has seized cryptocurrency wallets from ransomware groups and returned funds to victims. This is rare but it happens, and it only happens when people report.
More practically: if your home business is affected, your insurance may require a police report. And if you work remotely, your employer needs to know about a potential breach.
Step 6: Assess Whether You Have a Backup
Now comes the question that will determine most of what happens next: do you have a backup?
Specifically, do you have a backup that was stored somewhere the ransomware couldn’t reach — an external drive that was disconnected at the time of the attack, a cloud backup service, a network drive that wasn’t connected?
If yes, you’re in a strong position. The recovery path becomes relatively straightforward: wipe the infected drive, reinstall your operating system, and restore from backup. Your data comes back. The attacker gets nothing.
If no — or if your backup was connected and also got encrypted — your options are narrower, but not zero. Here’s your checklist:
- Check cloud services: Did you have OneDrive, Google Drive, Dropbox, or iCloud syncing your files? Many cloud services keep version histories. Log in from a clean device and check whether you can roll back to pre-encryption versions of your files.
- Check for shadow copies: Some ransomware deletes Windows shadow copies, but not all do. A data recovery specialist may be able to retrieve previous versions of files.
- Professional data recovery: Companies specializing in ransomware data recovery exist and have tools beyond what consumers can access. This is expensive and success isn’t guaranteed, but it’s an option worth knowing about.
The brutal truth is that if you have no backup and no cloud history, you may lose some or all of your encrypted files. This is devastating, and we don’t want to minimize it. But it’s also the outcome that motivates having a backup strategy from this point forward — something we’ll address at the end of this guide.
Step 7: Wipe and Reinstall — Don’t Just Remove the Malware
Here’s a mistake a lot of people make: they run an antivirus scan, it finds and removes the ransomware, and they think they’re done.
They’re not.
Ransomware often comes with additional malware — keyloggers, backdoors, remote access tools — that can persist even after the ransomware itself is removed. Some sophisticated variants install themselves in ways that survive a standard malware scan. The only way to be truly certain your system is clean is a full wipe and reinstall.
The process:
- Boot from a USB drive or external media (not your infected hard drive)
- Perform a full format of the infected drive — this erases everything
- Reinstall your operating system from scratch
- Restore your files from a clean backup
- Reinstall your applications fresh
- Update everything immediately before reconnecting to the internet
Yes, this is a hassle. But a partially-cleaned system is a system you can never fully trust. Given that ransomware attackers sometimes maintain persistent access to re-deploy attacks on the same victim, a clean install isn’t paranoia — it’s common sense.
If you’re not comfortable doing this yourself, a local computer repair shop can walk you through it. Make sure they understand the full picture of what happened.
Step 8: So Should You Ever Pay the Ransom?
Let’s address this directly, because it’s the question burning in the back of your mind.
The FBI, CISA, FTC, and virtually every cybersecurity expert on the planet recommend against paying ransoms. The reasons are practical, not just moral:
- There’s no guarantee you’ll get a working decryption key. Ransomware groups are criminals. They have no obligation to honor the transaction, and many don’t.
- It marks you as a target who pays. Paying once often leads to being attacked again. Word circulates in criminal networks.
- It funds future attacks. Every payment makes the next attack on someone else more likely.
- Law enforcement may be watching the wallet. In some active investigations, paying could complicate things legally.
That said — the real world is complicated. For some businesses, irreplaceable data is genuinely worth enormous sums. For individuals who don’t have backups and have critical files at stake, the decision can feel impossible.
If you’re genuinely considering paying, do these things first:
- Exhaust the No More Ransom database
- Consult a cybersecurity professional — some specialize in ransomware negotiation and have gotten demands reduced by 80–90%
- Verify the attacker can actually decrypt your files by asking them to decrypt one sample file before you pay anything
- Never pay before doing all of this
The ransom demand is not your only option. Treat it as the last resort, not the first.
Common Mistakes to Avoid
People under stress make predictable mistakes. Here are the ones that make the situation worse:
Rebooting your computer repeatedly. This can trigger additional malware payloads or cause further file corruption. Avoid it unless you have a specific reason.
Paying immediately in a panic. The countdown timer is a psychological pressure tactic. In most cases, the deadline is fake or extended automatically. Don’t let urgency override logic.
Plugging in your backup drive while the system is still infected. If the ransomware is still active, it will encrypt your backup too. Always isolate the system first.
Assuming your other devices are safe. Check every device that was on the same network. Look for unusual file extensions, slow performance, or locked files.
Not telling anyone. If you use your computer for any work purposes, even freelancing, other people may be affected. Get ahead of it.
How to Make Sure This Never Happens Again
Once you’re through the immediate crisis, the most valuable thing you can do is build a defense that means you never have to go through this again. The good news: it’s genuinely not that complicated.
Back up your files — today, not someday. Follow the 3-2-1 rule: three copies of important data, on two different types of storage, with one stored offline or offsite. An external hard drive that you keep disconnected when not in use is a powerful safeguard. A cloud backup service adds another layer.
Install reputable antivirus with ransomware protection. Windows Defender alone isn’t enough for most users. Look for antivirus software with behavioral detection and protected folder features — these can stop ransomware mid-execution even for strains nobody has seen before. We’ve tested the leading options across exactly these scenarios, and the differences matter.
Keep everything updated. The WannaCry attack infected hundreds of thousands of computers using a vulnerability Microsoft had already patched. The people who got hit simply hadn’t installed the update. Turn on automatic updates for Windows, your browser, and your antivirus.
Learn to spot phishing emails. The majority of ransomware arrives via email. A link that looks legitimate, an attachment from a known sender, a fake invoice — these are the most common entry points. Our phishing protection guide walks through the warning signs in detail.
Check if your data is already on the dark web. Breach data is frequently used to craft targeted attacks. See our guide on checking your breach exposure to find out if your email or credentials have already been compromised.
The Honest Summary
Getting hit by ransomware is one of the most stressful experiences a computer user can face. The ransom note is designed to make you feel like you have no choice, no time, and no options.
That’s not true.
You have steps you can take. You have free resources available. You have a path forward that doesn’t involve handing money to criminals and hoping they keep their word.
Disconnect. Document. Identify. Report. Recover from backup if you have one. Wipe and reinstall. Build better defenses.
And if you don’t have a backup today — make one before you close this tab. It’s the single most powerful thing you can do, and it costs less than an hour of your time.
Frequently Asked Questions
What should I do first if I get ransomware? Disconnect your computer from the internet and your network immediately — unplug the ethernet cable and disable Wi-Fi. This prevents the ransomware from spreading to other connected devices. Do this before anything else, even before reading the ransom note in full.
Can ransomware be removed without paying? In many cases, yes. Ransomware software can often be removed with antivirus tools or a full system wipe. The harder question is file recovery — removing the ransomware doesn’t automatically decrypt your files. Recovery depends on whether a free decryption tool exists (check nomoreransom.org) or whether you have a clean backup.
Does paying the ransom actually get your files back? Not reliably. While some ransomware groups do provide decryption keys after payment to maintain a reputation for “reliability,” many victims pay and receive nothing. The FBI advises against paying in all cases. Payment also makes you a repeat target and funds further criminal activity.
How do I know which ransomware infected my computer? Look at the ransom note — many strains identify themselves. Also check the new file extensions on your encrypted files (for example, .locky, .ryuk, .wncry). Uploading a sample to the Crypto Sheriff tool at nomoreransom.org can identify the strain automatically.
Can ransomware spread to other devices on my network? Yes, absolutely. Some of the most destructive ransomware variants — including WannaCry and NotPetya — were specifically designed to spread across networks. Isolate the infected device immediately and check all other connected devices for signs of infection, including unusual file extensions or locked files.
Will my antivirus remove ransomware after it’s already infected my computer? Antivirus can remove the ransomware program itself, but it cannot decrypt your files — that requires the decryption key or a publicly available decryptor tool. More importantly, running a scan and removing the malware doesn’t guarantee the system is clean. A full wipe and reinstall is the safest path to a trustworthy system.
How can I protect myself from ransomware in the future? Three things matter most: keep offline backups of your important files (the single most effective defense), install antivirus software with behavioral detection and ransomware-specific protection, and learn to recognize phishing emails — the most common ransomware delivery method. Keeping all your software updated is equally critical, as many attacks exploit known vulnerabilities that patches have already fixed.
