Search guides

Fix Windows that has ransomware

We'll help you disconnect, avoid paying, check for decryption tools, and restore from backup—or tell you when to call a pro.

Troubleshooting · Home maintenance
1–4 hours
What you'll need
  • Clean backup (if available)
  • Another device to search for decryption tools
Step 1 of 5

Quick triage — pick your path

Get started

Choose the option that matches what you see. You can jump straight to that section.

Show full guide

Steps

Goal: Disconnect, avoid paying, check for decryption tools, and restore from backup.

  • Disconnect from the internet and drives. Do not pay. Check nomoreransom.org for free decryption tools.
  • Good: Decryption tool works or you have a clean backup.
  • Bad: Reinstall Windows. Call a professional.

Disconnect first

Goal: Limit the spread of ransomware.

  • Unplug Ethernet, turn off Wi-Fi, disconnect external drives.
  • Good: PC is isolated.
  • Bad: Disconnect before doing anything else.

Check decryption tools

Goal: See if free decryption is possible.

  • nomoreransom.org. Search for your ransomware. Upload an encrypted file if prompted.
  • Good: Tool available. Download and run it.
  • Bad: Restore from clean backup or reinstall. Call a pro.

When to get help

Call a professional immediately. They can:

  • Assess the ransomware and check for decryption tools.
  • Help with recovery and backup verification.
  • Advise on whether paying is ever appropriate (usually not).

Verification

  • PC is disconnected from network and other devices.
  • You have not paid the ransom.
  • Files decrypted or restored from clean backup.
  • Windows reinstalled if no recovery option.

Escalation ladder

Work from the device outward. Stop when the problem is fixed.

  1. Disconnect Unplug network and drives.
  2. Do not pay Do not pay the ransom.
  3. Check nomoreransom.org Search for free decryption tools.
  4. Restore from backup Restore from clean, offline backup.
  5. Reinstall Windows Reset PC; restore from clean backup.
  6. Call a pro Call immediately for assessment.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

  • Ransomware name or extension
  • Ransom note text or screenshot
  • Whether backup exists and is clean
  • Steps already tried

Is the PC still connected?

Disconnect to limit spread.

Unplug network and drives. Good: Disconnected—identify ransomware. Bad: Disconnect now.

No Yes

You can change your answer later.

Disconnect

Unplug Ethernet, turn off Wi-Fi, disconnect drives.

Done

Is there a decryption tool?

nomoreransom.org has free tools.

Check nomoreransom.org. Search for your ransomware. Good: Tool exists—download and run. Bad: Restore from backup or reinstall.

Yes No

You can change your answer later.

Run decryption tool

Download from nomoreransom.org. Run on encrypted files. Restore from backup if needed.

Done

Do you have a clean backup?

Backup from before infection, stored offline. Good: Reinstall Windows, restore. Bad: Reinstall; files may be lost. Call a pro.

Done

Reviewed by Blackbox Atlas

Frequently asked questions

Should I pay the ransom?
No. Payment does not guarantee decryption, funds criminals, and encourages more attacks. Check for free decryption tools first.
Can I decrypt my files without paying?
Sometimes. nomoreransom.org lists free decryption tools for known ransomware. If no tool exists, recovery depends on backup.
When should I call a professional?
Immediately. Ransomware is serious. A professional can assess options, check for decryption tools, and help with recovery.

Rate this guide

Was this helpful?

Continue to