Files locked by ransomware demanding Bitcoin? Here's your fix

Cybersecurity & Malware | Intermediate | May 28, 2026

Ransomware encrypts your files and demands cryptocurrency payment. Start with the quickest fix—restore from backup—before trying advanced recovery tools.

Before you start: What's happening and what not to do

You opened a PDF, an email attachment, or maybe you clicked a shady ad. Next thing you know, your files have weird extensions like .encrypted or .locked. A pop-up or a text file on your desktop says your photos, documents, and databases are encrypted. Pay 0.5 Bitcoin (or whatever amount) to get them back. You're panicking. I get it.

Do not pay the ransom. Paying doesn't guarantee you'll get your files back. The attackers might take your money and disappear. Or they might send you a broken decryptor. Or they might hit you again later because you're now a known payer. Also, paying funds more ransomware attacks. So don't do it.

Your real goal: get your files back without paying. Here's the right order to try.

30-second fix: Restore from backup (this is the only reliable fix)

If you have a backup, stop reading and restore it right now. That's it. That's the fix.

What kind of backup works? An external hard drive that wasn't plugged in when the ransomware hit. Or a cloud backup like Backblaze, OneDrive, or Google Drive that keeps version history. If your backup drive was connected when the ransomware ran, it's probably encrypted too. So check that first.

How to restore from a Windows File History backup:

  1. Open Settings (Windows key + I).
  2. Click Update & Security > Backup.
  3. Click More options > Restore files from a current backup.
  4. Browse through the snapshots and pick the files you need. Restore them to a folder on your desktop, not the original location (in case the ransomware is still running).

After restoring, you should see your original files with their original names and extensions. The ransomware-encrypted ones will still be there too, so you can delete those later.

No backup? Don't panic. Move to the next section.

5-minute fix: Disconnect and identify the ransomware

If you don't have a backup, your next step is to stop the ransomware from spreading and figure out what you're dealing with. Some ransomware strains have free decryptors available. Others don't. You need to know which one you've got.

Step 1: Kill the internet and disconnect from the network

Pull the Ethernet cable out of your computer. Or turn off Wi-Fi from the icon in the system tray. If you're on a corporate network, tell your IT person immediately—ransomware spreads across network drives fast.

After disconnecting, your computer is isolated. The ransomware can't reach network drives or other computers to encrypt more files, and it can't call home to the attacker's server.

Step 2: Check the ransom note for clues

Look on your desktop or in folders where your files were. There's usually a text file or HTML file with names like HOW_TO_DECRYPT.txt or READ_ME.html. Open it. It'll have the attacker's email address and a Bitcoin wallet address.

Write down the exact file extension added to your files (like .enc, .aaa, .crypt). Also note the ransom note's wording. Different ransomware families use specific phrasing. This matters for the next step.

Step 3: Upload a sample to ID Ransomware

Go to id-ransomware.malwarehunterteam.com on another computer (not the infected one). Upload a copy of the ransom note and one encrypted file. The site will analyze them and tell you which ransomware family hit you.

After a few seconds, you'll get a result like "Stop/Djvu" or "Phobos" or "LockBit." Write this down. Some families (like Djvu) have free decryptors. Others (like LockBit) don't. This tells you if you can fix this yourself or if you'll need the advanced step.
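To collect what Steps 2 and 3 ask for (the appended extension and the ransom note), the inventory can be scripted. This is an added example, not part of the original article; it assumes Python 3 is available on a clean machine that can read the affected drive or a copy of it, and the function names, extension lists and sample tree are made up for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ordinary user-file extensions; "report.docx.locked" has one of these as its
# second-to-last suffix, which marks the last suffix as appended.
USER_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg",
             ".png", ".sql", ".mdb", ".zip"}
NOTE_EXTS = {".txt", ".html", ".hta"}


def triage(root):
    """Return (Counter of appended extensions, {note filename: folder count})."""
    appended = Counter()
    note_dirs = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffixes = [s.lower() for s in Path(name).suffixes]
            if len(suffixes) >= 2 and suffixes[-2] in USER_EXTS:
                appended[suffixes[-1]] += 1
            elif suffixes and suffixes[-1] in NOTE_EXTS:
                note_dirs.setdefault(name.lower(), set()).add(dirpath)
    # Ransom notes are typically dropped into every folder that was touched,
    # so the same filename in two or more folders is a candidate.
    notes = {n: len(d) for n, d in note_dirs.items() if len(d) >= 2}
    return appended, notes


def demo():
    """Run triage over a constructed sample tree (all names are made up)."""
    sample = ("Docs/report.docx.locked", "Docs/budget.xlsx.locked",
              "Docs/READ_ME.html", "Pics/cat.jpg.locked",
              "Pics/READ_ME.html", "Pics/untouched.png")
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample")
        appended, notes = triage(tmp)
    return appended.most_common(1)[0], notes


if __name__ == "__main__":
    (ext, count), notes = demo()
    print(f"most common appended extension: {ext} ({count} files)")
    print(f"ransom note candidates: {notes}")
```

Ordinary files such as readme.txt can also repeat across folders, so treat the note list as candidates to open and read, not as a verdict.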

15+ minute fix: Try a free decryptor or go nuclear

Here's where you decide: is there a free tool that can decrypt your files, or do you need to wipe the machine and start fresh?

If ID Ransomware says your strain has a free decryptor

Go to NoMoreRansom.org (a legit site run by Europol, Kaspersky, and other security firms). Search for your ransomware family in their decryptor database. Download the tool to a clean USB drive from another computer, then run it on your infected PC.

How to use a decryptor tool (example with Djvu):

  1. Download Emsisoft Decryptor for Stop/Djvu from NoMoreRansom.
  2. Copy the .exe file to a USB drive.
  3. Plug the USB into the infected computer (don't copy the encrypted files—run the tool directly).
  4. Double-click the decryptor. It'll scan your drives for encrypted files.
  5. Click Decrypt. The tool will try to recover your files. This might take 10-30 minutes depending on how many files you have.

After it finishes, check your documents, photos, and databases. If they open normally, you're done. Delete the encrypted copies and the ransom note.

Important: Many decryptors only work if the ransomware had an "offline key" vulnerability. If your ransomware used a unique online key, the decryptor won't work. That's rare for Djvu but possible.
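Both "check that first" for a backup drive and "if they open normally" after a decryptor run come down to the same question: do the files still have the structure their extension promises? The sketch below is an added example, not part of the original article or of any decryptor; it assumes Python 3, and the function names and sample files are made up. It checks Office and ZIP files fully (every member's CRC) and other types by header only.

```python
import tempfile
import zipfile
import zlib
from pathlib import Path

HEADERS = {".pdf": b"%PDF-", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
           ".png": b"\x89PNG\r\n\x1a\n"}
ZIP_BASED = {".zip", ".docx", ".xlsx", ".pptx"}  # Office files are ZIP containers


def verify(path):
    """Return 'ok', 'damaged' or 'unchecked' for one file."""
    ext = Path(path).suffix.lower()
    if ext in ZIP_BASED:
        try:
            with zipfile.ZipFile(path) as zf:
                # testzip() reads every member and names the first bad CRC.
                return "ok" if zf.testzip() is None else "damaged"
        except (zipfile.BadZipFile, zlib.error, OSError):
            return "damaged"
    if ext in HEADERS:
        with open(path, "rb") as fh:
            return "ok" if fh.read(8).startswith(HEADERS[ext]) else "damaged"
    return "unchecked"


def verify_tree(root):
    """Group every file under root by verify() result, as relative paths."""
    results = {"ok": [], "damaged": [], "unchecked": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            results[verify(p)].append(p.relative_to(root).as_posix())
    return results


def demo():
    """Check a constructed sample folder (contents are made up)."""
    garbage = bytes(range(7, 200, 3))  # stands in for still-encrypted data
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp, "good.docx"), "w") as zf:
            zf.writestr("word/document.xml", "<w:document/>")
        Path(tmp, "bad.docx").write_bytes(garbage)
        Path(tmp, "photo.png").write_bytes(HEADERS[".png"] + garbage)
        Path(tmp, "scan.pdf").write_bytes(garbage)
        Path(tmp, "notes.txt").write_bytes(b"plain text")
        return verify_tree(tmp)
```

For PDFs and images a matching header only shows that the start of the file is intact, so still open a sample of them before deleting any encrypted copies.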

If no free decryptor exists: Wipe and restore

This is the hard truth: some ransomware families (like Ryuk, LockBit, or Maze) have no public decryptor. Your files are gone unless you have a backup. In that case:

  1. Back up the encrypted files to an external drive (just in case a decryptor appears later).
  2. Format your hard drive and reinstall Windows. Use a Windows installation USB from another computer.
  3. After Windows is clean, restore your files from backup (the one you made before the ransomware hit, remember?).
  4. If you don't have a backup, consider using a file recovery tool like Recuva or PhotoRec to try and recover deleted originals. Ransomware sometimes deletes the original files after encrypting them—the originals might still be on the disk if you act fast and don't write new data to the drive. This is a long shot, but it's worth trying.

After you're clean: Prevent it from happening again

You don't want to go through this again. Here's what to do today:

  • Enable Windows ransomware protection. Go to Windows Security > Virus & threat protection > Ransomware protection and turn on Controlled folder access. This blocks apps from changing files in your Documents, Pictures, and other folders unless you approve them.
  • Set up automatic backups. Use Windows File History or a tool like Backblaze. Make sure the backup drive isn't always connected. Schedule backups daily.
  • Keep your software updated. Ransomware often exploits old vulnerabilities in Windows, Java, or Adobe Reader. Install updates regularly.
  • Don't open suspicious attachments. If an email says "Your invoice" and you weren't expecting an invoice, delete it. If a PDF asks you to enable macros, close it.

That's it. Start with the backup restore. If that fails, identify the ransomware. Then try a free decryptor or wipe and rebuild. Don't pay. And for heaven's sake, back up your stuff now. You'll thank me later.
