Fix 'Access Denied' on encrypted files after ransomware attack

30-second fix: Take ownership of the file or folder

Ransomware often strips your user account's permissions. The quickest way back in is to take ownership. Don't bother with the GUI — it's slow and flaky here. Use the command line.

1. Right-click the affected file or folder and copy its full path.
2. Open Command Prompt as Administrator. Not PowerShell for this one — takeown works more reliably in CMD.
3. Run:

   takeown /f "C:\Users\You\Documents\encrypted_file.docx"

4. Then grant yourself full control:

   icacls "C:\Users\You\Documents\encrypted_file.docx" /grant %USERNAME%:F

If you're dealing with a whole folder tree, add /r /d y to takeown and /t to icacls. This recursive trick works 80% of the time. Still locked out? Move to the next step.

5-minute fix: Reset the security descriptor with icacls

The culprit here is almost always a corrupted or maliciously set security descriptor. The ransomware didn't just encrypt your files — it nuked the ACLs. Here's how to force a reset.

1. Open Command Prompt as Administrator.
2. Run this to reset permissions to default for the entire folder:

   icacls "C:\Users\You\Documents" /reset /t /q /c

   The /q suppresses success messages, /c keeps going on errors, and /t recurses.
3. Then re-apply your ownership:

   takeown /f "C:\Users\You\Documents" /r /d y

   icacls "C:\Users\You\Documents" /grant %USERNAME%:F /t

4. Still seeing the error? The file might be marked as read-only or hidden. Run:

   attrib -r -h -s "C:\Users\You\Documents\*.*" /s /d

This resets file attributes too. The /s flag handles subfolders. I've seen this work on files that wouldn't even let the Administrator touch them.

15+ minute fix: Registry edit to force take ownership

If the above fails, something deeper is corrupt. The ransomware may have modified the default owner or disabled the Administrator's ability to take ownership. You'll need a registry tweak.

Backup your registry first — export the whole thing or at least the key we're touching. I've seen rookies brick systems skipping this.

1. Press Win + R, type regedit, hit Enter.
2. Navigate to:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

3. Look for a DWORD called EnableLUA. If it's set to 1, change it to 0. This disables UAC temporarily. Reboot.
4. After reboot, you should be running as full Administrator. Repeat the takeown and icacls commands from step 1. They'll work now because there's no UAC stripping your rights.
5. Re-enable UAC by setting EnableLUA back to 1 and reboot.

Disabling UAC is a blunt tool. Don't leave it that way — your system becomes vulnerable. But for stubborn ransomware permission locks, it's your trump card.

Bonus tip: Check for file system errors first

Before any of these steps, run chkdsk /f on the drive. If the ransomware corrupted the MFT or NTFS metadata, permissions can look broken when they're really a disk issue. I've wasted 30 minutes on ownership fixes that chkdsk could have solved in 2.

chkdsk C: /f /r

You'll need a reboot for this. Let it run — it can take hours on large drives. After it finishes, try opening the files again. If they're still denied, proceed with the fixes above.

When to give up on this approach

If the ransomware encrypted the file contents (not just permissions), no amount of ownership fixing will help. Look at the file extension — if it's been renamed to something like .encrypted, .locked, or a random string with a specific ransom note, you're dealing with true encryption. In that case, your only options are:

• Restore from backup (external, cloud, or Volume Shadow Copy if it survived).
• Use a decryption tool from NoMoreRansom.org if the ransomware variant is known.
• Wait — law enforcement sometimes releases master keys for specific strains.

Paying the ransom funds criminals and rarely works. I've seen victims pay and get nothing. Stick with the fixes above for permission issues. They're free, fast, and work more often than you'd think.