Ransomware encrypted your files — what to do when Bitcoin demand appears
Ransomware encrypts files and demands Bitcoin. Don't pay. Disconnect, identify the strain, then use decryptors or restore from backup.
Quick answer (for advanced users)
Disconnect the machine from all networks immediately. Identify the ransomware strain via the ransom note filename and extension. Check NoMoreRansom for a free decryptor. If no decryptor exists, restore from a clean backup. Never pay — it funds crime and only ~50% of victims get data back, per FBI stats.
What's actually happening here
You clicked a phishing link, opened a malicious macro in a Word doc, or ran a cracked app that dropped a file-encrypting payload. That payload — a ransomware binary — uses strong symmetric encryption (usually AES-256) to lock your files, then encrypts the key with the attacker's RSA-2048 public key. So you can't brute-force it. The Bitcoin demand is the extortion step: you pay, they (maybe) send the private key to decrypt your files. Most strains also delete shadow copies and disable system restore to block easy recovery. This isn't a virus that damages hardware — it's purely a data hostage situation. The trigger is almost always user action: a booby-trapped email attachment (fake invoice, shipping notice) or a drive-by download from a compromised site.
Step-by-step fix
- Disconnect everything — unplug Ethernet, turn off Wi-Fi, physically pull the cable. Don't shut down normally (some strains encrypt more on shutdown). Just pull power if needed. This stops the ransomware from encrypting network shares or spreading laterally.
- Identify the ransomware strain — look at the ransom note name (README.txt, DECRYPT_INSTRUCTIONS.html, HOW_TO_RECOVER.txt) and the extension added to your files (e.g., .encrypted, .locked, .crypt, .zepto). Common strains: Locky adds .lock, CryptoLocker adds .encrypted, Ryuk renames files completely. Google the exact note text or extension — you'll find strain-specific forums.
- Check for a free decryptor — go to NoMoreRansom.org. It's a project by Europol, Kaspersky, and McAfee. Enter the extension or note text. If your strain is there (like CoinVault, CryptXXX, or TeslaCrypt), download the tool, run it on an offline, isolated machine with a copy of your encrypted files. It'll attempt to recover the key. Not all strains have decryptors — older ones do, newer ones (like Ryuk or Sodinokibi) usually don't.
- Restore from backup — this is the real fix. If you have a backup on an external drive or cloud (that wasn't connected during the attack), disconnect the infected drive, boot from a live Linux USB (like Ubuntu), mount your backup, and copy files back. For cloud backups like Backblaze or OneDrive, restore from the web interface. If your backup was connected when ransomware hit, it's probably encrypted too — learn that lesson.
- If no backup and no decryptor: don't pay — paying encourages more attacks. Only about 50% of victims actually get decryption keys. Report the incident to local law enforcement (FBI IC3 in the US, Action Fraud in the UK) — they sometimes have keys from seized servers. Then wipe the drive and reinstall the OS. You lost the data. It hurts, but it's safer.
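As an added triage helper for the "identify the strain" step (not part of the original article), this script takes a directory listing copied from the affected volume and, on a clean machine, picks out the ransom-note filenames and appended extensions named above and maps them to the strain hints the article gives. The file paths, the note-name set and the extension-to-strain table are constructed from this article's own examples and are not an exhaustive database; anything not on the page is reported as unknown.

```python
"""Offline ransomware triage: find ransom notes and tally appended suffixes."""
from collections import Counter
from pathlib import PurePosixPath

# Note filenames and extension-to-strain hints exactly as listed in the article.
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.html", "how_to_recover.txt"}
EXTENSION_HINTS = {
    ".encrypted": "CryptoLocker",
    ".lock": "Locky",
    ".locked": "unknown (generic suffix, check NoMoreRansom)",
    ".crypt": "unknown (generic suffix, check NoMoreRansom)",
    ".zepto": "unknown (listed suffix, check NoMoreRansom)",
}


def split_appended_suffix(name):
    """Return (original_name, suffix) when the last suffix is a known ransomware
    extension appended to the real name (invoice.docx.encrypted -> invoice.docx).
    A legitimate double extension such as archive.tar.gz is left alone. Strains
    that rename files completely (the article cites Ryuk) will not match here,
    so an empty tally with notes present is itself a useful signal."""
    suffixes = PurePosixPath(name).suffixes
    if suffixes and suffixes[-1].lower() in EXTENSION_HINTS:
        suffix = suffixes[-1].lower()
        return name[: -len(suffixes[-1])], suffix
    return name, None


def triage(paths):
    """Classify a listing of file paths into notes, suffix counts and strain hints."""
    notes, suffix_counts = [], Counter()
    for path in paths:
        name = PurePosixPath(path).name
        if name.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
            continue
        _, suffix = split_appended_suffix(name)
        if suffix:
            suffix_counts[suffix] += 1
    hints = sorted({EXTENSION_HINTS[s] for s in suffix_counts})
    return {"notes": notes, "suffixes": dict(suffix_counts), "strain_hints": hints}


SAMPLE_LISTING = [  # constructed sample listing, not from a real incident
    "/home/alice/Documents/invoice_2023.docx.encrypted",
    "/home/alice/Documents/budget.xlsx.encrypted",
    "/home/alice/Documents/DECRYPT_INSTRUCTIONS.html",
    "/home/alice/Pictures/holiday.jpg.encrypted",
    "/home/alice/Pictures/README.txt",
    "/home/alice/notes.txt",        # untouched file
    "/home/alice/archive.tar.gz",   # legitimate double extension, must not match
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Feed it a listing produced from a live-USB mount or a copy of the drive, not from the running infected host.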
Alternative fixes if the main one fails
If NoMoreRansom has no entry for your strain, try ID Ransomware (submit a sample file or note screenshot). It's a community database that updates faster. Also check BleepingComputer's ransomware forum — researchers sometimes post custom decryptors for newer strains. For very old strains (pre-2016), you can sometimes brute-force the encryption key if it used weak random number generation (like TeslaCrypt v1). That's advanced and requires a hex editor and knowledge of crypto primitives — not for beginners.
Another alternative: use Volume Shadow Copy Service (VSS) if not disabled. On the infected machine, open Command Prompt as admin and type vssadmin list shadows. If any shadows exist, use vssadmin restore shadow /for=C: to revert files. Most modern ransomware (like Locky) deletes VSS explicitly, but older strains (like CryptoWall v1) sometimes miss it.
Prevention tip
The only reliable defense is the 3-2-1 backup rule: three copies of your data, on two different media types, with one copy offsite (cold storage — unplugged USB drive or cloud). Ransomware can't encrypt what it can't reach. Also, disable macros in Office by default (File > Options > Trust Center > Macro Settings > Disable all macros with notification). Block script execution in email attachments via Group Policy (for Windows Pro/Enterprise). And use a DNS filter like Quad9 (9.9.9.9) or NextDNS to block known ransomware C2 domains — blocks the payload before it connects home for the encryption key. No single tool stops every strain, but layered defense makes you a harder target, and attackers move on to easier victims.