How to recover from ransomware without paying
If you're reading this because it just happened — your files are locked, there's a note demanding payment, and your stomach is somewhere around your shoes — stop for a second and breathe. You have more options than that note wants you to believe, and paying is the last and worst of them.
I'm a cybersecurity guy in Kentucky, and I've watched people panic-pay a ransom that didn't even get their files back. So here's the honest, step-by-step version of what to actually do — in order. Work through it calmly. Most of these steps cost nothing.
First, right now: cut it off
Before anything else, disconnect the infected machine from everything. Unplug the network cable, switch off Wi-Fi, and pull out any external drives or USB sticks still attached. Ransomware spreads — to other computers on your network, to shared drives, to backups it can reach. Every minute it stays connected is a minute it can encrypt more. Isolating the machine is the single most important thing you can do in the first five minutes.
Don't start deleting files or reinstalling Windows yet. And don't pay. Here's why.
Why paying is the wrong move
It's tempting — you just want your data back. But understand what paying actually buys you:
No guarantee. You're trusting criminals to hand over a working key. Plenty don't, or send a decryptor so buggy it corrupts the files it's supposed to save.
A target on your back. Paying marks you as someone who pays. Repeat attacks on the same victims are common.
You're funding the next attack — on you, or on someone else.
Law enforcement — the FBI and CISA included — is unanimous on this: don't pay. Let's get your data back another way.
Step 1: Document what you're dealing with
Take a photo of the ransom note with your phone. Note the file extension the malware added to your encrypted files (something like .locky, .crypt, or a random string). Keep one or two of the encrypted files set aside. You'll need these to identify the strain — and you'll want the record if you report it.
Step 2: Identify the strain
Different ransomware families need different decryptors, so first you have to know which one hit you. Two free tools do this:
Crypto Sheriff, on the No More Ransom project's site (nomoreransom.org). You upload two encrypted files plus the ransom note, and it tells you which strain you're looking at.
ID Ransomware (id-ransomware.malwarehunterteam.com) does the same thing.
No More Ransom is the real deal — it's run by Europol and national police forces alongside the major security companies, and it's the resource the FBI and CISA point victims to.
Step 3: Look for a free decryptor
Once you know the strain, check whether someone has already cracked it. No More Ransom hosts more than a hundred free decryption tools covering around two hundred ransomware families. If a decryptor exists for your strain, this is how you get your files back without paying a cent.
Two honest cautions:
Only about one strain in three has a free decryptor. Law enforcement releases them when they seize a criminal group's keys or find a flaw in the encryption — but many active strains have neither yet. If there's no tool for yours, that's not the end of the road (keep reading), it just means the next step matters more.
Remove the malware before you run any decryptor, and test the decryptor on copies of a few files first. Run a reputable antivirus to clean the machine, and only download decryptors from the official source — fake "decryptors" are themselves a common scam.
Step 4: Restore from a clean backup — the reliable path
This is the one that actually works, every time, if you have it: wipe the infected machine, reinstall Windows, and restore your data from a backup made before the infection.
The catch — and it's the catch that ruins people — is the words clean and before. Modern ransomware specifically hunts for your backups and encrypts those too. So a backup only saves you if:
It was disconnected or off-site when the attack hit (ransomware can't encrypt a drive it can't reach), and
You can verify it isn't already compromised before you trust it.
If your backup was a USB drive left plugged in, or a cloud folder that just dutifully synced the encrypted versions over your good ones, it may be encrypted too. Check before you rely on it.
Step 5: Report it
Report the attack to the FBI's Internet Crime Complaint Center at ic3.gov and to CISA at StopRansomware.gov. This isn't just civic duty — law enforcement sometimes holds keys for strains that aren't public yet, and reporting is how those get matched to victims. It costs you ten minutes.
Step 6: Clean up and lock the doors
Once your data is safe, don't just go back to normal:
Wipe and reinstall. Don't trust a machine that was compromised. Reinstall Windows from scratch, then restore your verified-clean data.
Change every password — but do it from a different, clean device, since the infected one may have been logging your keystrokes. Turn on two-factor authentication while you're at it.
Patch everything and figure out how it got in (usually a phishing email, a malicious download, or an exposed remote-access port) so you can close that door.
What if there's no decryptor and no clean backup?
I'll be straight with you, because pretending otherwise helps no one: if your strain has no free decryptor and you have no clean backup, your options narrow sharply. Don't delete the encrypted files — keep them. Keys for today's "unbreakable" strains have a way of surfacing months or years later when a group is taken down, and No More Ransom adds new decryptors regularly. Set those files aside and check back periodically.
If this hit a business — especially one holding customer or client data — bring in a professional and consider that you may have legal notification obligations. That's a conversation for a security pro and possibly a lawyer, not a blog post. (And to be clear: nothing here is legal advice.)
Making sure there's no next time
Here's the hard truth this whole guide circles back to: the only thing that reliably beats ransomware is a backup it can't touch and you can trust. Everything else — decryptors, negotiation, recovery tools — is a gamble that depends on luck and the specific strain. A good backup turns the worst day of your year into a two-hour annoyance: wipe, restore, done.
But "a good backup" has to mean three specific things, or it'll fail you exactly when you need it:
It's kept where ransomware can't reach it — an off-site or disconnected copy, not just a drive that lives plugged into the machine it's protecting.
It's verified — you actually know the backup is good and restorable, instead of discovering at the worst moment that it was silently corrupted months ago.
It refuses to overwrite good data with bad — so an encrypted or tampered backup never quietly replaces your clean one.
That last point is exactly the gap I built VaultGuard Backup to close. It fingerprints every backup and checks that fingerprint before it ever restores — so if a backup has been tampered with or encrypted by ransomware, VaultGuard catches it and refuses, instead of handing you back a folder full of locked files. And it keeps multiple restorable versions, so even if your most recent backup ran after the infection, you can roll back to a known-good one.
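To make the "verified" and "refuses to overwrite good data with bad" properties concrete, here is an added Python example of the fingerprint-before-restore idea; it is illustrative code written for this page, not VaultGuard's own, and the file names, the manifest layout and the simulated attack are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> str:
    """SHA-256 of a file, streamed so large backups are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Relative path -> fingerprint. Keep it OFF the backup medium (or sign it)."""
    return {p.relative_to(backup_dir).as_posix(): fingerprint(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}

def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return every problem found; an empty list means the backup is intact."""
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    problems = [f"missing: {rel}" for rel in manifest if rel not in present]
    problems += [f"modified: {rel}" for rel in manifest
                 if rel in present and fingerprint(backup_dir / rel) != manifest[rel]]
    # Files the manifest never saw: renamed .locked copies, ransom notes, etc.
    problems += [f"unexpected: {rel}" for rel in sorted(present - manifest.keys())]
    return problems

def restore(backup_dir: Path, manifest: dict[str, str], dest: Path) -> bool:
    """Copy the backup into dest only if it verifies; otherwise touch nothing."""
    if verify_backup(backup_dir, manifest):
        return False
    for rel in manifest:
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        (dest / rel).write_bytes((backup_dir / rel).read_bytes())
    return True

def demo() -> tuple[bool, list[str], bool]:
    """Constructed scenario: a clean backup restores; then ransomware reaches the drive."""
    root = Path(tempfile.mkdtemp())
    backup, dest = root / "backup", root / "restore"
    (backup / "photos").mkdir(parents=True)
    (backup / "taxes.xlsx").write_bytes(b"1040 data")
    (backup / "photos" / "kid.jpg").write_bytes(b"\xff\xd8 jpeg bytes")
    manifest = build_manifest(backup)  # fingerprinted while the backup was clean
    clean_ok = restore(backup, manifest, dest)
    # Simulated attack: one file overwritten with ciphertext, one renamed, note dropped
    (backup / "taxes.xlsx").write_bytes(b"\x9a\x11 ciphertext")
    (backup / "photos" / "kid.jpg").rename(backup / "photos" / "kid.jpg.locky")
    (backup / "README_DECRYPT.txt").write_text("pay us")
    return clean_ok, verify_backup(backup, manifest), restore(backup, manifest, dest)
```

The manifest must live somewhere the infected machine cannot write to (off-site, or signed with a key kept elsewhere), otherwise malware that encrypts the data can simply re-fingerprint it; keeping one manifest per backup run is what lets you roll back to an older known-good version.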
To be honest about what a backup tool can and can't do: VaultGuard can't undo an attack you've already suffered with nothing to restore from. What it does is make sure you never end up in that position again — that the next time, ransomware is a restore, not a ransom.
If you'd rather not learn this lesson the expensive way, you can try VaultGuard Backup free for 14 days — no credit card. And if you'd like a hand setting up a backup that ransomware genuinely can't reach, that's exactly the kind of thing I help local folks with. Reach out.
David Martin
Information Security Kentucky LLC
Protect. Prevent. Prepare.
Hardin County, Kentucky
This guide is general information for individuals and small businesses, not professional incident-response or legal advice. If you've been hit and you're not sure what to do, getting a security professional involved early is worth it.