Ransomware Incident Response: 6 Actions to Recover Encrypted Files

Check the immediate actions and steps to follow after a ransomware attack with this comprehensive guide.

The most obvious signs of a ransomware attack are a sudden inability to open your files, the appearance of unusual file extensions (like .locked or .encrypted), and a pop-up screen or text file (the ransom note) demanding payment to restore access. This is usually when the panic starts, but you must keep your calm, as what you do in the next 60 minutes is critical. The way you conduct your incident response plan and the time it takes will define your business’s reputation and future.

Ransomware attacks are becoming more common, with threat actors even adopting AI technology to target smaller and smaller businesses. So, Proven Data’s internal team of Incident Response experts and ransomware removal specialists collaborated to create this easy-to-follow process to empower you to properly identify the threat and recover your encrypted files.

Important: Every ransomware attack is unique. Factors like industry regulations, network architecture, and the specific malware strain dictate the long-term response and recovery strategy. However, the immediate triage follows universal principles, explained in this guide.

Is it possible to DIY ransomware removal?

The question of whether DIY ransomware removal is possible can be compared to asking whether you could pull your own tooth. Yes, you probably could, but an experienced, qualified professional with the right tools and setting will get the job done far less painfully and with a significantly higher success rate.

So, no, do not attempt DIY ransomware removal. As ransomware removal and decryption specialist Hassan Faraz warns, “With ransomware, you often don’t get a second chance. Treating the attack like a standard IT issue by running scripts, deleting files, or even restarting the machine, can be a catastrophic error. These actions can wipe out the very data fragments or memory keys our DFIR team would use for a successful recovery.”

Even the smallest action (or even inaction) can make data recovery impossible. So before you consider pressing Ctrl-Z or closing a window, follow the protocol in your company’s incident response plan and call your in-house IT cybersecurity expert. If you don’t have that, call Proven Data’s 24/7 support line at 877.364.5161. Meanwhile, following the steps below will increase the chances of a successful data recovery.

Action 1. Isolate the infected device(s) immediately

Unplug the Ethernet cable and immediately disconnect from Wi-Fi. This is the single most important step to stop the ransomware from spreading laterally across your network and encrypting other computers, servers, or cloud backups.

If you are on a company network, disconnect shared drives and immediately disable automated sync services (such as OneDrive or Dropbox) on the infected machine.

Warning: DO NOT PAY THE RANSOM. There is no guarantee you will get your files back. You are trusting criminals who may take your money and disappear, provide a faulty decrypter, or mark you as an easy target for a second attack.

Action 2. Do NOT turn off or restart the device

This may feel counterintuitive, but it is expert advice. Some ransomware variants keep the decryption key in the computer’s volatile memory (RAM).

Restarting the machine will erase this memory, potentially destroying the only copy of the key and making recovery impossible. Keep the system running, but completely disconnected from the internet and local network.

Action 3. Document everything

Use a separate, clean device (such as your phone) to photograph the ransom note and the screen. Do not rely on screenshots saved to the infected machine, as you may lose access to them. Pay close attention to:

  • The Name: The ransomware family (e.g., “LockBit,” “Rancoz,” “Phobos”).
  • The Extension: The file extension added to your data (e.g., .locked, .crypted, .enc).
  • The Contact: The attacker’s email, TOR link, or payment ID.

This information is vital for identifying the strain and finding a specific ransomware decrypter later.

Note on Compliance: If you handle sensitive data (PII, PHI), now is the time to notify your legal counsel or Data Protection Officer (DPO) to determine whether you need to notify regulators or law enforcement (such as the FBI or CISA).

Action 4. Attempt safe recovery from backups

Once the threat is contained, your best path to recover encrypted files is a clean, offline backup. This is why a strong 3-2-1 backup strategy is crucial.

Warning: Do not simply connect your backup drive to the infected computer. You risk encrypting your backups, too. Follow this safe restoration checklist:

  1. Verify: Confirm you have an offline backup dated before the infection timestamp.
  2. Scan: Connect the backup drive to a separate, clean computer and scan it with updated antivirus software to ensure the backup itself isn’t compromised.
  3. Wipe: Completely format the infected hard drive and reinstall the OS (Windows/macOS) from a trusted source.
  4. Restore: Only transfer the verified backup files once the machine is fresh and patched.
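As an added example (not code from Proven Data or the original article), the Python script below performs the documentation step from Action 3 and the backup-date check from step 1 of Action 4 against a read-only copy of the affected data: it tallies which suffix was appended, lists candidate ransom-note files, and records the earliest encrypted-file timestamp so a backup can be checked against it. The extension set and note-name fragments are assumptions to replace with what you photographed, and the sample directory is constructed inline; run it only against a clone or forensic image, never on the live infected machine.

```python
import os
import tempfile
import time
from collections import Counter

# Assumed values for this example: fill these in from the ransom note and the
# file extensions you photographed in Action 3.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypted", ".enc"}
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")

def triage_tree(root):
    """Read-only walk of a cloned tree: counts files per suspect suffix, collects
    candidate ransom notes, and keeps the earliest encrypted-file mtime (epoch)."""
    ext_counts = Counter()
    earliest = None
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPECT_EXTENSIONS:
                ext_counts[ext] += 1
                mtime = os.stat(path).st_mtime
                if earliest is None or mtime < earliest:
                    earliest = mtime  # estimate of when encryption began
            elif ext == ".txt" and any(h in name.lower() for h in NOTE_NAME_HINTS):
                notes.append(os.path.relpath(path, root))
    return {"extensions": dict(ext_counts), "earliest_encrypted": earliest,
            "ransom_notes": sorted(notes)}

def backup_predates_attack(backup_epoch, summary):
    """Action 4, step 1: only a backup older than the first encrypted file is a
    restore candidate; if no encrypted files were found, refuse to approve."""
    first = summary["earliest_encrypted"]
    return first is not None and backup_epoch < first

def build_sample_tree():
    """Constructed sample input: three 'encrypted' files with staggered mtimes
    (encryption pretended to start an hour ago) plus one ransom note."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    start = time.time() - 3600
    for i, name in enumerate(["q1.xlsx.locked", "contract.docx.locked", "memo.txt.locked"]):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
        os.utime(path, (start + 60 * i, start + 60 * i))
    with open(os.path.join(root, "HOW_TO_RESTORE_FILES.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder")
    return root
```

Compare the backup's own timestamp (for example the `st_mtime` of the backup archive) with `earliest_encrypted` before restoring anything.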

Action 5. Check for free ransomware decrypter tools

If you have no backups, your next option is a free decrypter tool. These are tools built by cybersecurity researchers who have successfully cracked the encryption of specific ransomware strains.

  • Upload the photos you took and an encrypted file sample to a free identifier tool, such as ID Ransomware.
  • Check the No More Ransom Project to see if a public decrypter exists for your specific variant.

Pro Tip: Never download a decrypter from a random forum or an untrusted source, as it may also be malware.

Before you run any tool, copy your encrypted files to a separate drive. A faulty decrypter can permanently corrupt them, making professional recovery impossible.

Action 6. Contact a professional recovery service

Ransomware recovery experts begin by creating a bit-for-bit forensic image of your drive and work only on that clone during decryption, preserving the original as evidence and preventing further data loss.

Proven Data’s engineers reverse-engineer the specific malware variant to identify encryption flaws. Finally, we use proprietary in-house tools for key extraction and decryption, which often enable us to recover your files.

Because every attack environment is unique, professional responders do not use a ‘one-size-fits-all’ script; we build a custom containment and recovery strategy based on your specific forensic evidence.

You should call a professional if you are in any of these situations:

  • You have no backups, or your backups were also encrypted.
  • No free decrypter tool exists for your strain.
  • You have no technical training or knowledge of cybersecurity.
  • The encrypted data is critical to a server or a database.
  • The data is simply too valuable to risk losing (e.g., business records, irreplaceable family memories).

Post-recovery check to ensure the security of your system

Getting your files back is only half the battle. The attacker is gone, but their tools (the malware) and entry point (the security vulnerability) may still be in place. Therefore, you must follow a plan to ensure your data safety before using devices and systems again.

  1. Use a bootable, offline antimalware and antivirus scanner to scan and remove the malware.
  2. Assume the attackers stole every password saved on the machine and go and change them all. This includes your local admin, email, online banking, and social media passwords.
  3. Patch your system, browsers, antivirus software, and any other programs you use.
  4. Use your digital forensics report to understand how the attack happened, then work to prevent new attacks by fixing the vulnerability.
