Ransomware attack on windows – How to fix

Published on May 29, 2026 by Fixidia Tech

A ransomware attack on Windows can lock personal files, encrypt important documents, and prevent users from accessing their own data. The first and quickest things you need to be doing/ or not doing are below:

1: Disconnect the Windows PC from the internet
2: Do not pay the ransom immediately
3: Boot Windows into Safe Mode

Victims often see ransom notes demanding payment in cryptocurrency as their photos, videos and work related files get locked. These attacks are capable of traveling through networks and external drives, making immediate action extremely important.

There are several steps you can take to contain the damage, remove the infection, and improve the chances of recovering your system safely.

How ransomware affects Windows computers

Ransomware is a type of malicious software that encrypts the files on your computer and blocks access until a ransom is paid. Most ransomware attacks are executed through phishing emails, fake downloads, malicious ads, or outdated software vulnerabilities.

A ransomware attack on Windows systems can also disable security tools, spread across connected devices, and damage backups if they remain attached to the infected PC.

Step 1: Disconnect the Windows PC from the internet

The first priority is stopping the ransomware from spreading, so quarantine your computer by disconnecting the below:

WiFi connections
Ethernet cables
External hard drives
USB storage devices
Shared network folders

Isolating the infected computer helps prevent additional devices and files on those devices from becoming encrypted.

Step 2: Do not pay the ransom immediately

This isn’t really a step but more like getting prepared for the battle, Many ransomware messages pressure victims into making fast payments.

However, paying attackers does not guarantee file recovery. The criminal can disappear after receiving payment or provide broken decryption tools. They are criminals so before considering any payment, consider other options, identify the ransomware strain and try to fight against it first.

Step 3: Boot Windows into Safe Mode

Now we try things one by one, Safe Mode to start with. It loads only essential Windows services, which should help stop active ransomware processes.

To enter Safe Mode:

Restart the computer
Hold Shift while selecting Restart
Open Advanced Startup Options
Select Safe Mode with Networking

This environment makes malware removal easier in many cases.

Step 4: Run a trusted antivirus or anti-malware scan

Use reputable security software to detect and remove ransomware components. Recommended tools include:

Microsoft Defender
Malwarebytes
Bitdefender

Update the virus definitions if possible before starting a full system scan. Virus definitions are like vaccines, you need as many as possible. Make sure to do a full and complete scan because ransomware attack on Windows may leave behind malicious background services even after encryption stops.

Step 5: Identify the ransomware strain

Different ransomware families use different encryption methods. Look for:

Ransom note filenames
New file extensions
Desktop warning messages

Identifying the ransomware type may help you find free decryptors or recovery tools created by cybersecurity researchers.

Step 6: Restore files from backups

Backups are the safest recovery method after a ransomware attack.

Check whether you have clean backups stored on:

External drives
Cloud storage
NAS devices
Backup software platforms

Before restoring data, ensure the ransomware infection is fully removed from your computer, even if you had to reset your windows, this is to avoid reinfecting recovered files.

Step 7: Use Windows System Restore if available

System Restore may help reverse some system-level changes caused by ransomware.

To access it:

Open Control Panel
Select Recovery
Choose Open System Restore

Pick a restore point created before the infection occurred. By doing this you are basically going to rewind the time on your computer and go to a date from the past that you know was safe and clean. In this case you may loose some data, but loosing some is better than loosing all and also paying money.

Step 8: Check for free decryption tools

Cyber security organizations occasionally release free decryptors for certain ransomware families. Search for decryptors related to your specific infection. Some older ransomware variants contain weaknesses that allow researchers to unlock files without paying attackers.

Unfortunately, newer ransomware strains often use stronger encryption that cannot currently be bypassed.

Step 9: Reinstall Windows if necessary

In severe infections, reinstalling Windows may be the safest option.

Back up any accessible files first, then completely format the drive and reinstall Windows from clean installation media. This removes hidden ransomware components that may survive partial cleanup attempts.

Step 10: Strengthen Windows security afterward

After recovering the system, improve your security to reduce future risks.

Important protections include:

Keeping Windows updated
Using strong antivirus software
Enabling firewall protection
Avoiding suspicious email attachments, very important
Maintaining regular offline backups

Preventive security habits are the best defense against ransomware attacks.

FAQs

What does ransomware do to your PC?

Ransomware encrypts files, blocks access to important data, and demands payment for file recovery. Some variants also steal sensitive information or spread across networks.

Who stopped Wannacry?

The WannaCry ransomware outbreak was partially slowed by cyber security researcher Marcus Hutchins, who discovered a hidden “kill switch” domain that reduced the malware’s spread.

Can Windows detect ransomware?

Modern versions of Windows include security protections through Microsoft Defender, which can detect and block many ransomware threats. However, advanced attacks may still bypass defenses if systems are outdated or users interact with malicious files.