Restore Files After a Ransomware Infection


A user caught a ransomware infection and some of your Windows file shares have been encrypted. What do you do now?




  • Determine the scope of the infection (is it a worm spreading through the network or a single infected device?).
  • Shut down infected devices or isolate the network segment they are on. Determine which machines/users have become infected and shut those devices down. It might be necessary to turn off network switches, wireless access points, or file servers while the infected machines are located.
  • Determine the potential scope of the damage based on the user that was infected. (Different users have different permissions to shares, etc.)
  • Reimage infected devices. (Alternatively, block infected devices from the network and reimage them after the file shares have been restored.) Reimaging means a full wipe, usually a repartition or hard drive format and a reinstall of the operating system.
  • Restore normal network operations. If no further damage occurs, continue.
  • Determine the scope of the damage to servers and file shares. Determine which users and shares have been compromised. Review file shares, test opening files, audit file shares, test applications, test websites, and test everything that could be compromised.
  • Determine the strain of ransomware, and any additional steps required for the identified strain.
  • Research the ransomware and determine what it normally does to a network, files, applications, operating systems, or a device.
  • Determine whether any preventative measures are possible and immediately necessary to prevent a secondary attack by the same virus (security patches, group policies, permission changes, etc.).
  • Review your available backups.
  • Determine your best course of action for restoring the files that were corrupted.
  • Determine the attack vector used and add block lists, updates, or policies to stop the same attack vector from being used again. Train users on how to avoid the same scenario. Based on the time window and the user that propagated the virus, you can check your web filter logs to determine where the virus came from and block it.
  • Set up Ransomware Detection Service to help with auditing and cleaning up the Windows shares. After the fact, this service adds peace of mind by letting you know when your file shares are compromised. (Not knowing when a file share is corrupted can ruin your response time and exhaust your available backups.)
  • Write a post-mortem report and recommend or make changes to further prevent the next ransomware attack. (See for further recommendations regarding prevention.)
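The "determine the scope of the damage to file shares" step above is tedious to do by hand across many shares. The following is an added example, not code from the original post or from Ransomware Detection Service: a triage scanner that walks a share, flags files whose content has the near-maximal byte entropy typical of ransomware output, skips known compressed containers (which also score high), and counts suspects per top-level folder so you know which owners and backups to look at. The entropy threshold, the magic-byte list and the `run_demo` share layout are assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Thresholds are assumptions for triage, not values from the post: encrypted
# output sits near 8 bits/byte, while documents and source rarely exceed ~7.5.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024
# Legitimately compressed containers (zip/docx, gzip, png, jpeg, pdf) also score
# high; skip them by magic bytes so they do not dominate the suspect list.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_share(root: str) -> dict:
    """Walk one share; return {'suspect': [paths], 'by_dir': Counter}.
    'by_dir' counts suspects per top-level folder so owners can be notified."""
    root_path = Path(root)
    suspect, by_dir = [], Counter()
    for dirpath, _, filenames in os.walk(root_path):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or permission denied: skip rather than abort
            if len(head) < 256 or head.startswith(COMPRESSED_MAGIC):
                continue  # too small to judge, or a known compressed format
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspect.append(str(path))
                rel = path.relative_to(root_path).parts
                by_dir[rel[0] if len(rel) > 1 else "."] += 1
    return {"suspect": suspect, "by_dir": by_dir}

def run_demo() -> dict:
    """Build a constructed toy share (sample data, not real infection artefacts)."""
    share = Path(tempfile.mkdtemp()) / "finance"
    (share / "reports").mkdir(parents=True)
    (share / "reports" / "q1.txt").write_text("Quarterly report\n" * 200)
    (share / "reports" / "q2.xlsx.locked").write_bytes(os.urandom(4096))
    (share / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(4096))
    return triage_share(str(share))
```

Run `triage_share(r"\\fileserver\finance")` against a real share from a clean, read-only workstation; treat the output as a candidate list to compare against the last known-good backup listing, since encrypted archives and some media formats will still produce false positives.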



Restore File Shares After a Ransomware Infection:


Additional Resources:

Before You Pay that Ransomware Demand…
