Restore Files After a Ransomware Infection

Issue:

A user caught a ransomware infection and some of your Windows file shares have become encrypted. What do you do now?


Solution:

Overview:

  • Shut down infected devices. Determine which machines/users have become infected and shut the devices down. It might be necessary to turn off network switches, wireless access points, or file servers while the infected machines are located.
  • Reimage infected devices. (Alternatively, disallow infected devices from the network and reimage them after the file shares have been restored.) Reimage means a full wipe, usually a repartition or hard drive format and a reinstall of the operating system.
  • Restore normal network operations. If no further damage occurs, then continue.
  • Determine the scope of the damage to servers and file shares. Determine which users and shares have been compromised.
  • Determine the strain of ransomware. Determine any additional steps needed for the identified ransomware strain. https://www.nomoreransom.org/crypto-sheriff.php or https://www.bleepingcomputer.com
  • Review your available backups.
  • Determine your best course of action for restoring the files that were corrupted.
  • Determine the attack vector used and add block lists, updates, or policies to stop the same attack vector from being used again. Train users on how to avoid the same scenario.
  • Set up a ransomware detection service so you know when your file shares are compromised. (Not knowing when a file share is corrupted can ruin your response time and your available backups.)
  • Write a post-mortem report and recommend or make changes to further prevent the next ransomware attack.
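
The scoping and detection steps above (which shares and folders were touched, and knowing when a share is being encrypted) can be partly automated. The following added example is not from the original post: it walks a share tree and flags two indicators ransomware leaves behind, ransom-note file names and files whose contents have near-random byte entropy, then reports counts per top-level folder so you can see which teams' shares were hit. The note names, skipped extensions, threshold and the sample share it builds are all constructed assumptions for the example, not values from any particular strain.

```python
import math, os, tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Constructed indicators for this example; they are not tied to any real strain.
NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.html"}
SKIP_EXTS = {".zip", ".7z", ".gz", ".png", ".jpg", ".mp4", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8

def shannon_entropy(data):
    """Bits per byte of a sample: plain text scores around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path):
    """Label a file as 'ransom-note', 'high-entropy', or None if it looks untouched."""
    if path.name.lower() in NOTE_NAMES:
        return "ransom-note"
    if path.suffix.lower() in SKIP_EXTS:
        return None  # compressed formats are high-entropy by design; skip them to avoid false positives
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return None

def scope_share(root, modified_since):
    """Count indicators per top-level share folder for files written after modified_since (epoch seconds)."""
    report = defaultdict(Counter)
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file() and path.stat().st_mtime >= modified_since:
            label = classify(path)
            if label:
                report[path.relative_to(root).parts[0]][label] += 1
    return {folder: dict(counts) for folder, counts in report.items()}

def build_sample_share():
    """Constructed throwaway share: 'hr' is healthy, 'finance' was hit."""
    root = Path(tempfile.mkdtemp())
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "hr" / "policy.txt").write_text("Leave policy: 25 days per year.\n" * 40)
    (root / "finance" / "q3.xlsx.locked").write_bytes(os.urandom(4096))  # stand-in for ciphertext
    (root / "finance" / "README_TO_DECRYPT.txt").write_text("Your files are encrypted.\n")
    return str(root)
```

Run `scope_share` against a real share with `modified_since` set to the start of the suspected infection window; the per-folder counts give you the "which shares were compromised" answer, and the same function scheduled against a honeypot folder gives you an early warning.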


Restore File Shares After a Ransomware Infection:


Additional Resources:

Before You Pay that Ransomware Demand…
