Restore Files After a Ransomware Infection


A user caught a ransomare infection and some of your Windows file shares have become encrypted.  What do you do now?




  • Shutdown infected devices.  Determine which machines/users have become infected and shut the devices down.  It might be necessary to turn off networking switches, wireless access points, or file servers while the infected machines are located.
  • Reimage infected devices. (Alternatively disallow infected devices from the network and reimage infected devices after the restoration of file shares) (reimage means a full wipe usually a repartition or hard drive format and reinstall of the operating system)
  • Restore normal network operations. If no further damage occurs then continue.
  • Determine the scope of the damage to servers and file shares. Determine which users and shares have become compromised.
  • Determine the strain of ransomware.  Determine any additional steps needed by identified ransomware strain. or
  • Review your available backups.
  • Determine your best course of action for restore of files that were corrupted.
  • Determine attack vector used and add block lists, updates, or policies to stop the same attack vector from being used again.  Train users on how to avoid the same scenario. Based on the time window and user that propogated the virus you can check your web filter logs to determine where the virus came from and block it.
  • Setup Ransomware Detection Service to help with the windows shares auditing and cleanup. After the fact this service will add peace of mind with regards to knowing when your file shares are compromised.   (Not knowing when a file share is corrupted can ruin your response time and available backups)
  • Write a post-mortem report and recommend or make changes to further prevent the next ransomware attack.  (See for further recommendations regarding prevention.)



Restore File Shares After a Ransomware Infection:


Additional Resources:

Before You Pay that Ransomware Demand…

One thought on “Restore Files After a Ransomware Infection

  1. Pingback: How to Prevent Ransomware Infections | Question Driven

Leave a Reply

%d bloggers like this: