If ransomware deleted your files, you may have more options than you think — and the reason is technical. Most ransomware encrypts a copy of your file, then deletes the original. That deleted original may still be sitting in unallocated disk space, unencrypted and recoverable, even if the encrypted version cannot be decrypted. This guide explains exactly how ransomware works and walks through three recovery paths, starting with the fastest.
Part 1. How Ransomware Actually Works: The Encrypt-Then-Delete Mechanic
Most people assume ransomware "locks" their files in place. The reality is different, and understanding it opens recovery options that most victims overlook.
Here is what happens step by step:
- Ransomware reads your original file (e.g., report.docx).
- It creates an encrypted copy with a new extension (e.g., report.docx.locked).
- It deletes the original report.docx.
- It repeats across every file it can access.
- It drops a ransom note and, on most modern variants, runs vssadmin delete shadows /all /quiet to destroy Windows Shadow Copies.
Why this matters: When your operating system deletes a file, it does not erase the data immediately. It marks the disk space as "available." On a hard disk drive (HDD), the original, unencrypted file data can remain in that unallocated space for hours, days, or longer — until new data is written over it.
Tip: Stop using the infected drive immediately after an attack. Every write operation risks overwriting the deleted originals in unallocated space. If possible, shut the machine down and work from a disk image or secondary device.
Part 2. Which Recovery Path Should You Try First?
The right starting point depends on your ransomware strain and system state. Use this decision table before taking any action.
| Your Situation | Best First Path | Why |
|---|---|---|
| HDD (not SSD), attack was recent (hours) | Path A — Data recovery software | Deleted originals likely still in unallocated space |
| You know the ransomware strain name | Path B — NoMoreRansom decryptor | Free decryptor may already exist |
| Shadow Copies were NOT deleted | Path C — Windows Previous Versions / VSS | Fastest restore with no tools needed |
| SSD, TRIM enabled, attack was days ago | Path B → Path A | TRIM reduces Path A viability; try decryptor first |
| No backups, SSD, unknown strain | Path B — save encrypted files and wait | Free decryptors are released regularly; patience pays |
Warning: Do NOT pay the ransom before exhausting all three free paths. Payment does not guarantee recovery — and funds criminal operations. The FBI and Europol both advise against payment.
Part 3. Path A — Recover the Deleted Originals from Unallocated Space
This is the path most guides skip entirely. Because ransomware deletes the original files (not just encrypts them), data recovery software can scan unallocated disk space and reconstruct those originals.
When Path A works best:
- You are on an HDD (not an SSD with TRIM active)
- The attack happened recently and the disk has not been written to heavily since
- The ransomware used a simple delete rather than a secure overwrite
Steps:
- Do not write to the infected drive. Connect it as a secondary drive to a clean machine, or create a sector-by-sector image first.
- Run data recovery software and scan the drive for deleted files.
- Filter results by file type (documents, photos, etc.) — look for files dated before the attack.
- Preview and recover files to a separate, clean drive.
Ritridata can scan unallocated space on HDDs and recover deleted files left behind after the ransomware's encrypt-then-delete process. It supports common file types including documents, photos, and videos, and works on Windows.
Tip: Recover files to a different drive than the source. Writing recovered files back to the same infected drive risks overwriting other recoverable data still in unallocated space.
Why SSDs are harder: Most modern SSDs use the TRIM command, which tells the drive to proactively erase deleted blocks. This can clear unallocated space within minutes to hours, making Path A significantly less reliable on SSDs. If you are on an SSD, still attempt Path A — TRIM is not always immediate — but do not count on it.
Part 4. Path B — Use a Free Decryption Tool (NoMoreRansom)
Even if Path A fails or the deleted originals are unrecoverable, the encrypted files may still be decryptable using a free tool.
Step 1: Identify your ransomware strain.
Check the encrypted file extension and the ransom note filename. Then visit ID Ransomware and upload the ransom note or an encrypted file sample — it will identify the strain within seconds.
Step 2: Search for a free decryptor.
Go to NoMoreRansom.org — the official initiative backed by Europol, Interpol, and major security vendors. As of 2025, it offers free decryptors for over 160 ransomware strains.
Ransomware strains with free decryptors (examples):
| Ransomware Strain | Free Decryptor | Provider |
|---|---|---|
| WannaCry | WannaDecrypt | Multiple vendors |
| STOP / Djvu | Emsisoft Decryptor for STOP Djvu | Emsisoft |
| Shade (Troldesh) | ShadeDecryptor | Kaspersky |
| Dharma / Crysis | RakhniDecryptor | Kaspersky |
| CoinVault / Bitcryptor | CoinVaultDecryptor | Kaspersky |
| Maze / Sekhmet | RakhniDecryptor | Kaspersky |
| Babuk | Avast Decryptor | Avast |
| CryptoLocker variants | Multiple tools | Kaspersky / Emsisoft |
Tip: Even if no decryptor exists today, keep your encrypted files. Decryptors are released months or even years after new ransomware variants emerge — either when law enforcement seizes the attacker's servers or when researchers reverse-engineer the encryption. Save encrypted copies to an external drive and check NoMoreRansom periodically.
Part 5. Path C — Restore from Shadow Copy or Windows Backup
Windows automatically creates Volume Shadow Copies (VSS) as part of System Restore and File History. If the ransomware did not delete these, you can restore previous file versions without any external tools.
As one security professional noted on r/cybersecurity:
"The first thing most modern ransomware does is delete Volume Shadow Copies so you can't just roll back — vssadmin delete shadows /all /quiet is practically a ransomware signature at this point."
Path C is therefore less reliable against modern strains — but it is worth checking first because it requires no tools and takes seconds.
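A defender-side check for the shadow-copy deletion the quote describes, as an added example in Python that is not from the original post or from any vendor: it runs over constructed process-creation log lines (the key=value layout is an assumption for this example, not a real product format) and flags every vssadmin invocation that deletes shadows, regardless of case or spacing.

```python
import re

# Constructed process-creation events (not real telemetry). The key=value
# layout is an assumption for this example; map your own EDR/Sysmon fields.
SAMPLE_LOG = [
    '2025-01-10T09:14:02Z host=WS01 user=alice parent=explorer.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    '2025-01-10T09:14:30Z host=WS01 user=alice parent=winword.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    '2025-01-10T09:14:31Z host=WS02 user=bob parent=cmd.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmdline="VSSADMIN.EXE  Delete   Shadows /For=C: /Quiet"',
    '2025-01-10T09:15:00Z host=WS02 user=bob parent=cmd.exe '
    'image=C:\\Windows\\System32\\notepad.exe cmdline="notepad README.txt"',
]

LINE_RE = re.compile(
    r'^(?P<when>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)
# vssadmin (with or without .exe), then "delete" and "shadows" in that order,
# tolerant of letter case and of extra spaces between the words.
SHADOW_DELETE_RE = re.compile(r'\bvssadmin(?:\.exe)?\b.*?\bdelete\s+shadows\b', re.IGNORECASE)


def parse_event(line: str):
    """Return the event as a dict, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_shadow_deletions(lines):
    """Return the events whose command line deletes Volume Shadow Copies."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and SHADOW_DELETE_RE.search(ev["cmdline"]):
            hits.append(ev)
    return hits


def hosts_needing_isolation(lines):
    """Hosts with at least one shadow deletion, mapped to the time it was first seen."""
    first_seen = {}
    for ev in find_shadow_deletions(lines):
        first_seen.setdefault(ev["host"], ev["when"])
    return first_seen


if __name__ == "__main__":
    for ev in find_shadow_deletions(SAMPLE_LOG):
        print(f'{ev["when"]} {ev["host"]} {ev["user"]} parent={ev["parent"]}: {ev["cmdline"]}')
```

A listing command ("vssadmin list shadows") is deliberately not flagged, so the rule fires on destruction of copies rather than on any use of the tool.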
How to check:
- Right-click any encrypted file or folder.
- Select Properties → Previous Versions tab.
- If versions are listed, select the most recent clean version and click Restore.
If Shadow Copies are gone, check whether Windows Backup or File History was configured:
- Windows Backup: Open Control Panel → Backup and Restore (Windows 7) → Restore my files.
- File History: Open Settings → Update & Security → Backup → More options → Restore files from a current backup.
- OneDrive / cloud sync: Check your cloud provider's version history — many retain 30–180 days of file versions even after ransomware overwrites local copies.
Part 6. Step-by-Step: Identify Your Ransomware Strain
Knowing the strain is critical for Path B. Here is how to identify it quickly.
Clues to look for:
- File extension: Encrypted files usually gain a new extension — .locked, .enc, .crypt, .WNCRY, .djvu, .dharma, etc.
- Ransom note filename: Common names include README.txt, HOW_TO_DECRYPT.txt, DECRYPT_INSTRUCTIONS.html, @Please_Read_Me@.txt.
- Ransom note content: Usually names the ransomware family or includes a contact email with a domain pattern specific to the group.
Use ID Ransomware:
- Go to ID Ransomware.
- Upload your ransom note file OR one encrypted file sample.
- The tool identifies the strain and links directly to any available decryptor on NoMoreRansom.
A user on r/sysadmin shared practical advice that captures why this step matters:
"Keep the encrypted files — ransomware is often decryptable with free tools later. Zip them and save them somewhere safe."
Part 7. Critical Warning — Mistakes That Make Recovery Impossible
Warning: These actions permanently destroy your recovery chances. Avoid all of them until you have exhausted every recovery path.
| Mistake | Why It Destroys Recovery |
|---|---|
| Paying the ransom immediately | Wastes money; no guarantee of decryption; criminals may not deliver keys |
| Formatting the infected drive | Erases unallocated space — destroys deleted originals permanently |
| Installing new software on the infected drive | Overwrites unallocated space where deleted originals reside |
| Running antivirus on the infected drive before imaging | AV quarantine/deletion writes to disk and may overwrite recoverable data |
| Ignoring encrypted files | If no decryptor exists today, one may exist in 6 months — save them |
Part 8. Recover Deleted Originals with Ritridata
When ransomware deletes the original files as part of its encrypt-then-delete process, those files may still be present in unallocated disk space — and Ritridata is designed to find them.
Ritridata scans drives at the sector level, looking for file signatures in unallocated space that the file system no longer tracks. This approach can recover documents, photos, and other files that were deleted by ransomware before any new data overwrites that space.
Ritridata is suited for this scenario when:
- You are recovering from an HDD (where deleted data persists longer)
- The attack was recent and the drive has not been written to heavily
- You need to recover specific file types (documents, photos, videos)
- You want a Windows-based tool that does not require technical expertise
How to use Ritridata for ransomware recovery:
- Connect the infected drive to a clean Windows machine as a secondary drive (do not boot from it).
- Download and install Ritridata on the clean machine.
- Select the infected drive and run a deep scan.
- Filter results for the file types you need, focusing on files dated before the attack.
- Preview recoverable files and save them to a separate, clean drive.
Tip: Ritridata recovers deleted files — it does not decrypt encrypted files. Use Ritridata to recover the deleted originals (Path A), and use NoMoreRansom tools to attempt decryption of any encrypted copies (Path B). The two approaches are complementary, not competing.
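The sector-level, signature-based scan that Path A (Part 3) and this Part describe, as an added example in Python that is neither Ritridata's code nor part of the original guide: it carves JPEG, PDF and PNG files out of a constructed raw image by header and footer bytes alone, ignoring any file system, skips a header whose footer has been overwritten, and finds nothing in the stand-in for the encrypted copy, which carries no signature.

```python
# Header/footer magic for three common types (constructed subset). A real carver
# knows hundreds of formats and uses per-format length fields where they exist.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed stand-ins for deleted originals left behind in unallocated space.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"constructed JPEG body" + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n" + b"constructed PDF body\n" + b"%%EOF"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed PNG body" + b"IEND\xaeB`\x82"
# A header whose body was partly overwritten by later writes: no footer follows.
SAMPLE_OVERWRITTEN = b"\xff\xd8\xff\xe0" + b"partially overwritten"
# Stand-in for report.docx.locked: the encrypted copy has no known signature,
# so a carver cannot recover it; only the deleted original is carveable.
CIPHERTEXT_STANDIN = bytes(range(255, -1, -1))


def build_sample_image() -> bytes:
    """Lay the constructed fragments into zeroed free space, as on a real volume."""
    free = b"\x00" * 64
    return (free + SAMPLE_JPEG + free + SAMPLE_PDF + free + SAMPLE_PNG + free
            + SAMPLE_OVERWRITTEN + free + CIPHERTEXT_STANDIN + free)


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return [(kind, offset, data)] for every header/footer pair in the image.
    No file-system metadata is consulted: a deleted file has no directory entry,
    so the bytes themselves are all there is to go on."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:            # footer overwritten or beyond max_size: skip
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind:5} at offset {offset:6d}, {len(data)} bytes")
```

Against a real device, read the sector-by-sector image file in chunks rather than loading it whole; the matching logic stays the same.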
FAQ
Can ransomware-deleted files actually be recovered? Yes, in many cases. Ransomware typically deletes the original unencrypted file after creating an encrypted copy. On HDDs, that deleted original may remain in unallocated space until overwritten. Data recovery software can scan for and recover these files.
Does ransomware always delete Volume Shadow Copies? Most modern ransomware strains do delete Shadow Copies using the vssadmin delete shadows /all /quiet command. However, some older or less sophisticated strains do not. It is always worth checking Previous Versions before moving to other recovery methods.
Is it safe to run data recovery software on an infected machine? It is safer to connect the infected drive as a secondary drive on a clean machine. Running software on the infected machine itself risks writing to the drive and overwriting recoverable data.
What if there is no decryptor for my ransomware strain? Save your encrypted files to an external drive and check NoMoreRansom.org periodically. New decryptors are released regularly — often months or years after a strain first appears, when law enforcement seizes attacker infrastructure or researchers crack the encryption.
Should I pay the ransom? The FBI, Europol, and security researchers broadly advise against paying. Payment does not guarantee decryption, funds criminal operations, and may make you a repeat target. Exhaust all free options first.
How do I know which ransomware strain attacked me? Check your encrypted file extension and ransom note, then upload them to ID Ransomware. It identifies the strain and links to available decryptors within seconds.
Will reinstalling Windows help? Reinstalling Windows removes the ransomware but does not recover your files. Done on a replacement drive, it also leaves the data in unallocated space on the original drive untouched, so data recovery is still possible once that drive is connected to a clean machine afterward; reinstalling onto the infected drive itself writes over that space (see Part 7).
Why are SSDs harder to recover from? SSDs use the TRIM command, which instructs the drive to proactively erase deleted blocks. This can happen within minutes to hours of file deletion, significantly reducing the window for unallocated space recovery compared to HDDs.
Can I recover files from a formatted drive after ransomware? Formatting makes recovery much harder and is not recommended before attempting data recovery. If a format has already occurred, deep scan recovery may still find some files, but the success rate drops significantly.
What is the No More Ransom project? No More Ransom is a joint initiative by Europol, Interpol, the Dutch National Police, and security companies. It provides free decryption tools for over 160 ransomware strains and is the first place to check before considering payment.
References
- No More Ransom Project — Free ransomware decryptors: https://www.nomoreransom.org/
- ID Ransomware — Ransomware identification tool: https://id.ransomware.malwarehunterteam.com/
- Kaspersky No Ransom — Free decryption tools: https://noransom.kaspersky.com/
- Emsisoft Free Ransomware Decryption Tools: https://www.emsisoft.com/en/ransomware-decryption/
- SentinelOne — Ransomware Data Recovery Strategies: https://www.sentinelone.com/cybersecurity-101/cybersecurity/ransomware-data-recovery/
