
Ransomware Encrypted Your Files — Here's the Exact Order to Follow

Ethan Carter
Last Updated: March 14, 2026

The wrong sequence can destroy your data permanently.
This guide gives you a clear, situation-based decision framework — so you know exactly whether to attempt recovery before wiping, or wipe first.
We also cover the one step most victims miss: preserving encrypted files before wiping, because free decryptors are released months or years later.

If ransomware has encrypted the files on your system and you're asking whether to recover first or clean first, the honest answer is: it depends on your situation. The right sequence varies based on whether the ransomware is still active, whether your system is stable, and whether your Volume Shadow Copies survived. This guide gives you a structured decision framework to follow — and covers the critical step most victims miss entirely.

Part 1. The Decision Framework — Your Situation Determines the Order

Not every ransomware scenario calls for the same response. The list below maps each situation to the recommended action sequence.

  • System stable, malware that encrypts in place (originals are not deleted): Remove the malware first → then recover encrypted files or run a decryptor
  • System stable, ransomware with an encrypt-then-delete mechanic: Attempt file recovery FIRST → check NoMoreRansom → then wipe and rebuild
  • System unstable, or ransomware still active: Boot from a clean USB → image the drive → recover from the image → then wipe the live system
  • No idea whether the ransomware is still running: Assume it is active → do NOT run recovery software on the live system → image first
  • Shadow Copies still intact: Restore from VSS snapshots first → no wipe required if the system is clean

💡 Tip: Before any action, disconnect the infected machine from your network — unplugging the Ethernet cable or disabling Wi-Fi prevents ransomware from spreading to other devices or encrypting network shares.

The single most common mistake is wiping the system immediately without checking whether the original deleted files are still recoverable. Many ransomware families use an encrypt-then-delete mechanic: they encrypt a copy of your file and then delete the original. Until the disk is wiped, those deleted originals may still exist in unallocated space — and file recovery software can retrieve them.

Part 2. Check Volume Shadow Copies Before You Do Anything Destructive

Windows creates Volume Shadow Copy snapshots automatically when updates or backups run. Many ransomware strains try to destroy these snapshots — but not all succeed, and some older or lower-sophistication strains skip this step entirely.

Before wiping or running any cleaning tool, open an elevated Command Prompt and run:

vssadmin list shadows

If the output lists any shadow copies with dates prior to your infection, you may be able to restore files directly from those snapshots using Shadow Explorer or Windows' built-in Previous Versions feature. This is the fastest possible recovery path and requires no third-party file recovery at all.
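The snapshot check above is easy to get wrong by eye when several sets are listed, so here is an added example (not from the article, and not part of any tool it mentions) that parses the text `vssadmin list shadows` prints and keeps only the snapshots created before the infection. The sample output is constructed, the machine name and GUIDs are placeholders, and the timestamp mask assumes an en-US system; other locales print dates differently and need a different `DATE_FORMAT`.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (en-US formatting):
# two shadow-copy sets, one from before and one from after a hypothetical
# infection on the evening of 13 March 2026. GUIDs and host name are placeholders.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 3/10/2026 2:15:03 AM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 3/13/2026 9:40:11 PM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

CREATION_RE = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
# en-US vssadmin timestamp ("3/10/2026 2:15:03 AM"); assumption, adjust per locale.
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_shadow_copies(text):
    """Return [(created_at, shadow_volume_path), ...] in the order vssadmin lists them.
    A set line carries the creation time; every 'Shadow Copy Volume' under it
    inherits that time (one set can contain several volumes)."""
    snapshots = []
    current_time = None
    for line in text.splitlines():
        m = CREATION_RE.search(line)
        if m:
            current_time = datetime.strptime(m.group(1), DATE_FORMAT)
            continue
        m = VOLUME_RE.search(line)
        if m and current_time is not None:
            snapshots.append((current_time, m.group(1)))
    return snapshots


def snapshots_before(text, infection_time):
    """Only snapshots taken before the infection hold clean copies of your files."""
    return sorted(s for s in parse_shadow_copies(text) if s[0] < infection_time)


def read_live_output():
    """On Windows, capture the real command (run from an elevated prompt).
    Not called by the demo so the example stays offline."""
    result = subprocess.run(["vssadmin", "list", "shadows"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Infection estimated at 18:00 on 13 March 2026: only ShadowCopy1 qualifies."""
    infection = datetime(2026, 3, 13, 18, 0, 0)
    return [volume for _, volume in snapshots_before(SAMPLE_VSSADMIN_OUTPUT, infection)]
```

The device path returned (`\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN`) is the same one Shadow Explorer and Previous Versions read from; Windows also lets you expose it as a folder with `mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\` (trailing backslash required) so you can copy files out with Explorer. Copy them to a separate clean drive, as the rest of this guide says.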

🗣️ r/sysadmin user: "Before you do anything else, run vssadmin list shadows. If the ransomware didn't kill your shadow copies, you can restore right from there. Check this BEFORE you wipe."

⚠️ Warning: Many security cleaning tools and automated ransomware removal scripts aggressively wipe unallocated disk space and may also destroy Volume Shadow Copy metadata. Running a cleaning tool before checking your shadow copies can permanently eliminate your best recovery option.

Part 3. Why Cleaning Tools Can Destroy Your Data

Antivirus and anti-malware tools are designed to remove threats — not to preserve forensic evidence or recoverable file data. When a cleaning tool runs a deep scan and remediation pass, it may:

  • Overwrite deleted files in unallocated disk space (destroying recoverable originals)
  • Delete files flagged as suspicious that are actually recoverable encrypted copies
  • Wipe temporary files or Volume Shadow Copy data as part of a "deep clean"

The safest approach is to image the drive first using a tool like Clonezilla or Macrium Reflect Free before running any cleaning or wiping tools. Working from an image means you always have a forensic copy to return to — even if the live drive is later wiped clean.

🗣️ r/sysadmin user: "You don't 'recover' from ransomware on a live infected system. You wipe, rebuild, then restore from backups. Anything else is just asking for reinfection — but image the drive first if you don't have backups."

Part 4. The Critical Step Most Victims Miss — Preserve Encrypted Files Before Wiping

This is the most overlooked piece of ransomware recovery advice: make a copy of your encrypted files before wiping the drive. Most victims delete or overwrite everything in the rush to clean up — and then lose access permanently when a free decryptor is released later.

Decryptors are regularly published months or even years after an attack, when:

  • Law enforcement seizes the ransomware group's encryption keys
  • Security researchers find vulnerabilities in the encryption implementation
  • The ransomware group shuts down and leaks their master keys

Recent examples include free decryptors released for Phobos/8base, FunkSec, DoNex, and Midnight/Endpoint in 2025–2026. Victims who preserved their encrypted files were able to fully recover. Victims who wiped without keeping a copy permanently lost their data.

💡 Tip: Copy your encrypted files to an external drive or USB before wiping. Store them in a clearly labeled folder with the ransomware name and infection date. Check NoMoreRansom.org every few months for new decryptors.
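The tip above is cheap insurance, and one detail makes it worth much more months later: a hash manifest, so that when a decryptor finally appears you can prove the preserved copies are byte-for-byte what the ransomware left (a decryptor fed a corrupted ciphertext produces garbage). The following is an added example, not code from the article or from any product it names; the strain name, date, file extension `.locked` and ransom-note name are constructed placeholders, and the bundle is built in a temporary directory instead of a real USB drive.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 (encrypted archives can be large; never read whole)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve_encrypted_files(source_root, dest_root, strain, infection_date, wanted):
    """Copy every file under source_root for which wanted(path) is true into
    dest_root/<strain>_<infection_date>/ (relative paths kept) and write a
    sha256sum-style manifest beside them. Returns the manifest path."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    bundle = dest_root / f"{strain}_{infection_date}"   # clearly labelled folder
    bundle.mkdir(parents=True, exist_ok=True)
    lines = []
    for path in sorted(p for p in source_root.rglob("*") if p.is_file()):
        if not wanted(path):
            continue
        rel = path.relative_to(source_root)
        target = bundle / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 keeps timestamps, useful for the timeline
        lines.append(f"{sha256_of(target)}  {rel.as_posix()}")
    manifest = bundle / "manifest.sha256"
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest


def verify_manifest(manifest):
    """Re-hash every listed copy; return the relative paths that no longer match."""
    manifest = Path(manifest)
    mismatches = []
    for line in manifest.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        expected, rel = line.split("  ", 1)
        copy = manifest.parent / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            mismatches.append(rel)
    return mismatches


def demo():
    """Constructed victim tree: one encrypted file, one ransom note, one untouched file."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp) / "victim"
        (victim / "docs").mkdir(parents=True)
        (victim / "docs" / "report.docx.locked").write_bytes(bytes(range(256)))  # stand-in ciphertext
        (victim / "docs" / "README_TO_RESTORE.txt").write_text("constructed ransom note")
        (victim / "notes.txt").write_text("plaintext file the ransomware skipped")
        # keep the encrypted files and the note (Crypto Sheriff wants both), skip the rest
        wanted = lambda p: p.suffix.lower() == ".locked" or "RESTORE" in p.name.upper()
        manifest = preserve_encrypted_files(victim, Path(tmp) / "usb",
                                            "ExampleStrain", "2026-03-13", wanted)
        copied = len(manifest.read_text().splitlines())
        clean = verify_manifest(manifest)
        # simulate bit-rot or a bad copy on the archive drive, then re-verify
        (manifest.parent / "docs" / "report.docx.locked").write_bytes(b"corrupted")
        tampered = verify_manifest(manifest)
        return copied, clean, tampered
```

Run `verify_manifest` on the archive drive before handing the files to a decryptor; the manifest format matches `sha256sum -c`, so it can also be checked from a Linux recovery USB without Python.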

Part 5. How to Recover Deleted Original Files (Before Wiping)

Most ransomware operates by creating an encrypted copy of each file and then deleting the original. Until the sectors containing those deleted originals are overwritten by new data, file recovery software can often retrieve them intact.

To maximize recovery chances:

  1. Stop using the infected drive immediately — every write operation risks overwriting deleted files
  2. Boot from a clean, external environment (USB drive with a recovery OS) to avoid writing to the system drive
  3. Run file recovery software against the infected drive as a read-only scan
  4. Save recovered files to a separate, clean drive — never recover to the same drive you are scanning

The window for recovering deleted originals closes quickly. Heavy system usage, a Windows restart, or any write activity on the infected drive can permanently overwrite the sectors where deleted originals reside.
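What recovery software actually does in step 3 is scan the raw disk or image for file-type signatures, which is why the encrypt-then-delete mechanic leaves an opening: a deleted original still starts with its magic bytes until it is overwritten, while the ransomware's encrypted copy has no recognisable header and is invisible to such a scan. The following added example (not from the article, and not the product the article recommends) is a minimal header-and-footer carver run against a constructed in-memory "disk image" containing random slack, a deleted PNG, a random-byte stand-in for an encrypted copy, and a tiny PDF; the three signatures are a deliberately short table, real tools know hundreds, and `carve_image_file` reads an image written by Clonezilla, `dd` or similar into memory, which is fine for a demo but not for a multi-terabyte drive.

```python
import random
import struct
import tempfile
import zlib
from pathlib import Path

# (header magic, footer magic) per type; assumption: three common types for the demo.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, max_size=16 * 1024 * 1024):
    """Return [(offset, kind, data), ...] for every header that has a footer
    within max_size bytes. A header with no footer is skipped: that file was
    probably partially overwritten already, which is exactly why the window closes."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((start, kind, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[0])


def carve_image_file(path):
    """Scan a forensic image file (read-only) rather than the live drive."""
    return carve(Path(path).read_bytes())


def save_carved(found, out_dir):
    """Write carved files to a separate destination, never back onto the scanned drive."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    names = []
    for offset, kind, data in found:
        name = f"carved_{offset:#010x}.{kind}"
        (out_dir / name).write_bytes(data)
        names.append(name)
    return names


def tiny_png():
    """Build a valid 1x1 red PNG in memory to play the 'deleted original'."""
    def chunk(tag, data):
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data)))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def build_image(seed=1234):
    """Constructed disk image: slack, deleted PNG, 'encrypted copy' (random bytes,
    so no signature), small PDF, more slack. Seeded so the layout is reproducible."""
    rnd = random.Random(seed)
    noise = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    encrypted_copy = noise(600)
    return noise(512) + tiny_png() + noise(300) + encrypted_copy + pdf + noise(200)


def demo():
    found = carve(build_image())
    with tempfile.TemporaryDirectory() as out:   # stands in for the clean external drive
        names = save_carved(found, out)
    kinds = [kind for _, kind, _ in found]
    return kinds, found[0][0], found[0][2] == tiny_png(), names
```

The carver finds the PNG at offset 512 and the PDF after it, and nothing at all for the encrypted copy, which is the whole point: the originals are what signature-based recovery can bring back, the ciphertext is what only a decryptor can.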

💡 Tip: If you must keep using the computer before recovery, at minimum avoid saving any new files to the infected drive. Even browsing the web generates temporary files that can overwrite deleted data.

Part 6. The Live System Risk — Why You Should Not Run Recovery Software on an Active Infection

Running file recovery software on a system where ransomware may still be active creates a dangerous loop. Ransomware with persistence mechanisms — scheduled tasks, registry run keys, or dropper components — may re-encrypt any files you recover before you can move them to safety.

Signs ransomware may still be active:

  • CPU or disk usage is unusually high
  • File extensions continue to change after you thought the attack stopped
  • New ransom notes appear in folders
  • Your antivirus detects threats but cannot quarantine them

If any of these signs are present, do not attempt live recovery. Instead, remove the drive, connect it to a clean machine as a secondary drive, and run recovery from that safe environment.
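Two of the signs listed above (extensions still changing, new ransom notes appearing) can be checked objectively rather than by feel: take a file listing of a few folders, wait a minute, take it again, and compare. The following added example (not from the article, and not part of any tool it names) does that with two snapshots of a constructed directory tree, then simulates encryption continuing between the two looks; the note keywords, the "known" extension set and the `.locked` suffix are assumptions for the demo. Note that listing files is a read-only operation, but if you decide the infection is still active the next step is the one the article gives: move the drive to a clean machine, not further poking on the live system.

```python
import tempfile
from pathlib import Path

# Assumptions for the demo: words that ransom-note file names tend to contain,
# and the extensions the user's own files normally have.
NOTE_KEYWORDS = ("readme", "restore", "decrypt", "recover", "how_to", "how-to")
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png"}


def snapshot(root):
    """Map relative path -> size for every file under root (read-only walk)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}


def activity_indicators(before, after):
    """Compare two snapshots and report signs that encryption is still in progress."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    new_notes = sorted(p for p in added
                       if any(k in Path(p).name.lower() for k in NOTE_KEYWORDS))
    unknown_ext = sorted(p for p in added
                         if p not in new_notes
                         and Path(p).suffix.lower() not in KNOWN_EXTENSIONS)
    # a file that vanished while its name reappeared with an extra suffix was renamed in place
    renamed = sorted(old for old in removed if any(new.startswith(old + ".") for new in added))
    return {
        "new_ransom_notes": new_notes,
        "new_unknown_extensions": unknown_ext,
        "renamed_in_place": renamed,
        "still_active": bool(new_notes or unknown_ext or renamed),
    }


def demo():
    """Constructed tree; first comparison is quiet, second shows an attack in progress."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx").write_bytes(b"constructed document")
        (root / "photo.jpg").write_bytes(b"constructed photo")
        first = snapshot(root)
        quiet = activity_indicators(first, snapshot(root))   # nothing changed between looks
        # simulate encryption continuing between polls: rename in place plus a new note
        (root / "docs" / "report.docx").rename(root / "docs" / "report.docx.locked")
        (root / "docs" / "README_RESTORE_FILES.txt").write_text("constructed ransom note")
        active = activity_indicators(first, snapshot(root))
        return quiet, active
```

On a real machine, call `snapshot()` on a user data folder twice a minute or two apart and feed both results to `activity_indicators()`; a quiet result does not prove the malware is gone (it may be dormant or waiting on a scheduled task), but any positive result settles the question and rules out live recovery.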

Part 7. How to Use NoMoreRansom to Find a Free Decryptor

NoMoreRansom.org is a free resource operated by Europol, Interpol, and leading cybersecurity companies. It hosts over 220 free decryption tools covering hundreds of ransomware strains.

Steps to identify your ransomware and find a decryptor:

  1. Go to NoMoreRansom.org Crypto Sheriff
  2. Upload two encrypted files and/or your ransom note
  3. The tool analyzes the encryption pattern and identifies the strain
  4. If a decryptor exists, Crypto Sheriff links you directly to the download
  5. Download and run the decryptor on your preserved encrypted files

If no decryptor exists today, check back regularly — new tools are added as law enforcement operations break up ransomware groups and seize key material.

Ransomware strain and decryptor status (2025–2026):

  • Phobos / 8base: free decryptor available
  • FunkSec: free decryptor available
  • DoNex: free decryptor available
  • Midnight / Endpoint: free decryptor available
  • HomuWitch: free decryptor available
  • LockBit 3.0: partial keys released
  • Most active strains: check NoMoreRansom monthly

Part 8. Ransomware Response Decision Matrix

Use this checklist to determine the correct action sequence for your specific situation.

Step (condition): action

  1. Always: Disconnect from the network immediately
  2. Always: Do NOT pay the ransom yet — check NoMoreRansom first
  3. Windows system: Run vssadmin list shadows and check for surviving snapshots
  4. Shadow copies found: Use Shadow Explorer to restore files from snapshots
  5. No shadow copies: Check whether the ransomware is still active before proceeding
  6. Ransomware still active: Boot from a clean USB; do not run recovery on the live system
  7. System stable: Boot from a clean USB and run Ritridata to scan for deleted originals
  8. Files recovered: Save them to a clean external drive
  9. Before wiping: Copy all encrypted files to external storage
  10. Before wiping: Image the infected drive (Clonezilla or Macrium Reflect Free)
  11. After imaging: Wipe and rebuild the system
  12. After rebuild: Check NoMoreRansom with your encrypted file copies

💡 Tip: Keep your encrypted file copies and forensic image for at least 2 years. New decryptors continue to emerge as cybercrime task forces dismantle ransomware operations.

Part 9. How Ritridata Can Help You Recover Deleted Originals

If your system has been hit by ransomware that used the encrypt-then-delete mechanic, Ritridata can scan the infected drive for deleted original files and recover them before you wipe the system.

The recommended approach is to use Ritridata from a bootable USB environment rather than installing it on the infected system. This prevents any new writes to the infected drive, which could overwrite the deleted originals you are trying to recover — and avoids running software on a potentially still-active infected system.

Recover Deleted Files with Ritridata

Step 1 — Create a Ritridata bootable USB on a clean, uninfected computer

[IMAGE: Ritridata — create bootable USB recovery drive on a clean PC]

Step 2 — Boot the infected computer from the Ritridata USB and scan the infected drive as read-only

[IMAGE: Ritridata — boot from USB, select infected drive for scan]

Step 3 — Preview and recover deleted original files to a separate, clean external drive

[IMAGE: Ritridata — preview recovered files, save to external drive]

Using a bootable recovery environment means Ritridata never writes to the infected drive during scanning, preserving the maximum amount of recoverable data. Recovered files are saved directly to your clean external drive — ready to use once you have confirmed the ransomware is fully eradicated.

Frequently Asked Questions

Should I wipe my computer immediately after a ransomware attack? Not immediately. Before wiping, check for Volume Shadow Copies with vssadmin list shadows, attempt to recover deleted original files using recovery software from a clean boot environment, and copy all encrypted files to an external drive for future decryptors. Then wipe.

Can I recover files from a ransomware-encrypted drive without paying the ransom? In many cases, yes. First check NoMoreRansom.org for a free decryptor matching your strain. Second, if the ransomware used an encrypt-then-delete mechanic, file recovery software may retrieve the deleted originals from unallocated disk space before the drive is wiped.

Does formatting a drive fully remove ransomware? A standard format often does not fully remove all ransomware artifacts — rootkits and bootloader-level persistence can survive a format. A full disk wipe (overwriting all sectors) is more thorough. Reinstalling the OS from clean media after wiping is the recommended approach.

Is it safe to run file recovery software on an actively infected system? Generally no. If ransomware is still active, any files you recover may be re-encrypted immediately. Boot from a clean USB drive and run recovery software from that environment, treating the infected drive as a read-only secondary device.

What is the vssadmin list shadows command and when should I run it? vssadmin list shadows is a Windows Command Prompt command that lists all existing Volume Shadow Copy snapshots. Run it in an elevated (Administrator) command prompt before any cleaning or wiping — surviving snapshots may let you restore files instantly without any third-party recovery tool.

What is NoMoreRansom.org and is it trustworthy? NoMoreRansom.org is operated by Europol, Interpol, Kaspersky, and other major cybersecurity organizations. It is free, legitimate, and regularly updated with new decryptors. Always download decryptors from this official site rather than third-party sources.

Why should I keep encrypted files even after recovering originals? Your recovered originals may be incomplete, or some files may not have been recoverable. Keeping the encrypted versions means you can decrypt them later if a decryptor for your specific ransomware strain is released — even years after the attack.

Will ransomware come back after wiping? If you wipe and reinstall the OS from clean media, and patch the vulnerability or credential gap the attacker used to gain access, ransomware should not recur. However, if the attack vector (e.g., RDP exposure, phishing link) is not addressed, reinfection is possible regardless of how thoroughly you wiped.
