How to Recover Your Files After a Malware Attack (2026)

The Malware Is Gone — Now How Do You Get Your Files Back?

Ethan Carter | Last Updated: March 14, 2026

A malware attack can delete, hide, encrypt, or corrupt your files — but recovery is often possible if you follow the right steps in the right order.
This guide covers the full post-cleanup workflow: from deciding whether to clean or recover first, to checking shadow copies and antivirus quarantine before reaching for recovery software.
Ritridata can scan your drive for files lost during or after a malware attack and recover them to a safe location.

If your system survived a malware attack, recovering your files is often still possible — the key is acting in the right order and choosing the right method for the type of damage done. Most guides focus on removing the malware; this one starts where that process ends and walks you through what to do next.


Part 1. What Malware Actually Does to Your Files

Not all malware causes the same type of file loss. Understanding the specific damage helps you pick the fastest recovery path.

There are four main scenarios:

| Damage Type | How It Happens | Recovery Difficulty |
|---|---|---|
| Hidden files | Virus sets system "hidden" attribute on files/folders | Easy — files still exist |
| Deleted files | Malware deletes files to deny access or cover tracks | Moderate — depends on disk activity since deletion |
| Encrypted files | Ransomware encrypts files and demands payment | Hard — requires decryption key or shadow copies |
| Corrupted files | Worm or overwrite-style virus damages file structure | Varies — partial recovery often possible |

💡 Tip: Before you run any recovery tool, identify which category applies to your situation. A file that looks "gone" may actually be hidden — a two-second fix — rather than deleted or encrypted.

Hidden files are the easiest to recover and the most often mistaken for permanent loss. Many trojans and worms set the hidden attribute on entire folders to make users believe files have been wiped. The data is still fully intact on disk.

Deleted files are removed from the directory but the underlying data often remains on disk until overwritten. The sooner you act — and the less you write to the drive — the higher the chance of recovery.

Encrypted files (ransomware) are the hardest case. The file structure is intact but the content is scrambled. Without the decryption key, software-based recovery alone will not restore readable content — though shadow copies and version history can sometimes bypass this entirely.

Corrupted files occur when a virus overwrites portions of a file. Recovery software can sometimes reconstruct the intact portions, but results vary by file type and damage extent.


Part 2. Clean First or Recover First? The Decision Table

This is the question most articles skip entirely — and getting it wrong can make recovery harder or even impossible.

| Scenario | Recommended Order | Why |
|---|---|---|
| Stable system, non-encrypting malware (trojan, worm, spyware, adware) | Remove malware first, then recover | Malware is no longer actively damaging files; cleaning first gives recovery software a safe environment |
| Ransomware — system still running, files encrypted | Boot from clean USB, recover first, then wipe | Running ransomware may still be active; recovery software on the infected OS risks re-encryption or shadow-copy deletion |
| System unstable / repeated BSOD | Boot from clean USB, recover first, then wipe | Unstable OS can corrupt more data; recover to an external drive before attempting any cleanup |
| Attack is recent and ongoing (ransomware encrypting live) | Disconnect from network and power off immediately | Every second of runtime encrypts more files; hard shutdown limits damage |

⚠️ Important: If you suspect active ransomware is still running, do NOT shut down normally. Pull the power cable or hold the power button. A normal shutdown can trigger final encryption or shadow-copy deletion routines built into some ransomware variants.

The core principle: if the malware is no longer active and your system is stable, clean it first. Recovery software works better on a clean system. If there is any doubt about stability or active encryption, boot from a USB drive and recover to an external location before touching the infected OS.

🗣️ r/sysadmin user: "You don't 'recover' from ransomware. You restore from backups or have some kind of failover in your environment (DR)."


Part 3. Step 1 — Check If Your Files Are Hidden, Not Gone

Before reaching for recovery software, spend two minutes ruling out the simplest cause: files hidden by malware.

Many viruses and trojans use the Windows "hidden" file attribute to make your data disappear from view while leaving it completely intact on disk. To check:

On Windows 10/11:

  1. Open File Explorer
  2. Click the View tab (Windows 10) or View → Show (Windows 11)
  3. Check Hidden items
  4. If your files reappear, right-click the folder → Properties → uncheck Hidden → apply to all subfolders

Via Command Prompt (more thorough):

attrib -h -s -r /s /d "D:\YourFolder\*"

This command removes the hidden, system, and read-only attributes from all files and subfolders recursively. Replace D:\YourFolder with your actual drive and path.

💡 Tip: The USB shortcut virus is one of the most common malware types that hides files. If your USB drive appears empty after a malware infection but the storage usage still shows data used, run the attrib command above — your files are almost certainly still there.

If files do not reappear after unhiding, they have been deleted, encrypted, or corrupted and require the steps below.


Part 4. Step 2 — Check Antivirus Quarantine Before Running Recovery Software

This step is easy to overlook and can save you significant time: your antivirus may have quarantined legitimate files that it flagged during the cleanup scan.

Quarantine does not delete files — it isolates them in a protected location where they cannot run. If a clean file was caught in a false positive during the malware removal sweep, it will be sitting in quarantine intact and fully recoverable with a single click.

To check quarantine in Windows Defender / Microsoft Defender Antivirus:

  1. Open Windows Security
  2. Go to Virus & threat protection
  3. Click Protection history
  4. Look for items with action "Quarantined"
  5. Select any legitimate file → click Restore

(Microsoft documentation covers this process for both home and enterprise environments.)

For third-party antivirus tools (Malwarebytes, Bitdefender, etc.), the quarantine section is typically found under "Detection History," "Threats," or "Quarantine" in the main dashboard.

💡 Tip: Check quarantine immediately after a malware removal, before running any file recovery software. If the file is in quarantine, restoring it takes seconds. If you run recovery software first, you may end up recovering an older version even though the current one was sitting intact in quarantine.


Part 5. Step 3 — Try Shadow Copies and Previous Versions

Windows creates automatic snapshots of files through the Volume Shadow Copy Service (VSS), often called Previous Versions. If System Protection was enabled before the attack, you may be able to restore files from these snapshots without any third-party software.

To access Previous Versions on Windows 10/11:

  1. Right-click the folder containing your lost files
  2. Select Properties
  3. Click the Previous Versions tab
  4. Select a snapshot from before the attack
  5. Click Copy (not Restore) to save the previous version to a different location

⚠️ Important caveat: Most modern ransomware deliberately deletes shadow copies before encrypting files — it is one of the first things many ransomware variants do. If you are recovering from ransomware and Previous Versions shows no entries, the shadow copies were likely wiped. For non-ransomware malware (trojans, worms, spyware), shadow copies are typically still intact.

If Previous Versions shows no snapshots, try ShadowExplorer — a free tool that can sometimes find shadow copies that the standard Windows interface does not display.
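
The checks from Steps 1 to 3, gathered into one read-only PowerShell inventory. This is an added example, not part of the original article or of any vendor's tooling; the function name Get-PreRecoveryInventory, the folder path and the attack date are assumptions, and it expects an elevated session with Microsoft Defender at its default install path.

```powershell
# Added example: read-only inventory for Steps 1-3. It changes nothing on disk.
# Assumptions: elevated PowerShell on Windows 10/11, Microsoft Defender at its
# default install path; Get-PreRecoveryInventory is a hypothetical helper name.
function Get-PreRecoveryInventory {
    param(
        [Parameter(Mandatory)][string]$Folder,       # e.g. 'D:\YourFolder'
        [Parameter(Mandatory)][datetime]$AttackDate  # your best estimate
    )

    # Step 1: items flagged Hidden AND System, the pair that attrib -h -s clears.
    $mask = [IO.FileAttributes]'Hidden, System'
    $hidden = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask })

    # Step 2: Defender's own list of quarantined items (plain text output).
    $mp = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $quarantine = if (Test-Path -LiteralPath $mp) { & $mp -Restore -ListAll } else {
        'MpCmdRun.exe not found at the default path'
    }

    # Step 3: shadow copies, marked by whether they predate the attack.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Sort-Object InstallDate |
        Select-Object @{n='Created';      e={ $_.InstallDate }},
                      @{n='Volume';       e={ $_.VolumeName }},
                      @{n='Device';       e={ $_.DeviceObject }},
                      @{n='BeforeAttack'; e={ $_.InstallDate -lt $AttackDate }})

    [pscustomobject]@{
        HiddenSystemItems = $hidden | Select-Object FullName, Length, LastWriteTime
        Quarantine        = $quarantine
        ShadowCopies      = $shadows
        UsableSnapshots   = @($shadows | Where-Object BeforeAttack).Count
    }
}

# Usage (placeholder path and date, replace with your own):
$r = Get-PreRecoveryInventory -Folder 'D:\YourFolder' -AttackDate '2026-03-01'
'{0} hidden+system item(s), {1} snapshot(s) older than the attack' -f `
    @($r.HiddenSystemItems).Count, $r.UsableSnapshots
$r.ShadowCopies | Format-Table -AutoSize
$r.Quarantine
```

A UsableSnapshots count of zero on a machine where System Protection was enabled matches the shadow-copy deletion described in the caveat above.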

🗣️ r/cybersecurity user: "Mount the drive on Linux or another OS to potentially recover files. Success depends heavily on the specific ransomware variant used."


Part 6. Step 4 — Check for a Free Decryption Tool (Ransomware Only)

If you are dealing with ransomware-encrypted files and shadow copies are gone, check NoMoreRansom.org before paying any ransom or purchasing specialized decryption services.

The No More Ransom project — a collaboration between Europol, the Dutch National Police, and cybersecurity vendors — offers free decryption keys and tools for hundreds of known ransomware families. Upload a sample encrypted file to their Crypto Sheriff tool and it will identify the ransomware variant and point you to a decryptor if one exists.

💡 Tip: Even if no decryptor exists today, do not delete the encrypted files. Law enforcement regularly releases new decryption keys after ransomware operators are arrested or their infrastructure is seized. Keeping encrypted copies costs nothing and may pay off months later.


Part 7. Recovery Method by Scenario

Use this reference table to match your specific situation to the right recovery approach.

| File Status | Likely Cause | Primary Method | Fallback |
|---|---|---|---|
| Files hidden, folders look empty | Trojan / USB virus | attrib command or File Explorer hidden view | |
| Files missing after antivirus scan | AV quarantine (false positive) | Restore from quarantine | File recovery software |
| Files deleted, no shadow copies | Malware deletion / worm | File recovery software (Ritridata) | Professional recovery service |
| Files encrypted by ransomware | Ransomware | NoMoreRansom decryptor | Shadow copies → recovery software for unencrypted copies |
| Files partially corrupted | Overwrite virus | File recovery software (partial recovery) | Professional data recovery lab |
| Files missing after full OS wipe | Ransomware recovery wipe | Recovery software on old drive (before wipe) | Professional lab |

Part 8. Malware Type vs. Recovery Approach

| Malware Type | Typical File Damage | Best Recovery Approach |
|---|---|---|
| Ransomware | Encrypts files in place | Shadow copies → NoMoreRansom decryptor → recovery software |
| Trojan | Hides files, may delete key files | Unhide with attrib → recovery software for deleted items |
| Worm | Deletes or overwrites files, spreads via USB | Recovery software after worm removal |
| Virus | Corrupts or deletes files | Recovery software — partial recovery common |
| Spyware | Rarely damages files directly | Check quarantine for any false positives |

Part 9. Recover Lost Files with Ritridata

When hidden-file checks, quarantine restores, and shadow copies are not enough, file recovery software can scan your drive at the sector level and retrieve files that were deleted during or after a malware attack.

Ritridata supports recovery from HDDs, SSDs, USB drives, and SD cards on both Windows and Mac. It can recover files deleted by malware, files lost when malware reformatted a drive, and files from drives left in a RAW or unreadable state after an infection.

Step 1 — Select the infected drive or location

Choose the drive or folder where your files were stored before the attack. For best results, recover to a separate drive — not the one being scanned.

Step 2 — Run a safe scan

Ritridata scans the drive without writing to it, so it does not overwrite any recoverable data during the process.

Step 3 — Preview and recover to another drive

Preview found files before recovering. Select the files you need and save them to a different drive — never recover to the same drive you are scanning.

💡 Tip: If your system is still unstable after a malware attack, use Ritridata's bootable USB feature to boot from a clean environment and recover files from a crashed or compromised Windows installation.


Part 10. FAQ

Can files really be recovered after a malware attack?
In many cases, yes. Files that were hidden by malware are often fully intact. Files that were deleted may still be recoverable with recovery software if the drive has not been heavily written to since the attack. Encrypted files are harder — recovery depends on whether a decryption key or shadow copy is available.

Should I remove the malware before or after recovering files?
It depends on the situation. For stable systems with non-encrypting malware (trojans, worms, spyware), remove the malware first and then recover. If you suspect active ransomware or your system is unstable, boot from a clean USB drive, recover to an external drive, and wipe afterward.

How do I know if my files are hidden versus deleted?
Enable hidden file visibility in File Explorer (View → Show → Hidden items on Windows 11) or run the command attrib -h -s -r /s /d on the affected folder. If files reappear, they were hidden. If not, they may have been deleted or encrypted.

Does ransomware always delete shadow copies?
Many modern ransomware variants do delete shadow copies early in their execution. However, if the attack was caught quickly or the ransomware variant did not include this behavior, Previous Versions may still work. Always check before assuming shadow copies are gone.

Can I restore files my antivirus deleted?
Your antivirus likely quarantined rather than deleted those files. Check the Protection History in Windows Security (or the equivalent in your antivirus software) and restore any legitimate files from quarantine.

What is NoMoreRansom.org and should I use it?
NoMoreRansom.org is a free resource run by Europol and cybersecurity vendors that provides decryption tools for known ransomware families. Upload a sample encrypted file to their Crypto Sheriff tool. If a free decryptor exists for your ransomware variant, it will be listed there.

Is it safe to run file recovery software on an infected drive?
Only if the malware has been removed first. Running recovery software on an actively infected system risks further damage. If you cannot remove the malware, boot from a clean USB environment before running any recovery tools.

What if my files are encrypted and no decryptor exists?
Keep the encrypted files — do not delete them. New decryption keys are released periodically as ransomware operations are shut down by law enforcement. In the meantime, restore from any available backup and report the incident to IC3.gov (US) or your local cybercrime authority.

Can recovery software recover files from a reformatted drive?
In some cases, yes. If the drive was quick-formatted (not zero-wiped), recovery software may be able to retrieve files from the sectors that were not overwritten. A deep scan is required.

How do I prevent this from happening again?
Keep automatic backups to an external drive that is disconnected when not in use (offline backup). Ransomware and other malware cannot encrypt a drive it cannot reach. Enable System Protection (shadow copies) on Windows and keep your antivirus definitions current.

