
My files were encrypted by ransomware — what do I do now?

If files are currently being encrypted or have just been encrypted, the immediate priority is stopping the spread — not installing software or researching options. Disconnect the machine from the network now: unplug the ethernet cable or disable WiFi. If other devices share the same network or mapped drives, they may be at risk. Isolation stops the encryption from reaching shared storage or other devices on the network.

Quick answer

  • Machine is actively encrypting or just stopped — right now: Disconnect from network immediately, then run Malwarebytes to identify and remove the ransomware before doing anything else
  • Ransomware removed, assessing recovery options: Check backups first — external drive, cloud sync, or Windows Shadow Copies (if the ransomware didn't delete them); check nomoreransom.org for a free decryptor
  • Machine is clean, want protection against reinfection going forward: Bitdefender — Ransomware Remediation rolls back encrypted files automatically if a future attack begins; Behavioral Shield catches encryption behavior early

When it matters

Order matters more than speed in the first minutes after a ransomware attack:

  • Disconnect from network — ethernet and WiFi both; ransomware spreads laterally to mapped drives and network shares while it's running
  • Do not restart the machine — some ransomware variants encrypt on reboot; some forensic tools require the original running state
  • Photograph the ransom note — record the contact address and any identifiers; this information is useful for identifying the ransomware family and checking for existing decryptors
  • Check nomoreransom.org — law enforcement and security researchers publish free decryptors for many ransomware families; this is the first place to check before assuming files are permanently lost
  • Check backups — external drives that were disconnected before the attack, cloud sync versions (many services keep version history), and Windows Shadow Copies if the ransomware didn't delete them

Paying the ransom does not guarantee file recovery. In documented cases, decryption keys provided after payment either don't work or only partially restore files. It also funds future attacks and may flag the paying party as a target for follow-up extortion.

When it fails

  • Files encrypted with a correctly implemented modern cipher (AES-256 or RSA-2048) are generally considered unrecoverable without the decryption key — this is a computational constraint, not a software limitation
  • Shadow Copies are frequently deleted by ransomware during execution — don't assume they exist until you've confirmed
  • Cloud-synced files may already be overwritten with encrypted versions if cloud sync was running during the attack — check version history in the cloud service before assuming sync is a safe recovery option
  • Ransomware removal does not restore files — removing the malware stops further encryption but does not decrypt what's already been encrypted
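
One way to confirm whether Shadow Copies survived, as an added example that is not part of the original page: a read-only PowerShell script, run from an elevated prompt on the isolated machine, that lists each shadow copy and whether it predates the attack. The `$IncidentTime` parameter and its six-hour default are assumptions; replace them with your own estimate of when encryption began.

```powershell
# Added example: read-only inventory of Volume Shadow Copies.
# Requires an elevated (Administrator) PowerShell session.
# $IncidentTime is an assumption: set it to when encryption is believed to have started.
param(
    [datetime]$IncidentTime = (Get-Date).AddHours(-6)
)

# Map volume GUID paths (\\?\Volume{...}\) to drive letters for readable output.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $volumes[$_.DeviceID] = if ($_.DriveLetter) { $_.DriveLetter } else { '(no letter)' }
}

# -ErrorAction Stop surfaces an access-denied error instead of an empty result
# when the session is not elevated.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)

if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies found on any volume. Treat them as unavailable and check backups instead.'
    return
}

# One row per shadow copy, oldest first, flagged by whether it predates the incident.
$report = $shadows | Sort-Object InstallDate | ForEach-Object {
    [pscustomobject]@{
        Drive          = $volumes[$_.VolumeName]
        Created        = $_.InstallDate
        BeforeIncident = ($_.InstallDate -lt $IncidentTime)
        ShadowId       = $_.ID
        DeviceObject   = $_.DeviceObject
    }
}
$report | Format-Table -AutoSize

# Only copies created before the incident can hold unencrypted file versions.
$usable = @($report | Where-Object BeforeIncident)
if ($usable.Count -eq 0) {
    Write-Warning 'Shadow copies exist, but all were created after the estimated incident time.'
} else {
    Write-Host ("{0} shadow copy(ies) predate the incident; newest is from {1}." -f $usable.Count, $usable[-1].Created)
}
```

The script only queries WMI and changes nothing on disk, so it can be run before any cleanup or restore attempt.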

The only reliable protection against ransomware data loss is offline backups that were not connected during the attack. A backup that was connected to the same network at the time of infection may itself be encrypted.

How providers fit

Malwarebytes fits for the immediate cleanup phase. Run the free on-demand scan after isolating the machine from the network — it identifies and removes the ransomware executable and associated components. This stops further encryption and clears the machine for recovery assessment.

ESET fits as a second-opinion scan after Malwarebytes completes. Advanced Memory Scanner checks for fileless ransomware components that may have executed in memory without leaving a file on disk. ESET Online Scanner runs without installation — relevant if the system state is uncertain.

Bitdefender fits as the protection layer for a clean machine going forward. Ransomware Remediation monitors for encryption behavior and automatically rolls back affected files if an attack begins — this is forward protection, not recovery of already-encrypted files. Behavioral Shield detects ransomware activity before the encryption completes on a significant portion of files.

Bottom line

Malwarebytes first to remove the ransomware. Check nomoreransom.org and backup options in parallel. ESET as a secondary scan if anything is still uncertain. Once the machine is confirmed clean, Bitdefender's Ransomware Remediation is the most direct protection against a repeat incident — it's designed to catch what gets past the initial scan layer.

Where to go next

  • Malwarebytes: The trusted cleanup tool — removes what other antivirus misses
  • ESET: Low-resource antivirus trusted by IT professionals for over 30 years
  • Bitdefender: The most consistent detection rates with low-friction automation