
How to Recover Encrypted Business Files After a Ransomware Attack

  • Writer: Neil Hare-Brown
  • Apr 23

If your business files are encrypted and you can’t open them, you may be dealing with a ransomware attack.


Whether you’ve already received a ransom note or just discovered that documents across your network are suddenly inaccessible, this guide is here to help.

It outlines the key steps you can take now to understand what’s happened, prevent further damage, and explore recovery options - including whether file restoration is possible without paying a ransom.





Step 1: Confirm It’s Ransomware


Before attempting recovery, confirm the nature of the attack:

  • Are files renamed or carrying a new extension (e.g. .locked, .encrypted, .[groupname])?

  • Is there a ransom note on the desktop or in file directories?

  • Do the notes reference a dark web portal, email address, or payment demand?


If these signs are present, avoid trying to open or alter the encrypted files - focus on containment first. If you are not sure, contact the STORM team for a free, no-obligation discussion about your concerns.
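The Step 1 checks can be run across a folder tree from file names alone, so no encrypted file is opened or altered. This is an added example, not part of the original article; the note formats, the three-folder threshold and the sample name `HOW_TO_RESTORE.txt` are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
from collections import Counter, defaultdict

# Extensions from this page's examples; add the one seen in your incident.
WATCHLIST = {".locked", ".encrypted"}
NOTE_EXTS = {".txt", ".html"}  # assumption: typical ransom-note formats
MIN_DIRS = 3                   # assumption: same note name in >= 3 folders


def triage(root):
    """Classify a tree by file NAMES only; nothing is opened or changed."""
    ext_counts = Counter()
    kept_original_ext = 0               # e.g. report.docx.locked
    note_dirs = defaultdict(set)        # note-like name -> folders holding it
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if ext in WATCHLIST:
                ext_counts[ext] += 1
                if os.path.splitext(stem)[1]:
                    kept_original_ext += 1
            elif ext in NOTE_EXTS:
                note_dirs[name.lower()].add(dirpath)
    repeated = {n: len(d) for n, d in note_dirs.items() if len(d) >= MIN_DIRS}
    return {
        "flagged_extensions": dict(ext_counts),
        "kept_original_ext": kept_original_ext,
        "repeated_note_candidates": repeated,
        # Both signs from Step 1 together: renamed files AND a repeated note.
        "likely_ransomware": bool(ext_counts) and bool(repeated),
    }


def build_sample(root):
    """Constructed sample: three shares, each with a renamed file and a note."""
    for share in ("finance", "hr", "sales"):
        os.makedirs(os.path.join(root, share))
        for name in ("report.docx.locked", "HOW_TO_RESTORE.txt"):
            open(os.path.join(root, share, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A repeated file name on its own (for example a `readme.txt` in every project folder) is not a sign of ransomware, which is why the result requires both indicators.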



Step 2: Isolate Infected Systems


Prevent the ransomware from spreading further:

  • Disconnect affected machines from your network (wired and wireless)

  • Disable shared drives and remote access (e.g. VPN, RDP)

  • Do not power off devices unless advised - forensic teams may need memory data

The quicker you contain it, the more data you can potentially protect.



Step 3: Preserve the Evidence


Before attempting any recovery:

  • Save copies of encrypted files and the ransom note

  • Take screenshots of any communication portals or messages

  • Export relevant logs and system information for investigation


This information will be vital if you work with a ransomware response provider or law enforcement.
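One way to save the copies described in Step 3 so that they can later be shown to be unchanged is to record a SHA-256 hash for each file at collection time. This is an added example, not part of the original article; the `manifest.json` layout, the collector label `analyst-1` and the sample file are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:        # opened read-only; source is not written
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source into evidence_dir and record its hash in manifest.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for i, src in enumerate(sources):
        digest = sha256_file(src)
        dest = os.path.join(evidence_dir, f"{i:04d}_{os.path.basename(src)}")
        shutil.copy2(src, dest)        # copy2 also carries over the modified time
        if sha256_file(dest) != digest:
            raise OSError(f"copy of {src} does not match the original")
        entries.append({"original_path": os.path.abspath(src), "sha256": digest,
                        "evidence_file": os.path.basename(dest)})
    manifest = {"collector": collector, "files": entries,
                "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash the preserved copies; return the names that no longer match."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        files = json.load(f)["files"]
    return [e["evidence_file"] for e in files
            if sha256_file(os.path.join(evidence_dir, e["evidence_file"])) != e["sha256"]]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        note = os.path.join(tmp, "HOW_TO_RESTORE.txt")   # constructed sample
        with open(note, "w") as f:
            f.write("constructed ransom note text")
        preserve([note], os.path.join(tmp, "evidence"), "analyst-1")
        print(verify(os.path.join(tmp, "evidence")))     # [] = copies intact
```

Write the evidence folder to removable or otherwise separate storage rather than to the affected machine, and run `verify` again before handing the set to a response provider or law enforcement.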




Step 4: Identify the Ransomware Variant


Knowing which ransomware you’re dealing with helps determine:

  • Whether a free decryptor exists

  • If known decryption keys are available

  • What the risks are for data exfiltration


Tools like ID Ransomware can help identify the strain, or you can engage a specialist like STORM Guidance to confirm.




Step 5: Review Your Recovery Options


Option A: Restore from Backups

If you have clean, offline backups available:

  • Rebuild affected systems in a secure environment

  • Restore data only once the threat is fully contained

  • Monitor restored systems for signs of reinfection


Option B: Use a Free Decryptor

Some ransomware variants have been publicly cracked.

  • Use only trusted sources like nomoreransom.org

  • Verify the ransomware strain with a professional before attempting decryption


Option C: Engage a Ransomware Negotiator

If backups and decryptors aren’t viable, and the data is critical to business operations, STORM Guidance can safely engage with the attackers on your behalf.

Our ransomware negotiation experts will:

  • Assess the credibility of the threat actor

  • Manage all communications securely and anonymously

  • Attempt to reduce the ransom amount

  • Validate and test any decryptors provided

  • Guide you through legal, financial, and reputational risks


This process is confidential, structured, and focused on getting your business safely back online.

STORM Guidance provides full ransomware engagement support - from initial contact to outcome management - always prioritising your organisation’s legal, operational, and reputational risk.



Step 6: Rebuild and Strengthen Defences


Once recovery is underway:

  • Reimage infected systems and restore only what’s clean

  • Reset all admin credentials and enforce MFA

  • Patch vulnerabilities and review firewall rules

  • Conduct a full post-incident review to close any gaps





How STORM Guidance Can Help


✔ Assess ransomware type and recovery options

✔ Identify safe restoration paths from backups

✔ Support with legal, technical, and regulatory issues

✔ Handle negotiation and payment (if necessary)

✔ Help rebuild defences and reduce future risk





Encrypted Files Are Not Always Lost - But Recovery Needs Caution


A ransomware attack can feel paralysing, but with the right guidance, many businesses recover fully - even in situations where files are encrypted and backups are unavailable.

STORM Guidance is here to guide your business through encrypted file recovery - whether through clean backups, safe decryption, or direct threat actor engagement.

With expert-led support, you can regain control and move forward with resilience and confidence.


