What are your realistic ransomware recovery options in India?
Short answer: Ransomware encrypts files in place — the hardware is fine, but the file content is scrambled. Recovery options in order of priority: (1) a public decryptor from nomoreransom.org; (2) Windows Shadow Copy (Volume Shadow Copy Service) snapshots that the ransomware missed; (3) cloud backup version history (OneDrive, Dropbox, Google Drive) that predates the encryption; (4) an offline backup (external drive, NAS) that was disconnected during the attack. Hardware cleanroom recovery cannot recover ransomware-encrypted data — it is a software/cryptographic problem, not a physical one.
Ransomware recovery — step by step in order of priority
Step 1: Check nomoreransom.org for a free decryptor
The No More Ransom Project (nomoreransom.org) — a joint initiative of Europol, the Dutch National Police, and cybersecurity companies including Kaspersky and McAfee — has published free decryptors for over 150 ransomware families. Upload an encrypted file and a ransom note to their Crypto Sheriff tool. If a decryptor exists, download and run it on the encrypted drive — free, no ransom payment needed. Many Indian SMEs hit by older ransomware families (STOP/Djvu, GandCrab, REvil/Sodinokibi before its shutdown) can recover using these free tools. New ransomware families typically lack public decryptors — check regularly as new ones are added. See also our earlier ransomware data recovery guide for context on India-specific attack patterns.
Step 2: Check Windows Shadow Copies immediately
The Windows Volume Shadow Copy Service (VSS) creates automatic point-in-time snapshots of files — called Shadow Copies — that are used by System Restore and Previous Versions. Many older ransomware families (2015–2020 era) did not delete Shadow Copies, or deleted them only partially. Open Command Prompt as administrator and run: vssadmin list shadows. If any shadow copies exist, use ShadowExplorer (a free tool) to browse the snapshot and restore individual files from it. Newer ransomware (LockBit, BlackCat/ALPHV, Clop) aggressively deletes all Shadow Copies within seconds of infection — but it is always worth checking, especially for older infections. Only snapshots created before the encryption started are useful; one taken afterwards contains the already-encrypted files.
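The Step 2 check as an added example (not code from the original article): a small Python script that parses saved output of vssadmin list shadows and keeps only the snapshots created before the ransom note's modification time, since a snapshot taken after encryption began holds scrambled files. The vssadmin output and the cutoff timestamp below are constructed, and US date formatting is assumed.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (US date format assumed).
# Two snapshots exist: one before the ransom note appeared, one after it.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 3/14/2024 2:05:17 AM
      Shadow Copy ID: {22222222-0000-0000-0000-000000000001}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 3/16/2024 11:40:02 PM
      Shadow Copy ID: {22222222-0000-0000-0000-000000000002}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""

# Constructed cutoff: modification time of the ransom note, i.e. when encryption began.
RANSOM_NOTE_MTIME = datetime(2024, 3, 15, 9, 0, 0)

def parse_shadow_copies(text):
    """Extract creation time, shadow copy ID and device path for each listed snapshot."""
    copies, created = [], None
    for line in text.splitlines():
        m = re.search(r"at creation time: (.+)$", line)
        if m:  # the set header carries the timestamp for the IDs that follow it
            created = datetime.strptime(m.group(1).strip(), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = re.search(r"Shadow Copy ID: (\{[0-9A-Fa-f-]+\})", line)
        if m:
            copies.append({"id": m.group(1), "created": created, "device": None})
            continue
        m = re.search(r"Shadow Copy Volume: (\S+)", line)
        if m and copies:  # device path to open in ShadowExplorer
            copies[-1]["device"] = m.group(1)
    return copies

def pre_encryption_snapshots(text=SAMPLE_VSSADMIN_OUTPUT, cutoff=RANSOM_NOTE_MTIME):
    """Snapshots taken before encryption began, newest first; later ones hold encrypted files."""
    usable = [c for c in parse_shadow_copies(text) if c["created"] < cutoff]
    return sorted(usable, key=lambda c: c["created"], reverse=True)

if __name__ == "__main__":
    for snap in pre_encryption_snapshots():
        print(snap["created"], snap["device"])
```

Run it on the real output saved with vssadmin list shadows > shadows.txt, passing the file contents and the ransom note's timestamp as the cutoff.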
Step 3: Restore from cloud version history
If encrypted files were synced to OneDrive, Google Drive, or Dropbox, cloud version history can restore pre-encryption versions. For OneDrive: Files → Restore Your OneDrive (rolls back to any point in the last 30 days for personal, 93 days for business). For Dropbox: right-click file → Version History (up to 180 days on paid plans). For Google Drive: right-click → Manage Versions. The key question is whether the cloud sync had already uploaded the encrypted versions before you disconnected — if so, the cloud also contains encrypted files. Disconnect the laptop from the internet immediately after ransomware is detected to prevent encrypted files from syncing to cloud storage.
Step 4: The India angle — offline backup and a UPS as ransomware defence
India’s lower ransomware recovery success rate compared to Western Europe and North America comes from two gaps: irregular offline backup discipline and lower Microsoft 365 subscription penetration (meaning less OneDrive version history coverage). A weekly offline backup to an external hard drive that is physically disconnected after backup is the single most effective ransomware defence available to Indian SMEs. A UPS protects that backup drive from the power-cut damage that often compounds ransomware incidents. Budget: an external 2 TB drive (₹4,000–₹6,000) + a basic UPS (₹2,000–₹4,000) provides recovery-grade protection.