How to Check if Ransomware Encrypted Files: Signs, Verification Steps, and Safe Next Actions

Written by: Abigail Ivy

How to Check if Ransomware Encrypted Files

Ransomware does not always make its presence obvious at first glance.

This guide shows how to check if ransomware encrypted files by looking for visible clues, confirming technical signs, and avoiding actions that can make recovery harder.

Knowing whether files were encrypted matters because ransomware incidents can also involve data theft, partial damage, or backup tampering.

The right checks help you identify the attack quickly and respond with less risk.

What ransomware encryption usually looks like

Ransomware encryption changes files so normal applications can no longer read them.

Instead of opening in Word, Excel, Adobe Acrobat, or photo viewers, affected files may appear broken, renamed, or inaccessible.

Common signs include:

  • Files that suddenly will not open or return errors such as “file format not recognized”
  • Unusual file extensions added to names, such as .locked, .encrypted, or random strings
  • Ransom notes placed in folders or on the desktop
  • File sizes that change in a consistent way, such as many documents ending up at similar lengths after the attack
  • Icons changing to generic unknown-file symbols

These signs are strong indicators, but they are not enough by themselves.

Some failures come from corruption, storage issues, or accidental deletion rather than ransomware.

First checks you can perform safely

Before touching the affected system heavily, verify what changed.

Use a separate trusted device if possible, especially if the machine may still be active on the network.

Look for file name changes

Sort a folder by file extension and compare affected files to known-good copies.

Ransomware often adds a new extension to many files at once.

If the original names are preserved but extensions have changed, encryption is more likely than deletion.

Open a few sample files with trusted applications

Try opening several file types from different folders.

If only one application fails, the issue may be software-specific.

If many unrelated file types fail across the system, encryption becomes more likely.

Check for ransom notes

Ransomware operators usually leave instructions in text files, HTML files, images, or wallpaper changes.

Search for filenames like README, DECRYPT, or HOW_TO_RECOVER.

A ransom note does not prove every file is encrypted, but it is a major indicator of a ransomware incident.

How to tell encryption from corruption or deletion

Not every unreadable file is encrypted.

Comparing symptoms helps you avoid false assumptions and choose the right recovery path.

  • Deletion: files are missing, but filenames and metadata are not altered by a new extension or ransom note.
  • Corruption: files exist but may be truncated or damaged due to disk failure, power loss, or sync errors.
  • Encryption by ransomware: many files are changed at once, extensions may be altered, and a ransom note is present.

A useful clue is scale.

Ransomware often affects many folders in a short period, while corruption is frequently limited to a disk, application, or event window.

Use file metadata and patterns to confirm the attack

If you can safely inspect metadata, look for mass changes in timestamps, extensions, and file size behavior.

Ransomware often processes files in bulk, so many documents may show nearly identical modification times.

Possible indicators include:

  • Large numbers of files modified within minutes
  • New extensions applied to documents, images, archives, and databases alike
  • Original file names still visible, but contents no longer readable
  • Encrypted files that are unusually small, unusually large, or both depending on the ransomware family

Security teams also compare file hashes from unaffected backups or shared repositories.

If the current file hash does not match a known-good version and the file cannot be opened, encryption is likely.
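The checks described above (extension changes, opening sample files, ransom-note filenames, bulk modification times, and hash comparison against known-good copies) can be run as one read-only triage pass. The script below is an added example written for this article, not code from its author or from any vendor. The suffix list, the ransom-note name pattern, the sample temp tree and the known-good manifest are constructed assumptions; the header check, which compares a file's first bytes with what its extension promises, stands in for opening the file in a trusted application. It goes slightly beyond the text by scanning a whole tree rather than one folder and by using the manifest to tell files that were deleted apart from files that were encrypted.

```python
"""Read-only ransomware triage scan: an added example, not code from the article.
It automates the checks above (extension census, ransom-note search, modification
burst count, file-header check, hash comparison against a known-good manifest).
The temp tree built by build_demo_tree() is constructed sample data."""
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Demo assumptions: suffixes the article names, a random-suffix pattern, a few ordinary extensions, note keywords; MAGIC holds real headers.
SUSPICIOUS_EXT = {".locked", ".encrypted"}
RANDOM_EXT = re.compile(r"^\.[a-z0-9]{5,12}$", re.I)
KNOWN_EXT = {".pdf", ".docx", ".xlsx", ".pptx", ".jpg", ".jpeg", ".png", ".txt", ".zip", ".csv"}
NOTE_NAME = re.compile(r"readme|decrypt|how_to_recover", re.I)
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_appended(ext):
    """True if ext looks like an added ransomware suffix rather than a document type."""
    return ext in SUSPICIOUS_EXT or (ext not in KNOWN_EXT and bool(RANDOM_EXT.match(ext)))

def scan(root, manifest=None, window_seconds=300):
    """Collect findings for every regular file under root; never writes anything.
    manifest maps original relative paths to known-good sha256 (e.g. from a backup);
    report.docx.locked is judged by .docx and looked up as report.docx."""
    root, manifest = Path(root), (manifest or {})
    ext_counter, mtimes, seen = Counter(), [], set()
    notes, header_mismatch, hash_mismatch = [], [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, last = path.relative_to(root).as_posix(), path.suffix.lower()
        ext_counter[last] += 1
        mtimes.append(path.stat().st_mtime)
        if NOTE_NAME.search(path.name):          # candidate only; README.md also matches
            notes.append(rel)
        if looks_appended(last) and len(path.suffixes) >= 2:
            original_rel, type_ext = rel[:-len(path.suffix)], path.suffixes[-2].lower()
        else:
            original_rel, type_ext = rel, last
        seen.add(original_rel)
        with path.open("rb") as fh:
            head = fh.read(8)
        if type_ext in MAGIC and not head.startswith(MAGIC[type_ext]):
            header_mismatch.append(rel)          # extension promises a format the bytes lack
        if original_rel in manifest and sha256_file(path) != manifest[original_rel]:
            hash_mismatch.append(rel)            # differs from the known-good copy
    mtimes.sort()                                # largest burst inside any window_seconds
    burst = j = 0
    for i, t in enumerate(mtimes):
        while mtimes[j] < t - window_seconds:
            j += 1
        burst = max(burst, i - j + 1)
    return {"files": len(mtimes),
            "appended_extensions": {e: n for e, n in ext_counter.items() if looks_appended(e)},
            "burst_modified": burst, "ransom_notes": notes,
            "header_mismatch": header_mismatch, "hash_mismatch": hash_mismatch,
            "missing": sorted(k for k in manifest if k not in seen)}

def verdict(f, min_bulk=5):
    """Map findings onto the article's deletion / corruption / encryption split."""
    signals = sum([
        bool(f["appended_extensions"]) and max(f["appended_extensions"].values()) >= min_bulk,
        f["burst_modified"] >= min_bulk, bool(f["ransom_notes"]),
        len(f["header_mismatch"]) >= min_bulk or bool(f["hash_mismatch"])])
    if signals >= 3:
        return "likely ransomware encryption"
    if signals == 0 and f["missing"]:
        return "files missing but unchanged: deletion or sync issue more likely"
    return "inconclusive: corruption possible, keep checking" if signals else "no encryption signals found"

def build_demo_tree():
    """Constructed tree: 8 'encrypted' documents, a ransom note, one intact PDF.
    Returns (root, manifest); the manifest plays the role of a backup's hash list."""
    root, now, manifest = tempfile.mkdtemp(prefix="triage_demo_"), 1_700_000_000, {}
    docx_bytes = b"PK\x03\x04" + b"\x00" * 60             # minimal stand-in for a .docx
    pdf_bytes = b"%PDF-1.4\n%constructed\n"
    Path(root, "docs").mkdir()
    for n in range(8):
        manifest[f"docs/doc{n}.docx"] = hashlib.sha256(docx_bytes).hexdigest()
        enc = Path(root, "docs", f"doc{n}.docx.locked")
        enc.write_bytes(b"\xab" + hashlib.sha256(f"ct{n}".encode()).digest() * 2)  # pseudo-ciphertext
        os.utime(enc, (now, now + n))                     # all touched within seconds
    note = Path(root, "docs", "README_TO_DECRYPT.txt")
    note.write_text("Constructed note text. Victim ID: DEMO-0000\n")
    os.utime(note, (now, now + 10))
    ok = Path(root, "ok.pdf")
    ok.write_bytes(pdf_bytes)
    manifest["ok.pdf"] = hashlib.sha256(pdf_bytes).hexdigest()
    os.utime(ok, (now - 86400, now - 86400))             # untouched, a day earlier
    manifest["docs/deleted.csv"] = "0" * 64               # present only in the backup
    return root, manifest
```

Run `scan()` against a copy or a read-only mount rather than the live disk, and hand its output to `verdict()`. On the constructed tree it reports eight `.locked` files, a nine-file modification burst, one note candidate, eight header and hash mismatches and one path that exists only in the backup, which is enough for the verdict to call it likely encryption; a tree where files are simply absent, with no notes, suffixes or header mismatches, falls into the deletion branch instead.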

Check whether the ransomware family is known

Different ransomware families leave different file markers.

Some append a specific extension, while others use a victim ID in the ransom note.

Identifying the strain can help you find recovery guidance, known decryption tools, and incident reports from vendors such as Microsoft, Kaspersky, ESET, Sophos, or Avast.

When searching, collect:

  • Exact ransom note filename and text
  • New file extension or naming pattern
  • Any contact email, Tor address, or victim ID
  • Sample affected file names without opening suspicious attachments or links

Online ransomware identification databases and security blogs can help map these clues to a specific family.

Be careful to use reputable sources and do not upload sensitive files to unknown services.

Check backups before assuming data loss

Encrypted files on the endpoint do not always mean all copies are lost.

Review offline backups, cloud snapshots, version history, and protected network shares.

If you can confirm that backup files predate the attack, you may be able to restore clean data after containment.

Useful backup checks include:

  • Snapshot timestamps versus the suspected attack window
  • File version history in cloud platforms such as Microsoft 365, Google Workspace, or OneDrive
  • Whether backup repositories were isolated from the infected host
  • Whether backup logs show unusual deletions or encryption attempts

If backup systems were reachable from the infected machine, verify that ransomware did not also target them.

Many modern attacks attempt to delete shadow copies, disable restore features, or corrupt network backups.
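The backup checks above (snapshot timestamps against the attack window, whether the repository was reachable from the infected host, and whether backup logs show unusual deletions) can be scripted once the time the first symptom appeared is known. The code below is an added example, not code from the article or from any backup product: the snapshot inventory, the log layout, the 12-hour dwell margin and the symptom time are all constructed assumptions, since real products expose their own APIs and log formats.

```python
"""Backup sanity checks before a restore: an added example, not code from the article.
The snapshot inventory, the log layout and the 12-hour dwell margin are constructed
assumptions; real backup products expose their own APIs and log formats."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed inventory: (snapshot name, taken_at, reachable from the infected host?)
SNAPSHOTS = [
    ("daily-2024-03-01", datetime(2024, 3, 1, 2, 0, tzinfo=UTC), False),
    ("daily-2024-03-02", datetime(2024, 3, 2, 2, 0, tzinfo=UTC), True),
    ("daily-2024-03-03", datetime(2024, 3, 3, 2, 0, tzinfo=UTC), True),
    ("hourly-2024-03-03T09", datetime(2024, 3, 3, 9, 0, tzinfo=UTC), True),
]
# Constructed backup-job log in a "timestamp ACTION detail" layout.
LOG_LINES = """\
2024-03-02T02:00:00Z SNAPSHOT_CREATED snapshot=daily-2024-03-02
2024-03-03T08:41:02Z DELETE snapshot=weekly-2024-02-25 user=svc_backup
2024-03-03T08:41:05Z DELETE snapshot=weekly-2024-02-18 user=svc_backup
2024-03-03T08:41:09Z DELETE snapshot=daily-2024-02-29 user=svc_backup
2024-03-03T08:42:30Z JOB_FAILED job=nightly reason=source_files_unreadable
2024-03-03T09:00:00Z SNAPSHOT_CREATED snapshot=hourly-2024-03-03T09
"""
LOG_RE = re.compile(r"^(\S+)\s+([A-Z_]+)\s*(.*)$")
DESTRUCTIVE = {"DELETE", "JOB_FAILED"}   # entries that suggest backups were targeted

def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def attack_window(first_symptom, dwell=timedelta(hours=12)):
    """Encryption usually starts before anyone notices, so the window opens `dwell`
    (an assumed margin) before the first observed symptom and runs up to it."""
    return first_symptom - dwell, first_symptom

def classify_snapshots(snapshots, window):
    """Return (clean restore candidates newest first, [(name, reason)] treated as suspect)."""
    start, _ = window
    clean, suspect = [], []
    for name, taken_at, reachable in sorted(snapshots, key=lambda s: s[1], reverse=True):
        if taken_at >= start:
            suspect.append((name, "taken inside the attack window"))
        elif reachable:
            suspect.append((name, "predates the window but was reachable from the host; verify integrity first"))
        else:
            clean.append(name)
    return clean, suspect

def destructive_events(log_lines, window):
    """Return (timestamp, action, detail) for DELETE/JOB_FAILED entries inside the window."""
    start, end = window
    hits = []
    for line in log_lines.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) not in DESTRUCTIVE:
            continue
        ts = parse_ts(m.group(1))
        if start <= ts <= end:
            hits.append((ts, m.group(2), m.group(3)))
    return hits

def backup_report(first_symptom_iso="2024-03-03T10:30:00Z"):
    """Tie the checks together for the constructed data; the default symptom time is assumed."""
    window = attack_window(parse_ts(first_symptom_iso))
    clean, suspect = classify_snapshots(SNAPSHOTS, window)
    events = destructive_events(LOG_LINES, window)
    return {"window": tuple(t.isoformat() for t in window),
            "restore_candidates": clean, "suspect": suspect,
            "destructive_events": len(events),
            "first_destructive": events[0][0].isoformat() if events else None}
```

With the constructed data, only the snapshot taken two days before the symptom and held on an isolated repository survives as a clean candidate; the newer ones are either inside the window or were reachable from the host and need an integrity check first, and the log shows three snapshot deletions and a failed job inside the window, which is the backup-tampering pattern the text warns about.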

What not to do while verifying ransomware encryption

Verification should not worsen the incident.

A few common actions can destroy evidence or spread the attack.

  • Do not rename suspicious files in bulk before documenting them
  • Do not pay a ransom just to “test” whether decryption works
  • Do not connect the machine to shared drives until it is isolated
  • Do not run random decryptors from untrusted websites
  • Do not reinstall the operating system before preserving forensic evidence if your organization needs incident analysis

If the device is still online, disconnect it from Wi-Fi, Ethernet, and shared storage as soon as possible.

Then notify your security team, managed service provider, or incident response contact.

Practical response checklist after confirmation

Once you are confident files were encrypted, the next step is containment and recovery planning.

A structured response reduces the chance of reinfection and helps preserve evidence for legal, insurance, or forensic use.

  1. Isolate the affected device or segment from the network.
  2. Document file extensions, ransom notes, and the first time symptoms appeared.
  3. Preserve copies of affected files and ransom notes for analysis.
  4. Check backups, snapshots, and cloud version history for clean restores.
  5. Scan other systems for the same indicators of compromise.
  6. Reset credentials that may have been exposed, especially administrator and remote access accounts.

Organizations should also review logs from endpoint detection and response tools, Microsoft Defender for Endpoint, SIEM platforms, firewalls, and remote access gateways to identify the initial entry point.

When to involve a cybersecurity professional

Professional help is advisable when encryption affects multiple systems, servers, virtual machines, or business-critical data.

It is also important when there are signs of data exfiltration, because many ransomware operations now use double extortion.

Bring in incident response support if you need help with:

  • Identifying the ransomware family
  • Determining whether decryption is possible
  • Restoring backups safely
  • Preserving evidence for law enforcement or insurance
  • Validating whether attackers accessed sensitive data

Fast, accurate identification is more valuable than guessing.

If you are unsure how to check if ransomware encrypted files on a live system, prioritize isolation, documentation, and expert review over trial-and-error fixes.