When an organization refuses to pay the ransom for a decryption key after a ransomware attack, and all traces of the infection have been removed, the next critical step is:
Restore critical data from backup: This is the most effective way to recover from a ransomware attack without paying the ransom. Assuming the organization follows good backup practices, the backups predate the infection and are free of it, so they can be restored to bring the systems back into operation.
Scan all of the infected files with up-to-date anti-malware cleaning software: This step is important during the infection removal process but does not address restoring the encrypted files.
Fully patch the server operating systems hosting the fileshares: While this is necessary to prevent future attacks, it does not recover the encrypted files.
Change the files to be read-only: This will not help recover the encrypted data.
Reference: CompTIA A+ 220-1102 Exam Objectives, Section 2.8: Given a scenario, use common data destruction and disposal methods. Best practices for ransomware recovery.