so SQL server has a lock on the mdf/ndf/ldf files because they are in use, so are you really, really sure the mdf was encrypted?
is the database currently up and online, o was the sqlservice stopped so the ransomware could access the files? are you able to take a log backup right now?if you can take a log backup now, you could have a 'tail' backup, that contains all the transactions up to the moment the log backup completes, with no data loss.
what is the recovery model of the database? do you have a chain of backups?
this would be a typical disaster recovery scenario:
restore the the full backup with NO RECOVERY, probably as a new database name so they are side by side.
restore multiple transaction logs, with NO RECOVERY, and the last log would be restore with STOPAT where the time is where you want to get the data up to (ie 2020-09-08 13:17:00)
there are some prerequisites to that restore though!
you can only use the log if the database is in FULL or BULK LOGGED Recovery and you have some full+log backups.
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!