This article isn't about cybersecurity – there are specialized firms and resources for that. We focus on what comes after the attack: what are the real data recovery options, what we encounter in practice, and how the right steps in the first hours can significantly improve your chances of recovery. We draw on cases that have passed through our lab over the past several years.

What is ransomware and why is it more dangerous today

Ransomware is malicious software that encrypts data on a computer, server, or across an entire corporate network and demands a ransom – usually in cryptocurrency – to restore access. It's not a single virus but an entire category of malicious code encompassing hundreds of different families and thousands of variants.

Compared to the situation a few years ago, practically everything has changed. Today's ransomware is more sophisticated, faster, and more destructive.

Encryption that cannot be broken

Modern ransomware families (LockBit, BlackCat/ALPHV, Akira, RansomHub, and dozens more) use strong, standard cryptography: a symmetric cipher such as AES-256 or ChaCha20 encrypts the file contents with a per-victim or per-file key, and that key is in turn encrypted with the attackers' public key (RSA or Curve25519), so only the holder of the matching private key can unwrap it. The specific implementation differs by group and version, but the result is the same: once encryption has completed and the file keys have been wrapped and wiped from memory, the data cannot be decrypted without the attackers' private key, not with any realistic amount of computing power. This is a fundamental difference from older variants, where the cryptography was often implemented poorly (hard-coded or reused keys, predictable random number generators) and could be broken.

Double extortion

While attackers used to "just" encrypt data and wait for payment, today they first copy (exfiltrate) sensitive data to their servers and only then encrypt it. The victim faces double pressure: even if they restore data from backup, the attackers threaten to publish stolen documents, databases, or personal information. This model is now standard among most professional groups.

Ransomware as a Service (RaaS)

Ransomware-as-a-Service means the attacker doesn't need to be a programmer or security expert. They can simply rent a ready-made ransomware kit that includes encryption tools, a victim management system, and instructions. The platform operator then receives a share of the ransom. The result is a dramatic increase in the number of attacks – targeting businesses of all sizes, hospitals, schools, manufacturers, and individuals.

Time works against the victim

The median time from an attacker's initial network intrusion to ransomware deployment has dropped dramatically in recent years. According to security firm data, in 2025 it was around 3 days – and for sophisticated groups it can be a matter of hours. In fully automated attacks, encryption can be launched within minutes of the initial breach. This means the window for detection and response is very narrow.

When is there a chance to recover data – and when is it too late

This is the key question clients come to us with. The answer isn't black and white – it depends on the specific ransomware variant, how far the attack progressed, and the steps the user or IT department took after discovering the attack.

Situations where recovery is realistic

Encryption didn't complete fully. If the attack was detected in time and the system was shut down or disconnected from the network, the ransomware may have encrypted only some files or only certain drives. Unencrypted data can usually be recovered without issues. Even partially encrypted files may have recoverable fragments – depending on the file type and encryption method.

Older or weaker ransomware variant. There are hundreds of variants for which security firms or law enforcement have obtained decryption keys or discovered weaknesses in the encryption implementation. The No More Ransom project – a joint initiative of Europol, Kaspersky, and others – offers over 170 free decryption tools covering more than 150 ransomware families. Emsisoft, Avast, and Trend Micro provide dozens more. If such a tool works for your data, it's the easiest path to recovery.

Shadow copies remained intact. Modern ransomware typically tries to delete Windows shadow copies (Volume Shadow Copy Service, VSS), because files could otherwise simply be restored from them. This does not always succeed: deleting shadow copies requires administrator privileges, so ransomware running as an ordinary user cannot do it, and an attack interrupted early may never have reached that step. Whether any snapshots survive can be checked from an elevated command prompt with vssadmin list shadows. If they exist, data can be restored directly from them.

Only part of a RAID or NAS was affected. In disk arrays (RAID) and network-attached storage (NAS), not every volume or share is necessarily affected equally, for example when the compromised host had access to only some of the shares. And because ransomware usually works through the file system (reading a file, writing the encrypted version, then deleting or renaming the original), the original blocks are not always overwritten. Data that appeared lost can then sometimes be recovered by reconstructing the array and analysing the raw data on the member drives.

Some variants only partially encrypt. Many ransomware variants don't encrypt entire files for speed reasons. Some encrypt only the beginning of a file (the first few kilobytes), others encrypt every nth data block – for example, 16 bytes every 512 bytes, or 1 MB while skipping the next 2 MB. The specific implementation varies by group and version. For large files – videos, databases, virtual disks – a substantial portion of content may be recoverable, though not always in a usable form.

Situations where recovery is very difficult or impossible

Complete encryption by a modern variant. If ransomware such as LockBit 3.0, BlackCat, Akira, or similar has completed encryption of all drives and deleted shadow copies, data cannot be recovered without the decryption key. No lab in the world can break properly implemented modern encryption – whether AES, ChaCha20, or another strong cipher. It's important for clients to hear this straight – promising miracles would be dishonest.

Backups were also encrypted. Professional ransomware groups deliberately seek out and encrypt backups – connected external drives, network backup storage, sometimes even cloud backups if the compromised system had access credentials. If everything including backups is encrypted, options are minimal.

Destructive variants (wipers). Some malware poses as ransomware but is built to destroy data: it overwrites file contents, partition tables, or entire drives. In such cases there is no key to obtain; the destruction is irreversible. NotPetya (2017) is the best-known example: it displayed a ransom note, but the "installation key" it showed was random data, so no payment could ever have produced a working decryptor. Several similar variants have appeared around geopolitical conflicts since.

What to do immediately after an attack

The right response in the first minutes and hours after discovering an attack can fundamentally affect the outcome. The following steps apply to both businesses and individuals.

Important: don't panic and don't make hasty decisions. Many of the damages we see in the lab were caused by panic reactions – not by the ransomware itself.

1. Disconnect the affected device from the network – but don't turn it off

Immediately disconnect the network cable and turn off Wi-Fi. This prevents further spread of the ransomware to other devices on the network. But if possible, don't turn the computer off, and don't reboot or log off either. Encryption keys may still be present in RAM (operational memory), and a specialist can capture the memory and try to extract them. Once the computer is powered off, that memory content is irretrievably lost. However, if you don't have access to a specialist who can capture memory within hours, and the ransomware is still actively encrypting, stopping further damage matters more: it's better to turn the computer off.

2. Document what you see

Photograph the screen with the ransom demand (ransom note). Record the extension that encrypted files have been given (e.g. .lockbit, .akira), and note whether it is the same on every file or looks random, as some families use random extensions. Note the time you discovered the problem and what preceded it: an email attachment opened, a remote-access login, an update installed. This information is crucial for identifying the variant and determining the next steps.

3. Identify the ransomware variant

On the ID Ransomware website (https://id-ransomware.malwarehunterteam.com/), you can upload the ransom note and a sample encrypted file and within seconds find out which family you're dealing with. This information is essential: it determines whether a decryption tool exists, how the ransomware behaves, and what recovery options are available.

4. Check if a decryption tool exists

After identifying the variant, check the No More Ransom project's catalogue of decryption tools and the free decryptor pages of Emsisoft, Avast, and Trend Micro mentioned above; the ID Ransomware result also states whether a known decryptor exists for the identified family.

If a tool exists, follow the included instructions. Be careful, though: a tool for the wrong variant can damage your data. Make sure it matches your exact variant, test it on copies of a few encrypted files first, keep the original encrypted files untouched, and check that the output actually opens as the expected file type before processing everything.

5. Don't delete ransom notes or encrypted files

The ransom note contains identifiers that may be needed for decryption. The encrypted files themselves are evidence and may be used in later analysis. If a decryption tool appears later (sometimes months after the attack, following law enforcement action), you'll need them.

6. Contact specialists

If no decryption tool exists and you don't have a working backup, contact a specialized firm. Ideally two: one focused on cybersecurity (incident response – breach analysis, evidence preservation, network security) and one on data recovery (analyzing the state of data on drives, searching for recoverable fragments). Don't hesitate to contact us – a free consultation will help you get oriented in your situation.
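As an added illustration of steps 2 to 5 (this is not the article's own tooling and nothing EXALAB ships), here is a small read-only Python triage script. It walks a directory tree, tallies which extension was appended to files with stacked names such as report.docx.lockbit, picks out likely ransom notes by name and wording, collects a few sample paths to upload to ID Ransomware, and records the first and last modification time of the renamed files, which gives a rough encryption window for the timeline. The note heuristics, the list of "inner" document extensions and the sample directory it builds are assumptions for the example; point triage() at the real tree instead.

```python
"""Read-only triage of a directory tree after a ransomware incident.

Added example for steps 2 to 5 above; not the article's or EXALAB's own tooling.
It only reads names and metadata: nothing is modified, moved or deleted.
"""
import json
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Heuristics for ransom notes (assumptions for illustration, not a catalogue of
# real families): a suggestive file name plus at least two typical phrases.
NOTE_NAME_RE = re.compile(r"readme|restore|recover|decrypt|how_to|help", re.I)
NOTE_WORDS = ("decrypt", "bitcoin", "ransom", "tor browser", "your files", "private key")
# Inner extensions that reveal a stacked name such as report.docx.lockbit (assumed list).
KNOWN_INNER = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".sql", ".vmdk", ".mdf", ".bak"}


def looks_like_note(path, size):
    """True if the file is small, suggestively named and contains ransom wording."""
    if size > 64 * 1024 or not NOTE_NAME_RE.search(os.path.basename(path)):
        return False
    try:
        with open(path, "rb") as fh:
            text = fh.read(8192).decode("utf-8", "ignore").lower()
    except OSError:
        return False
    return sum(word in text for word in NOTE_WORDS) >= 2


def triage(root, sample_limit=3):
    """Walk `root` and summarise: total files, which extension was appended and how
    often, likely ransom notes, a few sample paths to upload to ID Ransomware, and
    the first/last modification time of renamed files (the encryption window)."""
    all_ext, appended = Counter(), Counter()
    notes, samples = [], []
    first = last = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable entries are skipped, never "repaired"
            stem, outer = os.path.splitext(name)
            outer, inner = outer.lower(), os.path.splitext(stem)[1].lower()
            all_ext[outer] += 1
            if looks_like_note(path, st.st_size):
                notes.append(path)
                continue
            if inner in KNOWN_INNER and outer and outer != inner:
                appended[outer] += 1
                if len(samples) < sample_limit:
                    samples.append(path)
                first = st.st_mtime if first is None else min(first, st.st_mtime)
                last = st.st_mtime if last is None else max(last, st.st_mtime)

    def iso(ts):
        return None if ts is None else datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "total_files": sum(all_ext.values()),
        "appended_extensions": dict(appended),
        "renamed_count": sum(appended.values()),
        "first_renamed": iso(first),
        "last_renamed": iso(last),
        "ransom_notes": sorted(notes),
        "samples_for_upload": samples,
    }


def build_sample_tree():
    """Constructed sample data, not a real incident: three renamed files with
    fixed timestamps, one untouched file and one ransom note."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    os.makedirs(os.path.join(root, "finance"))
    t0 = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc).timestamp()
    layout = {
        "finance/q1.xlsx.lockbit": (b"\x9f\x31" * 200, t0),
        "finance/invoice.pdf.lockbit": (b"\x7a\xc4" * 200, t0 + 300),
        "report.docx.lockbit": (b"\x11\xee" * 200, t0 + 420),
        "notes.txt": (b"plain text, never touched", t0 - 86400),
        "RESTORE-MY-FILES.txt": (b"Your files are encrypted. To decrypt them, pay in bitcoin.", t0 + 421),
    }
    for rel, (content, mtime) in layout.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

Run it against a copy of the share or a read-only mount, not the live system. The first/last timestamps of the renamed files are what an incident responder will ask for first: they bound when encryption ran, which narrows the search for the initial access in logs.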

Mistakes that reduce or eliminate recovery chances

In our lab, we regularly see cases where the right approach could have led to successful data recovery – but an ill-advised intervention by the user or an IT service irreversibly worsened the situation.

Formatting the drive and reinstalling the system

The most common and most destructive mistake. The IT department or service reinstalls the operating system on the affected drive, overwriting a large portion of data – including potentially recoverable files, shadow copies, and file system structures that specialists need for reconstruction. If you need to get a system running, install it on a different drive. Leave the affected drive untouched.

Running CHKDSK or file system repair tools

CHKDSK (Windows) and fsck (Linux) are file system repair tools, not data recovery tools. After a ransomware attack they serve no purpose: the file system isn't "damaged", the data is encrypted, and neither tool looks at file contents at all. What they do look at is metadata, and an attack that was interrupted mid-run can leave it inconsistent (orphaned MFT records, allocation bitmaps that don't match the files on disk, half-completed renames). CHKDSK will "repair" those by rewriting MFT entries and allocation records, which is exactly the material specialists need in order to reconstruct what was there before. With the /r parameter it also reads the entire drive surface sector by sector, unnecessarily stressing the hardware. Simply put: don't run CHKDSK on a drive affected by ransomware.

Attempting decryption with the wrong tool

Using a decryption tool built for a different ransomware variant can do further damage. If the tool overwrites files in place with the output of a wrong key, their contents are altered, and later correct decryption becomes impossible even with the right tool. Always verify the exact variant before running anything, work on copies of a few encrypted files first, keep the originals untouched, and check that the output actually opens as the expected file type before processing everything.
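For the "wrong tool" risk raised in step 4 and again here, the following added Python example (not a real decryptor and not EXALAB's code) shows the safe way to drive any decryptor: copy the encrypted file, decrypt the copy, verify the result against the expected file signature, and only then write the output next to the original, which is never touched. The decryptor passed in is a hypothetical XOR stand-in for a vendor tool; real tools use AES/ChaCha20 keys wrapped with RSA. The signature table is a small illustrative subset, and the sample "encrypted" PDF is constructed.

```python
"""Drive a decryptor safely: copies only, verify before keeping the output.

Added example, not a real decryptor and not EXALAB's code. The decryptor passed
in is a hypothetical stand-in for a vendor tool (here XOR, so the example needs
no crypto library; real tools use AES/ChaCha20 with RSA-wrapped keys).
"""
import os
import shutil
import tempfile

# File signatures of common types: an illustrative subset (assumption), not a
# complete list. Types outside it are rejected rather than guessed.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
}
TEXT_TYPES = {".txt", ".csv", ".log", ".sql", ".xml", ".json"}


def plausible_plaintext(data, ext):
    """Does `data` look like an intact file of type `ext`? Signature check for
    known binary types, printable-ratio check for text types, otherwise False."""
    sig = MAGIC.get(ext)
    if sig is not None:
        return data.startswith(sig)
    if ext in TEXT_TYPES:
        sample = data[:4096]
        if not sample:
            return False
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
        return printable / len(sample) > 0.95
    return False


def safe_decrypt(encrypted_path, appended_ext, decryptor, out_dir):
    """Copy the encrypted file into out_dir, decrypt the copy, keep the result only
    if it verifies. Returns (ok, output_path). The original is never modified."""
    name = os.path.basename(encrypted_path)
    if not name.endswith(appended_ext):
        raise ValueError(f"{name} does not carry the expected {appended_ext} extension")
    original_name = name[:-len(appended_ext)]
    ext = os.path.splitext(original_name)[1].lower()
    os.makedirs(out_dir, exist_ok=True)
    work = os.path.join(out_dir, name + ".work")
    shutil.copy2(encrypted_path, work)          # the tool only ever sees this copy
    with open(work, "rb") as fh:
        blob = fh.read()
    try:
        plain = decryptor(blob)
    except Exception:                           # a crashing tool is a failed attempt, nothing more
        plain = None
    os.remove(work)
    if plain is None or not plausible_plaintext(plain, ext):
        return False, None                      # wrong variant / wrong key: nothing is kept
    out = os.path.join(out_dir, original_name)
    with open(out, "wb") as fh:
        fh.write(plain)
    return True, out


def xor_stand_in(key):
    """Hypothetical decryptor used only so the example runs; not a real cipher."""
    return lambda blob: bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def demo_dir():
    return tempfile.mkdtemp(prefix="safe_decrypt_")


def build_sample(dirpath):
    """Constructed input: a fake PDF 'encrypted' with the stand-in and saved under
    an appended extension, as a locker would leave it."""
    plain = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    enc = xor_stand_in(b"right-key")(plain)
    path = os.path.join(dirpath, "contract.pdf.lockbit")
    with open(path, "wb") as fh:
        fh.write(enc)
    return path, enc


if __name__ == "__main__":
    src = demo_dir()
    path, _ = build_sample(src)
    out_dir = os.path.join(src, "out")
    print(safe_decrypt(path, ".lockbit", xor_stand_in(b"wrong-key!"), out_dir))   # (False, None)
    print(safe_decrypt(path, ".lockbit", xor_stand_in(b"right-key"), out_dir))    # (True, '.../contract.pdf')
```

The two design choices that matter: the tool never receives a path to an original, and the verdict is based on what the output looks like, not on whether the tool reported success. Run a real decryptor through the same pattern on three or four files before letting it loose on a whole share.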

Deleting encrypted files

Users sometimes panic and delete encrypted files or ransom notes, thinking they're "cleaning" the system. But this means losing data that could later be decrypted – either with an existing tool or one created in the future after attackers are arrested or keys leak.

Delaying action

Time matters especially in cases where ransomware didn't complete encryption or where there's a chance to extract keys from memory. Each day of delay reduces the probability of saving data that would otherwise have been recoverable.

Pay the ransom? A realistic perspective

The general recommendation from security firms and law enforcement is clear: don't pay. And there are good reasons for this. Payment funds further attacks, motivates attackers to continue, and there's no guarantee you'll actually get your data back.

Statistics confirm this. According to a 2024 Cybereason study, approximately half of organizations that paid the ransom did not get their data back intact – they either received a non-functional decryption tool, decryption was only partially successful, or the attackers stopped communicating after payment. Sophos data from 2025 shows that of organizations whose data was encrypted, 49% paid the ransom – but overall 97% of organizations eventually recovered their data, in most cases from backups or through other means without paying.

On the other hand, it must be acknowledged that for a company facing existential data loss – accounting records, project documentation, customer databases – the decision is more complex than it appears from a theoretical perspective. We won't advise you to pay. But we strongly recommend that you exhaust all other options before making any decision to pay: backups, decryption tools, professional analysis of data on the drives.

In many cases we've handled, it turned out that data was at least partially recoverable – and the client didn't have to pay anything. Sometimes all it took was having someone who knows where and how to look examine the problem.

How we help at EXALAB

We're not a cybersecurity firm and we don't offer incident response in the sense of network security. Our work begins where security specialists' work ends – with the actual data on the drives.

Variant analysis and encryption scope assessment

The first step is always precise identification of the ransomware variant and assessment of the damage scope. We determine whether encryption was completed, whether a decryption tool exists, and whether there are recoverable unencrypted data fragments on the drives.
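To make the scope assessment concrete, and the intermittent-encryption patterns described earlier (a few kilobytes at the start of a file, or a fixed stripe every n bytes), the following Python example, added for this article and not EXALAB's tooling, computes a per-block Shannon entropy profile of a file, collapses it into encrypted and unencrypted runs, lists the ranges still worth carving, and detects a regular stripe period. The block size, the 7.2 bits-per-byte threshold and the four constructed sample files are assumptions. One caveat a practitioner needs: formats that are already compressed when intact (ZIP/DOCX, JPEG, MP4) score as high entropy anyway, so for them this profile cannot tell encrypted from untouched; it is informative for text, databases with sparse pages and virtual disks with large zero-filled regions.

```python
"""Per-block entropy profile of one file: fully, partially or not encrypted?

Added example, not EXALAB's tooling. Block size, the entropy threshold and the
constructed sample files are assumptions. Caveat: formats that are compressed
when intact (ZIP/DOCX, JPEG, MP4) already score as 'high', so this cannot tell
encrypted from untouched for them.
"""
import math
import random
from collections import Counter

BLOCK = 512   # analysis granularity in bytes (assumed; matches the "every 512 bytes" pattern above)
HIGH = 7.2    # bits per byte; random data scores ~7.6+ at this block size, prose ~4-5 (assumed cut-off)


def shannon_entropy(buf):
    """Shannon entropy in bits per byte of a byte string."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def runs_of(data, block=BLOCK, high=HIGH):
    """Collapse the per-block profile into runs: (start, end, 'high'|'low')."""
    runs = []
    for start in range(0, len(data), block):
        end = min(start + block, len(data))
        label = "high" if shannon_entropy(data[start:end]) >= high else "low"
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], end, label)
        else:
            runs.append((start, end, label))
    return runs


def assess(data, block=BLOCK, high=HIGH):
    """Verdict plus the byte ranges worth carving and any regular stripe period."""
    runs = runs_of(data, block, high)
    high_bytes = sum(e - s for s, e, label in runs if label == "high")
    ratio = high_bytes / max(len(data), 1)
    if ratio >= 0.98:
        verdict = "fully encrypted"
    elif ratio <= 0.02:
        verdict = "not encrypted"
    else:
        verdict = "partially encrypted"
    # Intermittent encryption shows up as high runs starting at a fixed interval.
    starts = [s for s, _e, label in runs if label == "high"]
    gaps = {b - a for a, b in zip(starts, starts[1:])}
    period = gaps.pop() if len(starts) >= 3 and len(gaps) == 1 else None
    return {
        "verdict": verdict,
        "encrypted_ratio": round(ratio, 3),
        "low_entropy_bytes": len(data) - high_bytes,
        "recoverable_ranges": [(s, e) for s, e, label in runs if label == "low"],
        "stripe_period": period,
    }


def build_samples():
    """Constructed inputs (not victim data): 16 KiB of prose, and three 'encrypted'
    versions made with a seeded PRNG standing in for ciphertext."""
    rng = random.Random(2025)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    sentence = b"Quarterly revenue by region, reviewed by finance on Monday morning.\n"
    plain = (sentence * 400)[:16384]
    striped = bytearray(plain)                       # 1 KiB encrypted out of every 4 KiB
    for off in range(0, len(striped), 4096):
        striped[off:off + 1024] = noise(1024)
    return {
        "plain": plain,
        "full": noise(len(plain)),
        "intermittent": bytes(striped),
        "header_only": noise(4096) + plain[4096:],    # only the first 4 KiB encrypted
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        r = assess(data)
        print(f"{name:13s} {r['verdict']:21s} ratio={r['encrypted_ratio']} period={r['stripe_period']}")
```

On a real drive this is run per file over a forensic image, never on the original media; the recoverable_ranges output is what decides whether carving a large database or virtual disk is worth the effort.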

Working with raw data structures

Even on a drive where files are encrypted, recoverable data may exist. Previous file versions that weren't overwritten. Temporary copies created by applications. Shadow copies that the ransomware didn't manage to delete or failed to delete. Database transaction logs. Data in a RAID array where not all drives were equally affected. This is where our experience from daily work with data recovery from damaged media directly applies.

RAID and NAS data reconstruction

For affected network-attached storage (NAS) and disk arrays (RAID), the situation may be more favourable than it first appears. Ransomware works through the file system: it reads a file, writes the encrypted version and then deletes or renames the original. Depending on how the variant writes, the original's blocks may never have been overwritten, and on a NAS only the shares reachable from the compromised host may have been touched. Through RAID array reconstruction and analysis of the raw data on the member drives, it is sometimes possible to recover a significant portion of files.

Realistic expectation setting

We'll always tell you straight what the chances are. If modern ransomware completed full encryption and deleted shadow copies, we won't promise the impossible. We perform diagnostics free of charge – and if we determine that data cannot be recovered, we'll tell you without unnecessary delay. You don't pay for an unsuccessful attempt.

Prevention – what actually works

This article isn't primarily about prevention – specialized resources exist for that. Still, we'll mention a few points we consider most important from a data recovery perspective.

Backup separated from the network

The most effective defense against ransomware is a backup that the ransomware cannot reach. This means a backup on media that isn't permanently connected to the computer or network – a so-called offline or air-gapped backup. It could be an external drive that you connect only for the duration of the backup and then physically disconnect. Or a dedicated backup solution with immutable snapshots that cannot be overwritten or deleted for a specified period.

Synchronization is not backup

Cloud synchronization services (OneDrive, Google Drive, Dropbox) are not a backup against ransomware. If ransomware encrypts files on your computer, the sync client faithfully uploads the encrypted versions, and the originals survive only as long as the service's version history keeps them. Some services offer file version history or a ransomware rollback feature, which may help, but relying on this as your only protection is risky. Read more about proper backup practices in our article Data Backup.

Basic measures that significantly reduce risk

  • System and software updates – vulnerabilities in outdated, internet-exposed software (VPN appliances, remote access gateways, mail servers) are among the most common entry points for ransomware.
  • Multi-factor authentication (MFA) – especially for remote access (RDP, VPN), email accounts, and administrator accounts.
  • Email vigilance – phishing remains one of the main ways ransomware spreads. Don't click links or open attachments from unknown senders.
  • Network segmentation – separate backup infrastructure from the regular corporate network so that potential ransomware can't reach backups from a compromised computer.

Frequently asked questions – FAQ

Can ransomware be decrypted without paying the ransom?

It depends on the variant. For older or less sophisticated variants, free decryption tools exist – the No More Ransom project offers over 170. For modern variants with properly implemented encryption, data cannot be decrypted without the key. Even then, however, other recovery paths may exist – unencrypted fragments, shadow copies, RAID array data. These are exactly the options we evaluate during our free diagnostics.

Can EXALAB decrypt the data?

We don't break encryption. No lab in the world can break properly implemented modern encryption. What we can do is analyze the state of data on the drives and look for recovery paths outside the encrypted layer – shadow copies, previous file versions, unencrypted fragments, RAID array reconstruction. In many cases, this allows us to recover data that the client believed was irretrievably lost.

How do I identify which ransomware attacked me?

The quickest way is the ID Ransomware service, where you upload the ransom note or a sample encrypted file. The service identifies the variant within seconds and tells you whether a decryption tool exists. You can also look at the extension the ransomware added to encrypted files (e.g. .lockbit, .akira) – but note that some variants use random extensions.

Is data recovery from a ransomware-affected drive worthwhile?

Yes, but not in the sense of "breaking encryption." What's worthwhile is analyzing what remained unencrypted on the drive, or what the ransomware didn't manage to delete. If encryption didn't complete fully, if shadow copies survived, if it's a RAID array where not all drives are affected – in these cases professional data recovery makes sense. Our diagnostics are free and you'll learn what the realistic options are.

Does antivirus protect me from ransomware?

Quality antivirus software and EDR (Endpoint Detection and Response) tools significantly reduce the risk of infection. However, they can't guarantee 100% protection – especially against newly created variants not yet in databases. That's why antivirus is an important but not sole layer of protection. Regular backup to offline media is irreplaceable.

Need advice or help with data recovery after a ransomware attack? We perform diagnostics free of charge and without obligation. Contact us at +420 608 177 773 – we'll help you assess the situation and determine the realistic options for recovering your data.