Encrypted files, a note demanding cryptocurrency, a countdown clock — ransomware is engineered panic, and panic is exactly what the attacker is counting on. The answer is method, not haste: isolate what’s infected, pay nobody, and let a systematic recovery establish what can come back without funding the next attack. Our own bench runs that method for homes and businesses across Yorkshire.
$ ldr mount /dev/md0 → Device: HP RAID 10 (4 × SAS) → Status: RANSOMWARE — volume encrypted → Client: confidential · York $ ldr array-rebuild → Array: isolated from network → Members: forensically imaged → Decryption: known strain · unlocked $ ldr verify → ✓ business_data — 98% restored → ✓ ransom — £0 paid → ✓ operations — resumed
Disconnect infected machines from network and internet — ransomware spreads to every share and drive it can reach, and NAS boxes are prime targets. Don’t wipe, don’t ‘clean up’, don’t reinstall — the encrypted files, the note and the malware itself are all evidence the recovery needs. Don’t pay: payment funds the industry, marks you as a payer, and returns working decryption far less reliably than the note promises. Report it — Police Yorkshire on 101 and the NCSC take these seriously — then get the affected media to the bench, powered off, for assessment.
Getting files back after ransomware is layered work, and they rarely come from one place. First, identification: the note, the file extensions and a few samples tell us the strain, and where researchers have already broken it a free decryptor exists — that happens far more often than the attackers would like you to know. Then what the encryption missed: interrupted runs, skipped folders, files that were open or in awkward locations, whole file types the malware simply ignored. Then shadow copies and snapshots, which the sloppier strains fail to purge. Then deleted originals — most variants encrypt a copy and delete your file, which quietly makes this partly a deleted-file recovery, run against a hostile clock. And finally backup archaeology: the archive everyone had written off is often more intact than feared. It is unglamorous, methodical work, and it is how the files come back without a penny reaching the attacker.
Our advice is firm: don’t. Payment is unreliable — broken decryptors, partial keys and repeat extortion are all common — it funds the next attack, and it can raise legal issues depending who's behind the strain. Let assessment establish what recovers without paying — frequently more than the panic suggests.
Often, yes — and a NAS actually gives us more to work with: snapshots the strain failed to purge, and deleted originals sitting in the free space on the volumes. Power it down, resist the urge to factory-reset it, and send the labelled disks. NAS-targeted strains are a bench staple now.
Yes — identification from the note, extensions and samples is step one, checked against current decryptor availability. When a decryptor exists we use it as part of the job; when it doesn't, the other recovery strata still apply. Either way you know before spending.