Not every attack arrives with a ransom note. Malware hides files, corrupts whatever it touches, and often enough the cleanup does more damage than the infection — antivirus quarantines swallowing documents, panicked resets wiping drives, ‘fixes’ that fixed the data away. This service recovers what the infection and its aftermath left behind.
$ ldr mount /dev/md0 → Device: HP RAID 10 (4 × SAS) → Status: RANSOMWARE — volume encrypted → Client: confidential · York $ ldr array-rebuild → Array: isolated from network → Members: forensically imaged → Decryption: known strain · unlocked $ ldr verify → ✓ business_data — 98% restored → ✓ ransom — £0 paid → ✓ operations — resumed
Beyond encryption (which has its own page), infections hurt files four ways. Hiding: whole folders flipped to hidden-and-system — the USB-stick classic where everything ‘vanishes’ but nothing left. Corruption: injectors and wipers damaging what they touched, from Office macros to boot structures. Deletion: destructive strains, or the malware clearing tracks. And collateral: the biggest category — quarantine folders holding your files hostage, system restores rolling back your documents, factory resets applied in fright. Rule for right now: once you suspect infection and data matters, stop cleaning and start preserving — image first, disinfect after. Cleanup on the only copy is where recoverable becomes gone.
Infected media is treated as infected: imaged on isolated systems, never booted, with every recovery step running on copies while the original stays quarantined. Recovered files are checked before return — you get your documents back, not the passenger that came with them — and we’ll flag what the infection actually was when it’s identifiable, which often answers the ‘how did this happen’ question. If the machine still runs and you’re mid-panic: power it off at the button, nothing more. Everything after that point goes better on the bench.
Usually, yes. Quarantine is containment rather than destruction — the files are moved and encoded, not erased. Recovery extracts them, verifies they're your documents rather than droppers, and returns them clean. Bring the machine or drive before any 'purge quarantine' housekeeping runs.
Textbook case: a worm has flipped your folders to hidden, often leaving shortcut decoys in their place. The data is still there. Recovery unhides and cleans it properly — resist the urge to click the shortcuts, which is how the worm boards your machine too.
It depends what the reset actually did. Many ‘remove everything’ resets amount to a quick format plus a reinstall, which leaves the old data partly recoverable underneath. Stop using the machine immediately — every update it downloads lands on your documents — and let the diagnostic map what survived.