Ransomware Data Recovery

Have you been infected with ransomware?

Data recovery ranges from the simple to the complex, and recovery after a ransomware attack is among the most challenging cases. If you are affected, you need not panic: our experts have years of experience recovering data from ransomware incidents.

Single Disk System – £995 – 4-6 days

Multi Disk System – from £1495 – 5-7 days

Critical Service – from £1795 – 2-3 days

Need help recovering your data?

Call us on 01603 512246 or use the enquiry form to make an enquiry. Opening hours: Monday-Friday, 9am-6pm.

Norwich Data Recovery — Ransomware Decryption & Forensic Investigation

25 years’ experience delivering advanced ransomware attack data recovery and forensic investigation for laptops, desktops, external drives, workstations, NAS, and RAID servers. We handle encrypted files, partial encryption, and full system lockdowns across common families including WannaCry, LockBit, REvil/Sodinokibi, Conti, Phobos, STOP/Djvu, BlackCat/ALPHV, and many more.

Free diagnostics as standard and an optional Critical Service (typically 48 hours) for urgent incidents. We operate with chain-of-custody, evidence handling, and written methodologies suitable for insurer and legal review.


How We Work (Incident-Safe Workflow)

  1. Contain & Preserve – We guide isolation (no reboots, no “cleanup”) and capture system state (volatile memory where possible), ransomware notes, samples, logs, and indicators.

  2. Forensic Imaging First – Bit-level, read-only imaging of affected media and critical systems (including RAID/NAS members) for safe offline work.

  3. Family Identification & Feasibility – Classify strain/variant, extension, note syntax, crypto primitives; check known decryptors/keys; assess partial-encryption patterns.

  4. Parallel Tracks – (a) Decryption attempts (keys/weaknesses), (b) Data restoration from snapshots, journals, versioning, WALs, caches, and carved artefacts.

  5. Validation & Handover – Hash-verify, sample-test, and deliver data via secure transfer. Optional forensic report, IOC set, and recovery recommendations.


Systems & File Systems

Windows / macOS / Linux, VMware/Hyper-V hosts, Synology/QNAP/TrueNAS.
NTFS, ReFS, APFS, HFS+, ext4, XFS, Btrfs, ZFS, LVM/MD RAID, Windows Storage Spaces, Apple Fusion, BitLocker, FileVault, LUKS/dm-crypt.


Top 40 Ransomware Decryption & Data-Recovery Techniques (Technical)

We use professional toolchains and controlled lab methods. Decryption is attempted only on images/clones—never on your original media.

Identification & Crypto Feasibility

  1. Family/Variant Fingerprinting – Classify by file extension, ransom note grammar, mutexes, and dropped artefacts; map to known crypto (e.g., AES-CTR/CFB + RSA/EC keywrap).

  2. Known Decryptor/Key Check – Query vetted key/decryptor repositories; test on copies; verify via per-file hash diffs to prevent silent corruption.

  3. Partial-Encryption Pattern Mapping – Detect N-kilobyte chunking/head-tail encryption; salvage unencrypted interior blocks, reconstruct large files (PST/VHDX/DBs).

  4. Keystream Reuse Detection (stream ciphers) – Identify nonce/IV reuse; recover plaintext via XOR of two ciphertexts when patterns permit.

  5. Weak PRNG/Keygen Analysis – Audit entropy sources in captured sample; attempt keyspace pruning when time-seeded or flawed PRNGs are present.

  6. Faulty RSA/EC Implementation Checks – Look for n/c parameter reuse, vulnerable padding, or side-channel artefacts; attempt partial key recovery where feasible.

  7. Misused Crypto Libraries – Detect improper IVs, static salts, or predictable KDF parameters enabling dictionary attacks.
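The partial-encryption mapping in item 3 can be illustrated with a per-chunk entropy scan: encrypted bytes look uniformly random (close to 8 bits per byte), while ordinary documents sit far lower, so a chunk-by-chunk entropy map shows which regions of a file were touched. The Python below is an added example written for this page, not the company's own tooling; the 4 KiB chunk size, the 7.0 bits/byte threshold and the sample file (random "encrypted" head and tail around a repetitive plaintext body) are all constructed assumptions. It is deliberately run on an in-memory clone, never on original media, matching the workflow above.

```python
import math
import random
from collections import Counter

CHUNK = 4096         # assumption: analysis granularity; head/tail sizes are often 4 KiB multiples
HIGH_ENTROPY = 7.0   # assumption: bits/byte above which a chunk is treated as encrypted/compressed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_map(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY):
    """Return one (offset, length, entropy, looks_encrypted) tuple per chunk."""
    result = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        e = shannon_entropy(piece)
        result.append((off, len(piece), e, e >= threshold))
    return result


def salvageable_ranges(cmap):
    """Merge consecutive low-entropy chunks into (start, end) byte ranges worth salvaging."""
    ranges = []
    for off, length, _e, enc in cmap:
        if enc:
            continue
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + length)
        else:
            ranges.append((off, off + length))
    return ranges


def classify_pattern(cmap):
    """Label the encryption layout: full, none, head-only, head-tail or interleaved."""
    flags = [enc for *_, enc in cmap]
    if all(flags):
        return "full"
    if not any(flags):
        return "none"
    if flags[0] and not any(flags[1:]):
        return "head-only"
    if flags[0] and flags[-1] and not any(flags[1:-1]):
        return "head-tail"
    return "interleaved"


def build_sample(seed: int = 1) -> bytes:
    """Constructed test file: random head and tail chunk around 10 chunks of plain text."""
    rng = random.Random(seed)
    line = b"Quarterly report: revenue figures and notes.\n"
    body = (line * (10 * CHUNK // len(line) + 1))[:10 * CHUNK]
    head = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    tail = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return head + body + tail


if __name__ == "__main__":
    cmap = chunk_map(build_sample())
    print("pattern:", classify_pattern(cmap))
    for off, length, e, enc in cmap:
        print(f"{off:>8} {length:>5} {e:5.2f} {'ENC' if enc else 'plain'}")
    for start, end in salvageable_ranges(cmap):
        print(f"salvageable plaintext: bytes {start}-{end}")
```

On a real clone the same map is produced from the file on the imaged disk, and the salvageable ranges are fed to a format-aware reconstructor; compressed formats (ZIP, JPEG, Office) already score high, so for those the map must be read alongside container structure rather than on its own.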

Key Discovery & Credential Paths

  1. Memory Forensics for Keys – Live response or hibernation/swap analysis to extract in-RAM symmetric keys, KDF material, or DPAPI master keys (LSASS).

  2. Keybag/DPAPI/EFS Artefacts – Use domain/backup keys to unlock DPAPI and EFS-protected content; chain to ransomware’s staging artefacts.

  3. Malware Staging Directories – Recover temp keys/configs from %ProgramData%/AppData/TEMP on imaged systems; parse operator config blobs.

  4. C2/Leak Site Intelligence – Correlate variant build-IDs with previously leaked master keys; validate legally obtained intelligence (no system access to threat infra).

  5. Brokered Key Validation – If a client (via legal/insurer direction) obtains a decryptor/key, we test in a sandbox on a cloned set and verify integrity before any wider use.

Snapshot, Versioning & Replication Recovery

  1. Volume Shadow Copy (VSS) Parsing – Low-level mount of VSS snapshots, including where deleted via vssadmin; parse copy-on-write blocks to recover prior versions.

  2. Windows Previous Versions / System Restore – Harvest intact pre-encryption copies of user data; cross-check timestamps to avoid poisoned artefacts.

  3. NAS Snapshots (Btrfs/ZFS/XFS) – Synology/QNAP/NetApp snapshots; clone LUNs read-only; rollback on clones, not production volumes.

  4. ZFS/Btrfs Subvolume Rollbacks – Mount historic snapshots; export intact datasets; verify checksums against merkle/CS.

  5. Cloud Drive Versioning – OneDrive/SharePoint/Google Drive/Dropbox API export of previous file versions; delta-merge verification.

  6. Hypervisor Snapshots (VMware/Hyper-V) – Rebuild VM from snapshot/diff chain (VMDK/AVHDX); re-expose virtual disks for file-level export.

Journals, WALs & Low-Level Reconstruction

  1. NTFS $LogFile / USN Journal (Change Journal) – Reconstruct overwritten metadata and file extents; roll back recent changes to pre-encryption states on clones.

  2. MFT Mirror & Orphan Recovery – Rebuild $MFT from $MFTMirr; re-link orphaned records; carve resident/non-resident attributes.

  3. ReFS Metadata & Integrity Streams – Salvage from object tables and block-clone references; exploit integrity streams where ransomware skipped metadata.

  4. APFS Checkpoints & OMAP – Walk checkpoint superblocks; reconstruct volume object map; mount read-only and export.

  5. HFS+ Catalog/Extents Trees – Rebuild B-trees and overflow; carve allocator patterns for partials.

  6. ext4 Backup Superblocks & Journals – Recover inode tables and directory trees from backups/WAL; export to neutral media.

  7. Database-Centric Recovery – Replay SQL Server/Oracle/PostgreSQL/MySQL logs/WAL; salvage consistent states even when the .mdf/.ndf main files were encrypted.

  8. Email Store Rebuild – Exchange/EDB and Outlook PST/OST restoration using transaction logs and OST-PST conversion on pre-encryption copies.

  9. Large Media/File Carving – Container-aware carving (MP4/MOV/MXF), moov/mdat index repair, and RAW (CR3/NEF/ARW) header rebuild.

RAID, NAS & Enterprise Storage

  1. RAID Virtual Reconstruction – Image all members; detect order/stripe/offset/parity; build virtual array; export pre-encryption blocks from snapshots/replicas.

  2. Storage Spaces/LVM/MD RAID – Rebuild logical volume maps; map back to physical images; avoid in-place imports that could trigger trims.

  3. Object & Scale-Out Stores – Recover from S3-compatible versioning/WORM buckets and on-prem snapshots; bulk export via lifecycle tools.

  4. Copy-on-Write Coalescing – Identify ranges that escaped encryption due to partial writes; stitch with journals to restore continuity.

Malware Behaviour & Partial Failures

  1. Kill-Switch / Logic Errors – Some families skip paths, file types, or locked handles; enumerate exclusions to harvest intact data quickly.

  2. Timeout/Crash Mid-Run – Identify half-encrypted files; combine clean segments with journal data to achieve working copies.

  3. Extension/Rename-Only Variants – Detect fake-encryption campaigns; revert metadata and confirm byte-level integrity.

  4. Sparse/Head-Tail Encryption Reversal – Regenerate missing headers/footers with format-aware synthesis (e.g., ZIP, Office, PDF) to restore usability.
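Item 3 (rename-only variants) and item 4 (missing headers) both start from the same triage question: does the file still begin with the signature its original extension implies? The Python below is an added example written for this page, not the company's tooling. It assumes the common convention of a ransom extension appended to the original name (report.docx.locked), a small constructed signature table, and a constructed directory of three sample files; a lab table would cover far more formats, and variants that replace rather than append the extension need the format guessed from content instead.

```python
import os
import tempfile

# Constructed signature table (assumption: enough for the demo, not a complete list).
SIGNATURES = {
    "pdf":  b"%PDF-",
    "docx": b"PK\x03\x04",   # Office Open XML is a ZIP container
    "xlsx": b"PK\x03\x04",
    "zip":  b"PK\x03\x04",
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpg":  b"\xff\xd8\xff",
}


def split_ransom_extension(name: str, ransom_ext: str):
    """'report.docx.locked' with '.locked' -> ('report.docx', 'docx')."""
    if not name.endswith(ransom_ext):
        return name, None
    original = name[:-len(ransom_ext)]
    _stem, dot, ext = original.rpartition(".")
    return original, (ext.lower() if dot else None)


def classify_file(path: str, ransom_ext: str):
    """Compare the on-disk header with the signature the original extension implies."""
    original, ext = split_ransom_extension(os.path.basename(path), ransom_ext)
    expected = SIGNATURES.get(ext)
    if expected is None:
        return original, "unknown-format"
    with open(path, "rb") as f:
        head = f.read(len(expected))
    if head == expected:
        return original, "rename-only"        # metadata revert is enough; verify bytes after
    return original, "header-encrypted"       # candidate for header synthesis / carving


def triage_directory(root: str, ransom_ext: str):
    """Map each ransomed filename under root to its triage verdict."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.endswith(ransom_ext):
                _orig, verdict = classify_file(os.path.join(dirpath, fn), ransom_ext)
                verdicts[fn] = verdict
    return verdicts


def build_constructed_case(root: str, ransom_ext: str = ".locked") -> str:
    """Write three constructed sample files: renamed PDF, head-overwritten DOCX, unknown type."""
    with open(os.path.join(root, "invoice.pdf" + ransom_ext), "wb") as f:
        f.write(b"%PDF-1.7\n% constructed sample, intact header\n")
    with open(os.path.join(root, "report.docx" + ransom_ext), "wb") as f:
        f.write(b"\x9a\x3c\xe1\x55" + b"\x00" * 64)   # simulated encrypted head
    with open(os.path.join(root, "notes.xyz" + ransom_ext), "wb") as f:
        f.write(b"no signature known for this extension")
    return root


def demo(ransom_ext: str = ".locked"):
    """Run the triage over a fresh constructed directory and return the verdict map."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    build_constructed_case(root, ransom_ext)
    return triage_directory(root, ransom_ext)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:28} {verdict}")
```

A rename-only verdict is a strong hint, not proof: the file body should still be hash-compared with a backup or checked by opening it in a sandbox, because some families leave the header and encrypt later ranges.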

Crypto Operations (When Keys Are Available)

  1. Controlled Bulk Decryption – Run vendor/operator decryptors in an air-gapped lab on cloned datasets; sandbox, throttle, and checkpoint with per-file hashing.

  2. Targeted Decryption First – Prioritise business-critical file types; validate each class (DBs/VMs/docs) before widening scope.

  3. Integrity Assurance – Post-decrypt fix-ups (e.g., DB consistency checks, filesystem ACL/owner remediation) and cross-hash against backups.
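The per-file hashing mentioned for the validation step of the workflow, for controlled bulk decryption (item 1) and for integrity assurance (item 3) comes down to one mechanism: a manifest of sizes and SHA-256 digests taken before the run, another taken after, and a diff that flags anything changed, missing or unexpectedly added, plus a comparison against a known-good reference such as the last backup. The Python below is an added example written for this page, not the company's tooling; the directory layout, file contents and reference digests are constructed, and the "decryption run" is simulated by rewriting one file and dropping a log file.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str, bufsize: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large VHDX/DB files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str):
    """Map relative path (POSIX separators) -> (size, sha256) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def diff_manifests(before, after):
    """Classify every path as unchanged, changed, missing or added between two checkpoints."""
    report = {"unchanged": [], "changed": [], "missing": [], "added": []}
    for rel, meta in before.items():
        if rel not in after:
            report["missing"].append(rel)
        elif after[rel] == meta:
            report["unchanged"].append(rel)
        else:
            report["changed"].append(rel)
    report["added"] = [rel for rel in after if rel not in before]
    return report


def verify_against_reference(decrypted, reference):
    """Return reference paths whose digest does not match the decrypted tree."""
    return [rel for rel, (_size, digest) in reference.items()
            if decrypted.get(rel, (None, None))[1] != digest]


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed run: checkpoint a clone, simulate decryption, diff, then check a reference."""
    root = tempfile.mkdtemp(prefix="clone-")
    # state of the cloned dataset before the decryptor runs (constructed contents)
    _write(root, "docs/a.txt", b"ENCRYPTED-PLACEHOLDER-A")
    _write(root, "docs/b.txt", b"hello world\n")
    before = build_manifest(root)
    # simulated decryptor run: a.txt restored, b.txt untouched, a stray log dropped
    _write(root, "docs/a.txt", b"quarterly figures\n")
    _write(root, "docs/decryptor.log", b"done\n")
    after = build_manifest(root)
    # constructed reference manifest, standing in for the last clean backup
    reference = {
        "docs/a.txt": (18, hashlib.sha256(b"quarterly figures\n").hexdigest()),
        "docs/b.txt": (12, hashlib.sha256(b"hello world\n").hexdigest()),
    }
    return diff_manifests(before, after), verify_against_reference(after, reference)


if __name__ == "__main__":
    report, mismatches = demo()
    for kind, paths in report.items():
        print(f"{kind:9}: {paths}")
    print("reference mismatches:", mismatches)
```

Checkpointing the manifest between batches means a decryptor that crashes or corrupts output part-way can be stopped and the last good batch identified from the diff, rather than discovering silent corruption after the whole dataset has been processed.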

Evidence, Reporting & Governance

  1. Forensic Timeline & IOC Set – Produce machine/user timelines, persistence mechanisms, and lateral movement paths for IR teams and insurers.

  2. Post-Incident Hardening – Backup immutability, least-privilege, patch cadence, MFA/RDP lockdown, and tested restore drills.

Important: Some modern strains use strong cryptography with per-victim keys held by the attacker. If no technical weakness, key exposure, or valid keys are available, decryption is not feasible. In those cases we maximise recovery from snapshots, versioning, journals, caches, partial encryption artefacts, and unaffected systems.


What We Need From You

  • A copy of the ransom note, 2–3 sample encrypted files, and any decryptor received.

  • Approximate encryption start time, systems affected, and any changes made since discovery.

  • For shipping: place drives in anti-static bag, wrap in bubble wrap, and package in a padded envelope or small box with your contact details. You can post to us or drop off in person—we’ll confirm receipt and begin free diagnostics.


Why Norwich Data Recovery

  • 25 years delivering forensic-grade data recovery and ransomware response

  • Multi-vendor expertise across endpoints, NAS/RAID, virtualisation, and enterprise filesystems

  • Advanced tooling (forensic imagers, hypervisor & snapshot parsers, database log replay, crypto analysis)

  • Chain-of-custody documentation, insurer/legal-ready reporting

  • Free diagnostics and an optional ~48-hour Critical Service (case-dependent)


Ready to Start?

Contact Norwich Data Recovery today for a free diagnostic.
Serving Norwich and nationwide. We’ll assess feasibility quickly and move on the fastest safe path to your data.

Contact Us

Tell us about your issue and we'll get back to you.

Call us on 0800 6890668 or use the form above to contact us.