Ransomware Encrypted Your Files? Don't Pay Yet — There Are Other Routes.
UK ransomware data recovery specialists since 2002. Snapshot recovery, shadow copy restore, decryptor application, raw file carving. Strict no-payment-to-attacker policy. Free initial assessment. No-fix-no-fee.
What this means and what to do next
Ransomware in 2026 is a mature criminal industry. The dominant families — LockBit (in its various rebrands), BlackCat/ALPHV successors, Akira, Phobos, Royal, and the Conti-derived branches — each have predictable encryption patterns and predictable mistakes. Some encrypt only file content and leave metadata intact; some encrypt only the first N kilobytes of large files; some leave Volume Shadow Copies untouched, others delete them. The variant determines which recovery routes exist before any payment conversation should happen.
Data Clinic does not negotiate with attackers and does not handle ransom payments. What we do is the technical recovery work: identifying the variant, recovering whatever is recoverable without the decryptor, preserving evidence for incident response, and — where a public decryptor exists for the variant (No More Ransom Project, BitDefender, Kaspersky, ESET releases) — applying it correctly. For many strains the public decryptor exists but is poorly understood; misapplied decryptors corrupt files that would otherwise have decrypted cleanly.
The most important hour after a ransomware incident is the one immediately after detection. The decisions made then largely determine recovery outcomes. Common mistakes we see: rebooting infected machines (which discards volatile evidence, sometimes including an encryption key still held in memory, and lets any persistence mechanism resume encryption that had been interrupted), restoring backups onto still-infected machines (which gets the restored data re-encrypted), running standard antivirus on encrypted files (which sometimes quarantines the ransom notes and the encrypted files themselves, destroying the evidence needed to identify the variant), and reformatting and reinstalling Windows on the affected device (which destroys the shadow copies and the NTFS journal data that recovery often depends on).
The four main ransomware recovery routes — and when each applies
1. Volume Shadow Copy recovery (Windows). Many ransomware variants attempt to delete Volume Shadow Copies (VSS), typically with vssadmin delete shadows /all /quiet, wmic shadowcopy delete, or the equivalent PowerShell. They are not always successful, particularly on Server editions, on volumes the attacker did not hold admin rights over, or where the variant's deletion script failed or was blocked. If shadow copies survive, the original unencrypted files can often be extracted from them directly. The technical work is in enumerating the surviving copies, working out which of them were created before encryption started (the creation time of the earliest ransom note is a usable marker; anything snapshotted after it contains ciphertext), and mounting them forensically, preferably from a disk image rather than on the live infected machine, where the VSS service may be unstable. This is the highest-yield route when it applies, sometimes recovering 100% of the data in hours, no decryptor needed.
2. Snapshot recovery on the storage layer (NAS, SAN, virtual). If the affected files lived on a Synology, QNAP, NetApp, VMware vSAN, or any platform with storage-layer snapshots, ransomware running at the file-system layer on a client or server cannot reach those snapshots: they are read-only and sit below the layer the malware can write to. The exception is an attacker who also obtained administrator credentials for the storage platform itself and deleted the snapshots through its management interface, which is why a separate storage admin credential and snapshot immutability or retention-lock settings matter. Where the snapshots survive, recovery is a matter of mounting the latest pre-encryption snapshot read-only and copying the data out. This is the easiest recovery route when it applies; the work is mostly identifying that snapshots exist (many customers do not realise they have them) and getting access to them safely.
3. Public decryptor application. Several ransomware families have had their decryption keys leaked, recovered by law enforcement, or broken cryptographically, and free decryptors are published, most centrally at nomoreransom.org. Variants with current public decryptors include parts of LockBit (via the 2024 law enforcement operation), some Akira variants, multiple Phobos branches, and many older strains. Identifying the variant accurately is the critical step: running the wrong decryptor against your files will fail at best and corrupt them at worst. We identify the variant from the ransom note, the file extension and renaming pattern, and a sample of encrypted files; if you also have an untouched copy of one of those files (from email, an old backup or another machine), send it too, because several public decryptors need an original/encrypted pair to recover the key. If a decryptor exists, we apply it in our lab against an image of your data, never against the live data.
4. Raw carving of the unencrypted file body. Some ransomware variants encrypt only the first megabyte or so of each file, or the first megabyte plus a small percentage of the remainder, to finish faster. For large files (videos, databases, virtual disk images, design files) most of the data on disk is therefore still in clear. We can carve the unencrypted body of those files with forensic tools and rebuild the file headers from format defaults. This is partial recovery, not full, but for media files and some database formats it is enough to recover the working content. Variants where this applies include many of the 'fast' ransomware families that prioritise speed over thoroughness. The caveat is intermittent encryption, where the variant stripes encrypted blocks through the whole file rather than encrypting a single prefix; that leaves only fragments, so the variant's encryption pattern needs to be confirmed before carving is attempted.
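The per-file check behind routes 3 and 4 (is this file fully encrypted, untouched, or encrypted only in a leading prefix, and if the latter, where does the clear body start?), as an added example in Python. This is not Data Clinic's tooling or any product's code; it assumes a prefix-encrypting variant, and the window size, entropy threshold, file names and the constructed SQL dump it triages are assumptions of the example.

```python
"""Entropy-profile triage and body carving for prefix-encrypted files.

Added example, not Data Clinic's tooling. It assumes the variant encrypts a
leading prefix of each file and leaves the remainder untouched; the window
size, threshold, file names and the constructed SQL dump are this example's
own choices.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

WINDOW = 64 * 1024   # entropy is measured over 64 KiB windows (assumed size)
MIN_WINDOW = 4096    # a shorter tail window gives an unreliable estimate; skip it
CIPHERTEXT = 7.8     # bits/byte; ciphertext and random data sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(path, window=WINDOW):
    """Entropy of each window of the file, in file order."""
    profile = []
    with open(path, "rb") as f:
        while block := f.read(window):
            if len(block) >= MIN_WINDOW:
                profile.append(shannon_entropy(block))
    return profile


def triage(path, window=WINDOW, threshold=CIPHERTEXT):
    """Classify a file as 'intact', 'full' or 'partial'.

    For 'partial' the result also carries the encrypted prefix length, i.e.
    the offset at which the clear body starts, resolved to window granularity
    (the exact boundary comes from the variant's known rule), and a 'striped'
    flag that is set when ciphertext-like windows appear after the first clear
    one: compressed regions inside the body, or intermittent encryption, in
    which case a single contiguous carve is not safe.
    """
    size = os.path.getsize(path)
    high = [e >= threshold for e in entropy_profile(path, window)]
    if not any(high):
        return {"state": "intact", "prefix": 0, "size": size}
    if all(high):
        return {"state": "full", "prefix": size, "size": size}
    leading = 0
    for is_cipher in high:
        if not is_cipher:
            break
        leading += 1
    return {"state": "partial", "prefix": leading * window, "size": size,
            "striped": any(high[leading:])}


def carve_body(path, prefix_len, out_path):
    """Copy everything after the encrypted prefix to out_path; returns bytes written."""
    written = 0
    with open(path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(prefix_len)
        while block := src.read(1024 * 1024):
            dst.write(block)
            written += len(block)
    return written


def build_samples(directory: Path):
    """Constructed samples: an untouched SQL dump, the same dump with its first
    256 KiB overwritten by random bytes standing in for ciphertext, and a file
    that is ciphertext from start to end."""
    line = b"INSERT INTO orders VALUES (42, 'widget', 19.99);\n"
    body = (line * (12 * WINDOW // len(line) + 1))[: 12 * WINDOW]
    prefix = os.urandom(4 * WINDOW)
    paths = {"intact": directory / "orders.sql",
             "partial": directory / "orders.sql.locked",
             "full": directory / "archive.sql.locked"}
    paths["intact"].write_bytes(body)
    paths["partial"].write_bytes(prefix + body[len(prefix):])
    paths["full"].write_bytes(os.urandom(len(body)))
    return paths


def demo():
    """Build the samples in a temporary directory, triage each one and carve
    the clear body out of the partially encrypted file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        paths = build_samples(tmp)
        results = {name: triage(p) for name, p in paths.items()}
        body_out = tmp / "orders.sql.body"
        results["carved_bytes"] = carve_body(
            paths["partial"], results["partial"]["prefix"], body_out)
        results["carved_has_sql"] = b"INSERT INTO orders VALUES" in body_out.read_bytes()[:256]
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats. Entropy cannot separate ciphertext from data that is already compressed, so a JPEG, MP4 or ZIP body scores near 8 bits per byte whether or not it was touched; for those formats the boundary has to come from the variant's documented prefix length (seek straight to it in carve_body) rather than from the profile, and an intact compressed file will be reported as 'full'. Rebuilding the header in front of the carved body is format specific and is not shown here.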
How Data Clinic handles a ransomware recovery
Step one is a confidential phone call. We will ask which systems are affected, what variant has been identified (or we will help identify it from a sample of the ransom note and a few encrypted file names), whether your backups are intact, whether you have Volume Shadow Copies on Windows systems, and whether the storage layer (NAS, SAN, virtual) supports snapshots. We will also ask whether the attacker has made contact and what the ransom demand is — we do not handle payments, but the context affects how we sequence the work.
Step two is to take forensic images of the affected systems before anything else is done. This preserves the original state in case our first recovery approach fails and we need to try another, and it gives your incident response team, or your insurer's, a clean copy to work with. Apart from the imaging itself we do not touch the live systems; recovery work happens against the images, in our isolated lab environment.
Step three is the recovery itself, working through the routes above in order of yield. Shadow copies first (when applicable), storage snapshots next, public decryptors third, file carving last. Recovered data is delivered on a fresh sterile drive — never back onto the original infected media. We provide a written report covering the variant identified, the recovery routes attempted, the percentage of data recovered, and any forensic indicators that may be useful to your incident response team or insurer. More on our hard drive data recovery service →.
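The first check in step three, deciding which surviving shadow copies predate the encryption and how to expose one, as an added example in Python. It is not Data Clinic's tooling; it parses the output of vssadmin list shadows (run elevated on the affected machine, shown here as a constructed sample with the attribute lines trimmed), and the accepted date formats, the onset timestamp and the mount directory are assumptions of the example.

```python
"""Pick pre-encryption shadow copies out of `vssadmin list shadows` output.

Added example, not Data Clinic's tooling. The sample output below is
constructed in the layout vssadmin prints (attribute lines trimmed); the
accepted date formats, the onset timestamp and the mount directory are this
example's assumptions.
"""
import re
from datetime import datetime

# Constructed sample: a file server with four surviving copies. Three predate
# the encryption (one set holds copies of both C: and D:), one was taken after it.
SAMPLE_VSSADMIN = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 13/03/2024 08:00:12
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000001}
         Original Volume: (D:)\\?\Volume{5e6f7a8b-0000-4000-8000-00000000000d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: fs01.corp.example

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000002}
   Contained 2 shadow copies at creation time: 14/03/2024 08:00:05
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{5e6f7a8b-0000-4000-8000-00000000000c}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: fs01.corp.example
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000003}
         Original Volume: (D:)\\?\Volume{5e6f7a8b-0000-4000-8000-00000000000d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: fs01.corp.example

Contents of shadow copy set ID: {1a2b3c4d-0000-4000-8000-000000000003}
   Contained 1 shadow copies at creation time: 15/03/2024 03:40:51
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000004}
         Original Volume: (D:)\\?\Volume{5e6f7a8b-0000-4000-8000-00000000000d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: fs01.corp.example
"""

DATE_FORMATS = ("%d/%m/%Y %H:%M:%S",      # en-GB locale (assumed first)
                "%m/%d/%Y %I:%M:%S %p")   # en-US locale

SET_TIME = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")
ORIG_VOL = re.compile(r"Original Volume: \(([A-Za-z]:)\)")
SC_VOL = re.compile(r"Shadow Copy Volume: (\S+)$")


def parse_time(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised creation time: {text!r}")


def parse_vssadmin(text):
    """One dict per shadow copy: creation time, source drive letter, device path."""
    copies, created, drive = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SET_TIME.match(line):
            created = parse_time(m.group(1))   # applies to every copy in the set
        elif m := ORIG_VOL.match(line):
            drive = m.group(1)
        elif m := SC_VOL.match(line):
            copies.append({"created": created, "drive": drive, "device": m.group(1)})
    return copies


def pre_encryption_copies(copies, onset, drive=None):
    """Copies created before the encryption onset, newest first. The onset is
    the earliest evidence of encryption, e.g. the creation time of the first
    ransom note; a copy taken after it holds ciphertext, not originals."""
    chosen = [c for c in copies
              if c["created"] < onset and (drive is None or c["drive"] == drive)]
    return sorted(chosen, key=lambda c: c["created"], reverse=True)


def expose_command(copy, mount_dir):
    """cmd.exe command that exposes the copy as a directory junction so files
    can be copied out; the trailing backslash on the device path is required."""
    return f'mklink /d "{mount_dir}" {copy["device"]}\\'


def demo():
    onset = datetime(2024, 3, 15, 3, 12, 0)   # assumed: first ransom note creation time
    copies = parse_vssadmin(SAMPLE_VSSADMIN)
    candidates = pre_encryption_copies(copies, onset, drive="D:")
    return {
        "total": len(copies),
        "candidates": [c["device"] for c in candidates],
        "command": expose_command(candidates[0], r"C:\vss_D_20240314"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The onset timestamp should be the earliest evidence you hold, usually the creation time of the first ransom note or the earliest modified time among encrypted files; a copy taken by a scheduled job after that point contains ciphertext. vssadmin prints times in the machine's locale, so on an en-US server the second format applies and day/month ambiguity is real; Get-CimInstance Win32_ShadowCopy in PowerShell reports the same copies with an unambiguous InstallDate and the DeviceObject path, and is the better source when a PowerShell session is available. The mklink junction only exposes the copy; copy files out of it to the sterile target and remove the junction afterwards.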
Get a free initial diagnosis in 60 seconds
In the tool below, choose Files lost or inaccessible and then ransomware / encrypted by malware. The tool routes ransomware cases straight to our incident response team — separate from standard hardware recovery.
What our customers say
"Three years of family photos on a drive that suddenly failed. Data Clinic collected next day, kept me updated through the cleanroom work, and got everything back. Worth every penny."
"Honest, fixed-price, no-fix-no-fee. Quoted by another lab at three times the price. Recovered 100% of my files."
"Reasonable cost, clear communication, and they were straight with me about what was recoverable and what wasn't. Recommended."
Frequently asked questions
Will paying the ransom decrypt my files?
Sometimes yes, often no. Even with payment, attacker-supplied decryptors are notoriously buggy: they crash, they fail on large files, they decrypt some files but not others, and they sometimes never arrive at all despite payment. The NCSC and the ICO both advise against payment, and have said jointly that paying does not reduce regulatory penalties. Beyond the ethical and legal questions, the practical question is: have you exhausted the no-payment recovery routes first? Most organisations have at least one viable route they have not tried.
Is paying the ransom legal in the UK?
Payment is not currently illegal in the UK in most circumstances, but it becomes a sanctions offence if the recipient is a designated person, and several active ransomware groups have known links to sanctioned entities. The Office of Financial Sanctions Implementation (OFSI) has published guidance treating ransom payments as potential breaches and can impose civil penalties on a strict-liability basis, so not knowing who was behind the attack is no defence. Any ransom payment should be reviewed by counsel before it is made; many cyber insurers will not cover a payment without a sanctions check.
Can you decrypt LockBit, BlackCat, Akira, or Phobos files?
Some of them, some of the time, depending on the variant. The LockBit operation in 2024 produced decryption keys that are now in public decryptors for some LockBit variants — but not all. Akira has had partial decryptor releases for older variants. Phobos has multiple branches and some are decryptable. BlackCat/ALPHV is mostly not decryptable without the attacker's key. The first step is variant identification — once we know which exact variant, we know which routes are available. Send a sample to us and we will tell you within 24 hours.
My backups got encrypted too. What now?
This is increasingly common: modern ransomware operators locate and encrypt or delete backup repositories before triggering the main encryption. The recovery routes are still: shadow copies on individual workstations, storage-layer snapshots (which sometimes survive even when the backups did not, because they live on a different layer), and the no-payment routes above worked against forensic images. Cloud storage and backup providers with file versioning often retain pre-encryption versions for a retention window (commonly 30 to 90 days, depending on the plan and settings) even after the visible copy has been overwritten with ciphertext; we will help you contact your provider to retrieve them before the window closes.
Should I report the incident to the ICO or NCSC?
Yes for the ICO if personal data is affected: UK GDPR requires notification within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and the ICO treats ransomware encryption of personal data as a breach because of the loss of availability and integrity, even when no exfiltration occurred. Yes for the NCSC, whose incident reporting is voluntary for most organisations but gives you access to its advice and, for significant incidents, its coordination; report to Action Fraud (or Police Scotland) as well, since that is the route into a law enforcement investigation. We provide reports suitable for both ICO submission and NCSC briefing.
How much does ransomware recovery cost?
It varies dramatically by case. Volume Shadow Copy recovery on a single workstation may be a few hundred pounds. Full enterprise recovery — multiple servers, file shares, virtual disks, with decryptor work — can run into five figures. We give a fixed-fee quote after the initial assessment, which is free and confidential. No fee if we cannot recover useful amounts of data.