{"id":4309,"date":"2018-06-25T22:50:38","date_gmt":"2018-06-26T02:50:38","guid":{"rendered":"https:\/\/www.digitalforensics.com\/blog\/?p=4309"},"modified":"2025-04-09T21:07:09","modified_gmt":"2025-04-09T21:07:09","slug":"data-recovery-after-ransomware-that-encrypts-files","status":"publish","type":"post","link":"https:\/\/www.digitalforensics.com\/blog\/software\/data-recovery-after-ransomware-that-encrypts-files\/","title":{"rendered":"Data recovery after ransomware that encrypts files"},"content":{"rendered":"\n<p>Cases of <a href=\"https:\/\/www.digitalforensics.com\/blog\/software\/data-recovery\/\">data recovery<\/a> after ransomware that encrypts files have become more and more frequent recently. Helping in these cases is not a trivial task.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-challenges-in-data-recovery-for-ransomware-encrypted-files\"><span class=\"ez-toc-section\" id=\"Challenges_in_Data_Recovery_for_Ransomware_Encrypted_Files\"><\/span>Challenges in Data Recovery for Ransomware Encrypted Files<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Let\u2019s consider some aspects of this problem. Ransomware usually encrypts the most-used data such as photos, videos, office files, databases, etc. Different ransomware can give different extensions to encrypted data, but they can be treated as the same mechanism using similar algorithms.<\/p>\n\n\n\n<p>Files are encrypted with cryptographic algorithms. The key consists of a public key and a private key. The public key is generated on the victim\u2019s PC, while the private key is kept secret and only the fraud perpetrator knows it. The combination of public key and private key is unique to each case. It\u2019s impossible to decrypt data without the private key. 
Solutions offered by well-known anti-virus developers are likely to focus on finding the private part of the key, by brute force or special heuristic analysis.<\/p>\n\n\n\n<p>We have no practical experience of paying to obtain decoder software, but our customers state they have had such experiences. Let\u2019s set aside the moral side of this problem, such as whether to pay or not to pay. It\u2019s obvious there\u2019s no need to encourage malicious users, but everyone has their own view as to the importance of data.<\/p>\n\n\n\n<p>However, there have been cases of partial decryption of files. Each case was special. Success is possible only if the ransomware encrypts not the whole file, but only part of it. Such an approach on the hacker\u2019s part has a logical explanation. As data volume increases, the time needed to encrypt files increases, so the risk of being discovered increases as well. That\u2019s why we think only an important part of the data is encrypted, rather than all of it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-practical-case-recovering-data-from-ransomware-encrypted-files\"><span class=\"ez-toc-section\" id=\"Practical_Case_Recovering_Data_from_Ransomware_Encrypted_Files\"><\/span>Practical Case: Recovering Data from Ransomware Encrypted Files<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Here\u2019s a practical case. The ransomware encrypted the beginning of the file and some small fragments in the body of the file, and added its technical information at the end of the file. 
We faced several tasks at this step:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>to determine the correct end of the file and carve off the ransomware\u2019s addition;<\/li>\n\n\n\n<li>to determine the size of the damaged header;<\/li>\n\n\n\n<li>to determine the location and size of encrypted fragments in the body of the file.<\/li>\n<\/ul>\n\n\n\n<p>The solution for the end of the file was simple.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"670\" height=\"666\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1.jpg\" alt=\"\" class=\"wp-image-4303\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1.jpg 670w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-150x150.jpg 150w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-300x298.jpg 300w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-148x148.jpg 148w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-512x509.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-16x16.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-32x32.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-28x28.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-56x56.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure1-64x64.jpg 64w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\" \/><\/figure>\n<\/div>\n\n\n<p>The header was more complicated because it\u2019s often specific to the file. It\u2019s possible to replace it, with small changes, with the header of a similar correct file. 
In our case, the file headers were changed using XOR and modifying some bytes.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"666\" height=\"671\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2.jpg\" alt=\"\" class=\"wp-image-4304\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2.jpg 666w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-150x150.jpg 150w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-298x300.jpg 298w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-148x148.jpg 148w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-512x516.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-16x16.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-32x32.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-28x28.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-56x56.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure2-64x64.jpg 64w\" sizes=\"auto, (max-width: 666px) 100vw, 666px\" \/><\/figure>\n<\/div>\n\n\n<p>\u00a0We couldn\u2019t find the solution with encrypted areas in the file. The private part of the key is unknown, data is unique so it\u2019s impossible to match it. 
We made the software that automates the process of correcting the beginning of the file and end of the file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"648\" height=\"861\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3.jpg\" alt=\"\" class=\"wp-image-4305\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3.jpg 648w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3-226x300.jpg 226w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3-512x680.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3-12x16.jpg 12w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3-24x32.jpg 24w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3-21x28.jpg 21w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3-42x56.jpg 42w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure3-48x64.jpg 48w\" sizes=\"auto, (max-width: 648px) 100vw, 648px\" \/><\/figure>\n<\/div>\n\n\n<p>\u00a0We got correct video with some artifacts and correct or partly correct office files. The main fail was with JPEG files. Information was compressed so even little damage leads to the damage of the whole file.<\/p>\n\n\n\n<p>\u00a0We made the next algorithm. 
Considering the location of encrypted data is known, we can define the line in the photo where there\u2019s a damaged fragment and replace it with the previous line or the next one.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"607\" height=\"859\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1.jpg\" alt=\"\" class=\"wp-image-4311\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1.jpg 607w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1-212x300.jpg 212w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1-512x725.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1-11x16.jpg 11w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1-23x32.jpg 23w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1-20x28.jpg 20w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1-40x56.jpg 40w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure4-1-45x64.jpg 45w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/figure>\n<\/div>\n\n\n<p>\u00a0The substitution usually was invisible, but sometimes we got curious photos. 
Such approach let us recover some photos to an acceptable level.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"533\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5.jpg\" alt=\"\" class=\"wp-image-4307\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5.jpg 800w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-300x200.jpg 300w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-768x512.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-512x341.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-16x11.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-32x21.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-28x19.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-56x37.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure5-64x43.jpg 64w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"533\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6.jpg\" alt=\"\" class=\"wp-image-4308\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6.jpg 800w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-300x200.jpg 300w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-768x512.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-512x341.jpg 512w, 
https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-16x11.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-32x21.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-28x19.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-56x37.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure6-64x43.jpg 64w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n\n\n<p>We should note there\u2019s one more approach to data recovery: a search among the deleted files and analysis of free space.<\/p>\n\n\n\n<p>Let\u2019s draw the conclusion. If ransomware has encrypted your files, it\u2019s not always a \u201csentence.\u201d<\/p>\n\n\n\n<p><strong>Just don\u2019t give up!<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-faq\"><span class=\"ez-toc-section\" id=\"FAQ\"><\/span>FAQ<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-are-the-files-encrypted-or-a-whole-partition\"><span class=\"ez-toc-section\" id=\"Are_the_files_encrypted_or_a_whole_partition\"><\/span>Are the files encrypted or a whole partition?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>We have had both cases in our experience.<br>If files are encrypted, we recommend you recover data from the partition\u2019s FreeSpace area (ransomware usually misses this area).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-why-will-it-succeed\"><span class=\"ez-toc-section\" id=\"Why_will_it_succeed\"><\/span>Why will it succeed?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Copies of the data may have been deleted or moved, or temporary files may have been created. So an analysis is necessary.<br>It\u2019s a difficult case when a partition is entirely encrypted. 
In the future it will occur rarely.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-why-do-we-think-so\"><span class=\"ez-toc-section\" id=\"Why_do_we_think_so\"><\/span>Why do we think so?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The volume of storage devices increases. As a result, time spent for encryption will increase as well. This will make it more difficult for hackers to achieve their goals.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-is-it-possible-to-recover-data-if-a-whole-partition-is-encrypted\"><span class=\"ez-toc-section\" id=\"Is_it_possible_to_recover_data_if_a_whole_partition_is_encrypted\"><\/span>Is it possible to recover data if a whole partition is encrypted?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>If the algorithm of encryption is cryptographic and the key is unknown, we won\u2019t be able to help.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-can-you-determine-whether-an-algorithm-is-cryptographical-or-not\"><span class=\"ez-toc-section\" id=\"How_can_you_determine_whether_an_algorithm_is_cryptographical_or_not\"><\/span>How can you determine whether an algorithm is cryptographical or not?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Usually the algorithm of encryption is unknown. So it\u2019s difficult to give a definitive answer. There\u2019s a choice to search markers.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"771\" height=\"689\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2.jpg\" alt=\"A data scan of ransomware data recovery. 
\" class=\"wp-image-4406\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2.jpg 771w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-300x268.jpg 300w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-768x686.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-512x458.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-16x14.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-32x29.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-28x25.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-56x50.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-64x57.jpg 64w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-1-ransomware2-68x60.jpg 68w\" sizes=\"auto, (max-width: 771px) 100vw, 771px\" \/><\/figure>\n<\/div>\n\n\n<p>In this case, we define XOR with some additions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-to-determine-xor-is-used\"><span class=\"ez-toc-section\" id=\"How_to_determine_XOR_is_used\"><\/span>How to determine XOR is used?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>It\u2019s necessary to take two or three files of same type and compare them. 
The presence of coinciding parts and further analysis will let us make a conclusion about the algorithm used.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"776\" height=\"874\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2.jpg\" alt=\"\" class=\"wp-image-4407\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2.jpg 776w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-266x300.jpg 266w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-768x865.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-512x577.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-14x16.jpg 14w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-28x32.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-25x28.jpg 25w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-50x56.jpg 50w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-2-ransomware2-57x64.jpg 57w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"h-a-frauder-sent-the-name-of-algorithm-of-encryption-in-a-text-file-will-it-help-to-decrypt\"><span class=\"ez-toc-section\" id=\"A_frauder_sent_the_name_of_algorithm_of_encryption_in_a_text_file_Will_it_help_to_decrypt\"><\/span>A frauder sent the name of algorithm of encryption in a text file. 
Will it help to decrypt?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"435\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2.jpg\" alt=\"\" class=\"wp-image-4408\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2.jpg 800w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-300x163.jpg 300w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-768x418.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-512x278.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-16x9.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-32x17.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-28x15.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-56x30.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-3-ransomware2-64x35.jpg 64w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n\n\n<p>It\u2019s difficult to answer. There are many variations of cryptographic algorithms. The task of key search is the most important.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-i-know-a-new-extension-of-files-that-ransomware-created-will-it-help\"><span class=\"ez-toc-section\" id=\"I_know_a_new_extension_of_files_that_ransomware_created_Will_it_help\"><\/span>I know a new extension of files that ransomware created. Will it help?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>It\u2019s not important what kind of extension it is. 
There are many variants, and they are hard to systematize. What matters most is what is inside the file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"331\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2.jpg\" alt=\"\" class=\"wp-image-4409\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2.jpg 643w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2-300x154.jpg 300w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2-512x264.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2-16x8.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2-32x16.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2-28x14.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2-56x29.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-4-ransomware2-64x33.jpg 64w\" sizes=\"auto, (max-width: 643px) 100vw, 643px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-can-you-find-the-encryption-key\"><span class=\"ez-toc-section\" id=\"How_can_you_find_the_encryption_key\"><\/span>How can you find the encryption key?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>By direct key brute force or heuristic analysis, but the chances are slim.<br>If a sample of the ransomware is available (for example, an email with an infected file), it\u2019s possible to set up a test case on a prepared PC with a huge volume of data (we need to buy some time). Run the ransomware. While it\u2019s encrypting data, we take several RAM dumps at short intervals. 
Compare them and seek patterns.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-have-you-succeeded-in-key-searching-with-the-help-of-ram-dumps\"><span class=\"ez-toc-section\" id=\"Have_you_succeeded_in_key_searching_with_the_help_of_RAM_dumps\"><\/span>Have you succeeded in key searching with the help of RAM dumps?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Not yet. It\u2019s just a hypothesis. We can\u2019t check it because users are not ready to pay for such expensive work.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-so-when-is-it-possible-to-help-if-a-virus-has-encrypted-data\"><span class=\"ez-toc-section\" id=\"So_when_is_it_possible_to_help_if_a_virus_has_encrypted_data\"><\/span>So when is it possible to help if a virus has encrypted data?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>It\u2019s possible if files are not entirely encrypted.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"769\" height=\"900\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2.jpg\" alt=\"\" class=\"wp-image-4410\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2.jpg 769w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-256x300.jpg 256w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-768x899.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-512x599.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-14x16.jpg 14w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-27x32.jpg 27w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-24x28.jpg 24w, 
https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-48x56.jpg 48w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-5-ransomware2-55x64.jpg 55w\" sizes=\"auto, (max-width: 769px) 100vw, 769px\" \/><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-can-you-determine-that\"><span class=\"ez-toc-section\" id=\"How_can_you_determine_that\"><\/span>How can you determine that?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>You need to find an unencrypted copy of an encrypted file (on another device, for example) and compare them. This procedure should be repeated on some examples. It\u2019s necessary to determine the length and location of encrypted areas better.<br>If there\u2019s no coincidence, file will be entirely encrypted. The only decision is a key search (vide supra).<br>If there\u2019s coincidence, part of the user\u2019s data is not encrypted.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-what-size-of-file-should-be-taken-for-comparison\"><span class=\"ez-toc-section\" id=\"What_size_of_file_should_be_taken_for_comparison\"><\/span>What size of file should be taken for comparison?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The more the better. A file\u2019s size has to be more than 10 MB. One of the versions of well-known Petya (NotPetya) encryptor had encrypted only the first MB of data. Files of up to 1 MB were entirely encrypted. Files of more than 1 MB were partly recovered. Look at the fifth&nbsp;figure.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-can-you-recover-data-if-a-file-is-not-entirely-encrypted\"><span class=\"ez-toc-section\" id=\"How_can_you_recover_data_if_a_file_is_not_entirely_encrypted\"><\/span>How can you recover data if a file is not entirely encrypted?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>There\u2019s no single algorithm for the problem. 
Everything depends on the file type and on the length and location of the encrypted areas. It\u2019s creative work for data recovery specialists.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-what-do-you-do-when-you-get-a-case-with-ransomware\"><span class=\"ez-toc-section\" id=\"What_do_you_do_when_you_get_a_case_with_ransomware\"><\/span>What do you do when you get a case with ransomware?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The algorithm we follow:<\/p>\n\n\n\n<p>to check FreeSpace area<br>to investigate the ransomware<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>we open uncompressed files, for example doc, xls (not to be confused with docx, xlsx). If a file doesn\u2019t have a correct header, it is possibly encrypted<\/li>\n\n\n\n<li>we search for a code such as 0x00000000. Such a code is often used in uncompressed files and is not used in an encrypted fragment.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"777\" height=\"781\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2.jpg\" alt=\"\" class=\"wp-image-4411\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2.jpg 777w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-150x150.jpg 150w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-298x300.jpg 298w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-768x772.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-148x148.jpg 148w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-512x515.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-16x16.jpg 16w, 
https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-32x32.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-28x28.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-56x56.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-6-ransomware2-64x64.jpg 64w\" sizes=\"auto, (max-width: 777px) 100vw, 777px\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>we ask the customer to provide unencrypted copies of encrypted files from another PC, if possible<\/li>\n\n\n\n<li>compare them and define the areas of encryption<\/li>\n\n\n\n<li>in this example, in the 6th picture, the ransomware encrypts in blocks of 8192 bytes.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Encrypted area<\/td><td>Unchanged area<\/td><td>Encrypted area<\/td><td>Unchanged area<\/td><td>Encrypted area<\/td><td>Unchanged area<\/td><td>\u2026<\/td><td>ID key ransomware<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"1043\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1.jpg\" alt=\"\" class=\"wp-image-4416\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1.jpg 800w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-230x300.jpg 230w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-768x1001.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-785x1024.jpg 785w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-512x668.jpg 512w, 
https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-12x16.jpg 12w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-25x32.jpg 25w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-21x28.jpg 21w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-43x56.jpg 43w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-7-ransomware2-1-49x64.jpg 49w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"776\" height=\"676\" src=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2.jpg\" alt=\"\" class=\"wp-image-4413\" srcset=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2.jpg 776w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-300x261.jpg 300w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-768x669.jpg 768w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-512x446.jpg 512w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-16x14.jpg 16w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-32x28.jpg 32w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-28x24.jpg 28w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-56x49.jpg 56w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-64x56.jpg 64w, https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/09\/Figure-8-ransomware2-68x60.jpg 
68w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/figure>\n<\/div>\n\n\n<p>We try to decrypt using various combinations of the ransomware ID key and known encryption algorithms (AES 256, for example). We know the chances are slim, but let\u2019s try.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>we suggest RAM investigation if there\u2019s ransomware;<\/li>\n\n\n\n<li>we determine more precisely what kind of data should be recovered and whether partial data recovery will help the customer;<\/li>\n\n\n\n<li>we suggest an individual solution depending on the file type.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-about-the-author-0\"><span class=\"ez-toc-section\" id=\"About_the_author\"><\/span>About the author<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Andrey Fedorov is a co-owner of the 512 BYTE company, a specialist in data recovery, software development for data recovery, and forensic analysis. He has more than 15 years of experience in this field.<\/p>\n\n\n\n<p>LinkedIn:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/in\/andrey-fedorov-166368106\">https:\/\/www.linkedin.com\/in\/andrey-fedorov-166368106<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"The problem of data recovery after ransomware that encrypts files has increased, with more and more cases recently.&hellip;","protected":false},"author":126,"featured_media":4302,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"csco_display_header_overlay":false,"csco_singular_sidebar":"","csco_page_header_type":"","footnotes":""},"categories":[6],"tags":[],"class_list":{"0":"post-4309","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-software","8":"cs-entry"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.6 (Yoast SEO v27.5) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ 
-->\n<title>Can You Recover Data After A Ransomware Attack?<\/title>\n<meta name=\"description\" content=\"Learn how to recover data after ransomware encrypts your files. Discover expert tips on file decryption, backup strategies, and professional recovery services to regain access to your critical data.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.digitalforensics.com\/blog\/software\/data-recovery-after-ransomware-that-encrypts-files\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data recovery after ransomware that encrypts files\" \/>\n<meta property=\"og:description\" content=\"Learn how to recover data after ransomware encrypts your files. Discover expert tips on file decryption, backup strategies, and professional recovery services to regain access to your critical data.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.digitalforensics.com\/blog\/software\/data-recovery-after-ransomware-that-encrypts-files\/\" \/>\n<meta property=\"og:site_name\" content=\"Resources for Sextortion and Online Blackmail Victims\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/DigitalForensicsCorp\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-26T02:50:38+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-09T21:07:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.digitalforensics.com\/blog\/wp-content\/uploads\/2018\/06\/Figure0.png\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"480\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Viktor Sobiecki\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta 
name=\"twitter:creator\" content=\"@ForensicsCorp\" \/>\n<meta name=\"twitter:site\" content=\"@ForensicsCorp\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Viktor Sobiecki\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/\"},\"author\":{\"name\":\"Viktor Sobiecki\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#\\\/schema\\\/person\\\/db7b63895c111dc8ed48df38d20b84ce\"},\"headline\":\"Data recovery after ransomware that encrypts files\",\"datePublished\":\"2018-06-26T02:50:38+00:00\",\"dateModified\":\"2025-04-09T21:07:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/\"},\"wordCount\":1484,\"publisher\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/Figure0.png\",\"articleSection\":[\"Cybersecurity Tips, Services, and Key Resources for Cybercrime 
Victims\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/\",\"url\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/\",\"name\":\"Can You Recover Data After A Ransomware Attack?\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/Figure0.png\",\"datePublished\":\"2018-06-26T02:50:38+00:00\",\"dateModified\":\"2025-04-09T21:07:09+00:00\",\"description\":\"Learn how to recover data after ransomware encrypts your files. 
Discover expert tips on file decryption, backup strategies, and professional recovery services to regain access to your critical data.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/Figure0.png\",\"contentUrl\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/Figure0.png\",\"width\":800,\"height\":480},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/data-recovery-after-ransomware-that-encrypts-files\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Tips, Services, and Key Resources for Cybercrime Victims\",\"item\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/software\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Data recovery after ransomware that encrypts files\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/\",\"name\":\"Resources for Sextortion and Online Blackmail 
Victims\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#organization\",\"name\":\"Digital Defense Hub: Resources for Sextortion and Online Blackmail Victims\",\"url\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/df-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/df-logo.png\",\"width\":393,\"height\":343,\"caption\":\"Digital Defense Hub: Resources for Sextortion and Online Blackmail Victims\"},\"image\":{\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/DigitalForensicsCorp\\\/\",\"https:\\\/\\\/x.com\\\/ForensicsCorp\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/#\\\/schema\\\/person\\\/db7b63895c111dc8ed48df38d20b84ce\",\"name\":\"Viktor 
Sobiecki\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/viktor-sobiecki_avatar-96x96.jpg\",\"url\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/viktor-sobiecki_avatar-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/viktor-sobiecki_avatar-96x96.jpg\",\"caption\":\"Viktor Sobiecki\"},\"description\":\"Dr. Viktor Sobiecki currently serves as the Chief Technology Officer (CTO) at Digital Forensics Corporation, where responsibilities span the leadership of advanced cybersecurity initiatives, data breach incident responses, and corporate strategic planning. Professional career has been driven by the intersection of innovation and practical application, particularly in the domains of cybersecurity and cyber crime investigations. He holds a Ph.D. in Computer Science and has contributed extensively to academic and industry advancements through publications, patents, and technological solutions addressing complex real-world challenges. As a professional with over 25 years of experience in the fields of cybersecurity, artificial intelligence, and digital forensics his career spans roles in academic research, software development, corporate leadership, and expert consulting, giving me a comprehensive understanding of the technical, strategic, and practical dimensions of projects. Expertise spans a wide range of technical domains, including: \u2022 Data Breach Incident Response: Managing immediate responses to cybersecurity crises, including the containment and mitigation of threats \u2022 Corporate Strategy Development: Designing long-term strategies to enhance organizational resilience against emerging cyber threats. \u2022 Expert Testimony: Providing legal and technical expertise in high-profile cybersecurity cases. 
\u2022 Artificial Intelligence and Machine Learning: Designing and implementing algorithms for data analysis, pattern recognition, and anomaly detection. \u2022 Network Security and Data Integrity: Developing solutions to protect critical systems from cyber threats, including encryption protocols and intrusion detection systems. \u2022 Cloud Computing and Hybrid Infrastructures: Creating scalable, resilient architectures for data storage, processing, and security.\",\"sameAs\":[\"https:\\\/\\\/www.digitalforensics.com\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/viktor-sobiecki\\\/\"],\"honorificPrefix\":\"Dr\",\"jobTitle\":\"Chief Technology Officer (CTO)\",\"worksFor\":\"Digital Forensics Corporation\",\"url\":\"https:\\\/\\\/www.digitalforensics.com\\\/blog\\\/author\\\/visor\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","_links":{"self":[{"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/posts\/4309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/users\/126"}],"replies":[{"embeddable":true,"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/comments?post=4309"}],"version-history":[{"count":9,"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/posts\/4309\/revisions"}],"predecessor-version":[{"id":12948,"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/posts\/4309\/revisions\/12948"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/media\/4302"}],"wp:attachment":[{"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/media?parent=4309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/categories?post=4309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.digitalforensics.com\/blog\/wp-json\/wp\/v2\/tags?post=4309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}