Call us — 0191 406 1051
Mon–Fri · 9am–5:30pm · No fix, no fee
Start a free diagnostic →
// case file · PC · HP Omen · LockBit ransomware

LockBit, an HP Omen, and no backup.

Every file encrypted, the boot record rewritten, the shadow copies deleted, and a ransom note. This is the case file where we explain what we actually did — because what most firms claim to do in this situation is not possible.

← All case files · £300 + VAT, flat

Device

HP Omen laptop

Failure

LockBit ransomware

Data

Work documents, personal media, project files

Outcome

Recovered around the encryption, not through it

// the brief

What arrived, and what was at stake.

An HP Omen laptop, infected with LockBit. Every user file encrypted or inaccessible, a ransom note demanding payment, and Windows refusing to boot. Antivirus had achieved nothing, which is expected — antivirus stops an infection, it does not undo one. There was no backup.

// on the bench

What the diagnosis found.

01

The strain was LockBit

, identified from the ransom note and the file markers. This matters more than anything else on the page, because the strain determines whether a published decryptor exists. For LockBit, it does not.

02

The Master Boot Record had been altered

, which is why the machine would not boot at all.

03

The Volume Shadow Copies had been deleted.

Ransomware always tries. It does not always succeed completely.

We did not break the encryption. Nobody can.

LockBit encrypts with AES-256 and wraps the key with RSA. Without the private key, those files are not recoverable — not by us, not by any laboratory, not with any amount of computing power. If a recovery firm tells you they can decrypt modern ransomware, they are either using a publicly released decryptor for a broken strain, or they are lying to you.

What we did instead was go around it.

// the recovery

How it was done.

// outcome

What came back.

Files came back, and not one of them was decrypted. They came from deleted originals, shadow copy remnants, unencrypted caches and the intact bodies of partially-encrypted large files. No ransom was paid.

How much that adds up to varies enormously, and anyone quoting you a figure before they have imaged the drive is guessing. It depends on the strain, on whether it overwrote in place or wrote-and-deleted, and above all on how quickly the machine was powered down — because the deleted originals are the single largest source of recovery, and they survive only until Windows writes over them.

What it never includes is a file that was correctly encrypted and whose original was genuinely overwritten. That file is gone, and no laboratory on earth will get it back.

// the transferable bit

What to take from this.

If ransomware hits, what you do next decides how much comes back.

01

Isolate the machine.

Pull the network cable. It spreads across shares.

02

Do not reboot.

Some strains encrypt in stages, and a reboot can complete a job that was half done.

03

Do not delete the ransom note.

It identifies the strain, and the strain decides whether a free decryptor exists.

04

Above all: stop using the machine.

The deleted originals are the single largest source of recovery, and they survive only until something overwrites them. Every minute the computer runs, Windows is writing something.

And afterwards: the backup that failed here failed because there wasn't one. The backup that usually fails is the one that was mapped — ransomware encrypts anything it can write to. A permanently connected backup drive is not a backup. It is a second copy of the problem.

// read next

Related.

// your turn

Lost something that matters? Free diagnosis, a fixed price, and no fix, no fee.

Drop the drive at our Quayside reception, or post it to us — it costs nothing to find out what happened. You get a written figure from the fixed bands before any work begins.