Ransomware locks up your files and demands a payment — but paying is rarely the only way out, and often the worst. We pin down the strain, recover whatever can be recovered — decryptable variants, shadow copies, backups, unencrypted data — and preserve the lot for your insurer and investigators. It all begins with a free assessment of exactly what can be brought back, before you so much as consider paying.
$ bdr triage /dev/sdb → Device: Dell PowerEdge (RAID 5) → Status: RANSOMWARE — files encrypted (.locked) → Strain: identified · known variant $ bdr engineer-working → Read-only image: taken · source preserved → Shadow copies: located + extracted → Decryptor: applied · known flaw $ bdr verify → ✓ databases — restored → ✓ documents — 142,800 files → ✓ data recovered — attacker unpaid
The moment you spot ransomware, isolate the affected machines — pull them off the network and away from any backups so it can’t spread. Don’t reformat, rebuild or delete anything, and don’t rush to pay: payment never guarantees a working decryptor, and it funds more crime. Hang on to the ransom note and a few encrypted sample files, and talk to us — we identify the strain first, and some can be decrypted for free.
Modern ransomware does far more than scramble a few files — it spreads across drives, hunts down your backups, and targets the systems that keep your business running. These are the cases we see most.
We pin down the exact family and variant from the ransom note and a few encrypted samples before touching anything else. For some strains a free or known decryptor exists; for the current big families the encryption simply can’t be broken — so we recover from shadow copies, backups and unencrypted data instead.
Strain identification always comes first — we check the No More Ransom project, run by Europol and police forces to publish free decryptors, alongside our own tools. Whatever the family, we tell you honestly what is recoverable before any work begins.
We recover ransomware-hit data across every major operating system, server and NAS platform — Windows, macOS and Linux, and the virtual environments they run on. If ransomware reached it, the odds are we can help.
Desktops, laptops and workstations · physical and virtual servers · NAS and SAN systems · current and older Windows, macOS and Linux versions.
Our approach to ransomware rests on a single idea: get your data back without funding the attacker. This is specialist work, and it starts the same way every time — identify the strain, and never pay blind. We preserve everything as evidence, work only on read-only copies, and recover through every route available: decryptors, shadow copies, backups and unencrypted data.
Tell us what happened. We work out the ransomware family from the note and a few encrypted samples, and check whether a working decryptor already exists.
We take forensic, read-only images of the affected drives and work only on those copies, keeping the originals intact as evidence.
We weigh up every route: a known decryptor, Windows shadow copies, offline or cloud backups, unencrypted remnants, and file carving.
A handful of old or broken strains have a published decryptor, and where one exists we use it. For anything modern — LockBit, Akira, BlackCat — nobody can decrypt the files, and that includes us. The encryption is AES-256 with an RSA-wrapped key, and it isn’t going to be broken. What we do instead is recover around the encryption: deleted originals the malware missed, shadow copies, partially-encrypted files, and anything still readable on the disk.
We extract and rebuild your files, databases and virtual machines, starting with whatever your business needs back online soonest.
We send you a list of everything recovered; you check it over, and the data is copied to a fresh external drive.
Your recovered data comes back on fresh media, or by secure transfer for smaller volumes, ready to restore your systems.
We bring back ransomware-hit data from servers, NAS, RAID arrays, virtual machines and workstations — identifying the strain, preserving the evidence, and recovering through every route that’s open.
Tell us what happened and we’ll get back to you, usually within a working day.
We’ll be in touch shortly. If it’s urgent, call 0191 406 1051.
No hidden charges and no hard sell — just a quote in writing before any work begins.
A handful of recent ransomware recoveries across servers, NAS and workstations. Identifying details removed, specifics kept deliberately vague.
The strain had a known weakness. We imaged every disk read-only, ran a decryptor, and restored the databases and file shares in full.
The ransomware couldn’t reach the NAS’s own snapshots. We recovered the protected versions along with the unencrypted remainder, in full.
Direct decryption was off the table, so we recovered from shadow copies and an old offline backup, plus unencrypted file fragments.
Send the device in for its free diagnostic and tell us briefly what happened; an engineer reviews it and confirms your exact quote in writing before anything starts.
Getting your data back begins with getting the device to us. Pack it up safely, pop your contact details inside, and send it over — once we’ve run the free diagnostic, we’ll confirm your exact price in writing before any work starts.
Posting it? A tracked, insured service is what we’d recommend. Rather drop it in? You’re welcome Monday to Friday, 9am to 5:30pm — just package the device up as above first.
Want a bit more detail first? Fill in the form with more about your issue and an engineer will review it and send you a custom quote.
We’ll be in touch shortly. If it’s urgent, call 0191 406 1051.
The things people most often ask us after a ransomware attack.
Often, yes — though it depends on the strain. Some ransomware can be decrypted, and where it can’t, we usually recover the data another way: from Windows shadow copies, offline or cloud backups, and unencrypted remnants left on the drive. An assessment tells you what’s realistic.
We’d always say get an assessment first. Paying never guarantees a working decryptor, marks you as willing to pay again, and funds further attacks. In many cases we recover the data with no payment to the attacker at all.
Sometimes directly — a number of strains have known flaws or published keys that let us decrypt for free. Where the encryption is strong and unbroken, direct decryption isn’t possible, so we focus on recovering your data from backups, shadow copies and unencrypted fragments instead.
Frequently, yes. Ransomware often misses offline or off-site backups, NAS snapshots it can’t reach, and Windows shadow copies. Even where backups were hit, we can often recover earlier versions and unencrypted data. Stop using the systems and call us before anything’s overwritten.
We start by identifying the family from the ransom note and a few encrypted samples, then check whether a decryptor exists — including the free tools published through the No More Ransom project. Whatever the strain, we look at every recovery route, not just decryption.
Yes — encrypted servers, virtual machines, NAS units and RAID arrays are a speciality. We image every disk, rebuild the array where needed, and recover databases, mailboxes and file shares.
Completely. Ransomware cases are handled discreetly, and we’re happy to work under a non-disclosure agreement. Your data — and the fact you were attacked — stays between us.
We normally charge a fixed fee per drive, starting at £300 + VAT for a one-disk system. Ransomware recovery is then quoted per case, since the cost depends on the strain, the volume of data and the systems involved. You get a written quote before any work begins, with no surprises.
Drop drives off at our Newcastle location Monday to Friday, 9am to 5:30pm, or post them to us fully insured. For servers and NAS, remove the drives and send them labelled with their order or bay number. Include your contact details so we can book it in, and we’ll assess it before any work begins.
Protection is unglamorous: offline or versioned backups the malware can’t reach, patched systems, and a healthy scepticism about attachments. If it’s already struck — disconnect the machine from the network, don’t wipe and reinstall over the only copies, and don’t rush to pay. Bring the drives in: between shadow copies, backup archaeology and unencrypted remnants, there’s often more recoverable than the ransom note claims, and the free diagnostic tells you honestly what’s there before any decision.
Yes — this is common, and our engineers work alongside your insurer and any incident-response or breach team they appoint, rather than around them. Because we take read-only forensic images and work only on copies, nothing we do contaminates the evidence your insurer or investigators need — and we can document the strain, the affected systems and exactly what was recovered, for your claim. If you have cyber insurance, tell us early: some policies require an approved provider or specific steps, and we’ll fit around them.
The strain identified first, a written quote, and ransomware recovery from servers, NAS and workstations — with evidence preserved for your insurer. Talk to us today.