Call us — 0191 406 1051
Mon–Fri · 9am–5:30pm · No fix, no fee
Start a free diagnostic →
/ home / services / ransomware
Specialist recovery · ransomware

Hit by ransomware? We help you recover.

Ransomware locks up your files and demands a payment — but paying is rarely the only way out, and often the worst. We pin down the strain, recover whatever can be recovered — decryptable variants, shadow copies, backups, unencrypted data — and preserve the lot for your insurer and investigators. It all begins with a free assessment of exactly what can be brought back, before you so much as consider paying.

From £300 + VAT
Strain identified first
Discreet & confidential
~ ransomware_2026-001 — live RECOVERED
$ bdr triage /dev/sdb
 Device: Dell PowerEdge (RAID 5)
 Status: RANSOMWARE — files encrypted (.locked)
 Strain: identified · known variant

$ bdr engineer-working
 Read-only image: taken · source preserved
 Shadow copies: located + extracted
 Decryptor: applied · known flaw

$ bdr verify
 ✓ databases — restored
 ✓ documents — 142,800 files
 ✓ data recovered — attacker unpaid
!

Don’t pay yet — and don’t wipe the machine.

The moment you spot ransomware, isolate the affected machines — pull them off the network and away from any backups so it can’t spread. Don’t reformat, rebuild or delete anything, and don’t rush to pay: payment never guarantees a working decryptor, and it funds more crime. Hang on to the ransom note and a few encrypted sample files, and talk to us — we identify the strain first, and some can be decrypted for free.

// how ransomware hits

What ransomware does to your data.

Modern ransomware does far more than scramble a few files — it spreads across drives, hunts down your backups, and targets the systems that keep your business running. These are the cases we see most.

// strains we recover from

Every major ransomware strain.

We pin down the exact family and variant from the ransom note and a few encrypted samples before touching anything else. For some strains a free or known decryptor exists; for the current big families the encryption simply can’t be broken — so we recover from shadow copies, backups and unencrypted data instead.

We have a solution for these strains — variant-dependent
STOP/DjvuPhobos8BaseDharmaCrySISGandCrabTeslaCryptBabukLockFileMalloxDoNexAvaddon
We have partial solutions for these strains — recovered another way
LockBitQilinAkiraPlayBlack BastaCl0pRansomHubMedusaBianLianRhysidaRoyal / BlackSuitConti

Strain identification always comes first — we check the No More Ransom project, run by Europol and police forces to publish free decryptors, alongside our own tools. Whatever the family, we tell you honestly what is recoverable before any work begins.

// systems we take on

Every system. Every platform.

We recover ransomware-hit data across every major operating system, server and NAS platform — Windows, macOS and Linux, and the virtual environments they run on. If ransomware reached it, the odds are we can help.

Windows 11Windows 10Windows 8.1Windows 7Windows Server 2025Windows Server 2022Windows Server 2019macOS TahoemacOS SequoiamacOS SonomamacOS VenturamacOS MontereyUbuntu / LinuxVMware ESXiHyper-VProxmoxSynology DSMQNAP QTSTrueNASRAID & NAS

Desktops, laptops and workstations · physical and virtual servers · NAS and SAN systems · current and older Windows, macOS and Linux versions.

// how the recovery runs

How recovery works after ransomware.

Our approach to ransomware rests on a single idea: get your data back without funding the attacker. This is specialist work, and it starts the same way every time — identify the strain, and never pay blind. We preserve everything as evidence, work only on read-only copies, and recover through every route available: decryptors, shadow copies, backups and unencrypted data.

01

Assessment & strain ID

Tell us what happened. We work out the ransomware family from the note and a few encrypted samples, and check whether a working decryptor already exists.

02

Isolate & image read-only

We take forensic, read-only images of the affected drives and work only on those copies, keeping the originals intact as evidence.

03

Map the recovery routes

We weigh up every route: a known decryptor, Windows shadow copies, offline or cloud backups, unencrypted remnants, and file carving.

04

Recover around it

A handful of old or broken strains have a published decryptor, and where one exists we use it. For anything modern — LockBit, Akira, BlackCat — nobody can decrypt the files, and that includes us. The encryption is AES-256 with an RSA-wrapped key, and it isn’t going to be broken. What we do instead is recover around the encryption: deleted originals the malware missed, shadow copies, partially-encrypted files, and anything still readable on the disk.

05

Recover your data

We extract and rebuild your files, databases and virtual machines, starting with whatever your business needs back online soonest.

06

Verify & report

We send you a list of everything recovered; you check it over, and the data is copied to a fresh external drive.

07

Secure return

Your recovered data comes back on fresh media, or by secure transfer for smaller volumes, ready to restore your systems.

// what we recover from

Encrypted. Recovered.

We bring back ransomware-hit data from servers, NAS, RAID arrays, virtual machines and workstations — identifying the strain, preserving the evidence, and recovering through every route that’s open.

All systems
servers, NAS, RAID, PCs
Read-only
source preserved
Strain ID
decryptor checked
Written quote
before any work
Evidence
kept for insurers
25 yrs
Recovering data
// get a custom quote

Request a written quote

Tell us what happened and we’ll get back to you, usually within a working day.

Prefer to call? 0191 406 1051 · Mon–Fri 9am–5:30pm

// pricing

Plain, fixed pricing.

No hidden charges and no hard sell — just a quote in writing before any work begins.

Ransomware recovery
From £300 + VAT
A fixed fee per drive, from £300 + VAT for a one-disk system. Larger and multi-disk systems are quoted per case.
  • Strain identified and quoted first
  • Written quote before any work begins
  • Evidence preserved for your insurer
// jobs off the bench

Ransomware attacks, brought back.

A handful of recent ransomware recoveries across servers, NAS and workstations. Identifying details removed, specifics kept deliberately vague.

// CASE 2026-040recovered
Dell PowerEdgeRAID 5 serverEncrypted

Server encrypted overnight, with mapped backups hit too.

The strain had a known weakness. We imaged every disk read-only, ran a decryptor, and restored the databases and file shares in full.

// CASE 2026-033recovered
Synology NASRAID 6 NASShadow copies

NAS reached over a mapped drive — snapshots saved it.

The ransomware couldn’t reach the NAS’s own snapshots. We recovered the protected versions along with the unencrypted remainder, in full.

// CASE 2026-026recovered
Windows PCWorkstationStrong encryption

Workstation hit by a strain with no decryptor.

Direct decryption was off the table, so we recovered from shadow copies and an old offline backup, plus unencrypted file fragments.

// getting it to us

Two easy steps.

Send the device in for its free diagnostic and tell us briefly what happened; an engineer reviews it and confirms your exact quote in writing before anything starts.

1

Send us your device

Getting your data back begins with getting the device to us. Pack it up safely, pop your contact details inside, and send it over — once we’ve run the free diagnostic, we’ll confirm your exact price in writing before any work starts.

How to pack it
  • Box the device up in a small, sturdy carton or a padded envelope.
  • You can leave out caddies, cables and power supplies — none of them are needed for the recovery.
  • Pop your details inside — name, address, phone and email, on a slip of paper or via our shipping form — and seal it up.
Post toNewcastle Data Recovery
Rotterdam House, 116 Quayside
Newcastle NE1 3DY
Shipping formPDF · print & include with your devicePDF ↓

Posting it? A tracked, insured service is what we’d recommend. Rather drop it in? You’re welcome Monday to Friday, 9am to 5:30pm — just package the device up as above first.

2

Need more information?

Want a bit more detail first? Fill in the form with more about your issue and an engineer will review it and send you a custom quote.

An engineer reviews every enquiry personally — we usually reply within 30 minutes during the day. Prefer to call? 0191 406 1051.

Thanks — your message is in.

We’ll be in touch shortly. If it’s urgent, call 0191 406 1051.

// questions

Ransomware recovery, answered.

The things people most often ask us after a ransomware attack.

Often, yes — though it depends on the strain. Some ransomware can be decrypted, and where it can’t, we usually recover the data another way: from Windows shadow copies, offline or cloud backups, and unencrypted remnants left on the drive. An assessment tells you what’s realistic.

We’d always say get an assessment first. Paying never guarantees a working decryptor, marks you as willing to pay again, and funds further attacks. In many cases we recover the data with no payment to the attacker at all.

Sometimes directly — a number of strains have known flaws or published keys that let us decrypt for free. Where the encryption is strong and unbroken, direct decryption isn’t possible, so we focus on recovering your data from backups, shadow copies and unencrypted fragments instead.

Frequently, yes. Ransomware often misses offline or off-site backups, NAS snapshots it can’t reach, and Windows shadow copies. Even where backups were hit, we can often recover earlier versions and unencrypted data. Stop using the systems and call us before anything’s overwritten.

We start by identifying the family from the ransom note and a few encrypted samples, then check whether a decryptor exists — including the free tools published through the No More Ransom project. Whatever the strain, we look at every recovery route, not just decryption.

Yes — encrypted servers, virtual machines, NAS units and RAID arrays are a speciality. We image every disk, rebuild the array where needed, and recover databases, mailboxes and file shares.

Completely. Ransomware cases are handled discreetly, and we’re happy to work under a non-disclosure agreement. Your data — and the fact you were attacked — stays between us.

We normally charge a fixed fee per drive, starting at £300 + VAT for a one-disk system. Ransomware recovery is then quoted per case, since the cost depends on the strain, the volume of data and the systems involved. You get a written quote before any work begins, with no surprises.

Drop drives off at our Newcastle location Monday to Friday, 9am to 5:30pm, or post them to us fully insured. For servers and NAS, remove the drives and send them labelled with their order or bay number. Include your contact details so we can book it in, and we’ll assess it before any work begins.

Protection is unglamorous: offline or versioned backups the malware can’t reach, patched systems, and a healthy scepticism about attachments. If it’s already struck — disconnect the machine from the network, don’t wipe and reinstall over the only copies, and don’t rush to pay. Bring the drives in: between shadow copies, backup archaeology and unencrypted remnants, there’s often more recoverable than the ransom note claims, and the free diagnostic tells you honestly what’s there before any decision.

Yes — this is common, and our engineers work alongside your insurer and any incident-response or breach team they appoint, rather than around them. Because we take read-only forensic images and work only on copies, nothing we do contaminates the evidence your insurer or investigators need — and we can document the strain, the affected systems and exactly what was recovered, for your claim. If you have cyber insurance, tell us early: some policies require an approved provider or specific steps, and we’ll fit around them.

// hit by ransomware?

Don’t pay yet — let us assess what’s recoverable.

The strain identified first, a written quote, and ransomware recovery from servers, NAS and workstations — with evidence preserved for your insurer. Talk to us today.