Rossmann Repair Group
Ransomware Incident Support

Ransomware Data Recovery

Your files are encrypted. Your backups are encrypted. We create forensically-sound images and recover whatever was not encrypted: shadow copies, deleted files, partial backups, and fragments.

Write-Blocked Imaging
Chain of Custody
Free Evaluation

What We Do and Do Not Do

We do: Create forensic images, recover unencrypted files, extract shadow copies, provide chain of custody documentation.

We do not: Pay ransoms, negotiate with attackers, or promise decryption of encrypted files.

What We Can Recover From a Ransomware Attack

Ransomware is not magic. It encrypts files, but it often misses things. Here is what we look for:

Unencrypted Files

Some ransomware variants skip certain file types, large files, or files in specific directories. We scan the entire disk for anything that was missed.

Shadow Copies

Windows creates automatic backups called Volume Shadow Copies. Ransomware tries to delete these, but the deletion often fails or is incomplete. We extract whatever remains.

Deleted File Recovery

Some ransomware encrypts a copy and deletes the original. If the original data was not overwritten, we can recover it from the raw disk sectors.

Partial Backup Files

Large backup archives may be only partially encrypted. We can sometimes extract usable data from the unencrypted portions of backup files.

Database Fragments

Databases often have transaction logs, temporary files, and older versions scattered across the disk. We search for recoverable database content.

Known Decryption Keys

Some older ransomware variants have had their keys published by security researchers or law enforcement. We check if your variant has known decryption available.
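For the partial-backup case described above, one way to locate regions of a large file that were left unencrypted is to measure byte entropy window by window. This is an added example, not the company's tooling. The 64 KiB window, the 7.5 bits/byte threshold, and the sample file are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

CHUNK = 64 * 1024   # window size in bytes (assumption; tune per case)
THRESHOLD = 7.5     # bits/byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def low_entropy_regions(path, chunk=CHUNK, threshold=THRESHOLD):
    """Return merged (start, end) byte ranges whose entropy is below threshold."""
    regions = []
    with open(path, "rb") as f:  # read-only: work on a copy of the image
        offset = 0
        while True:
            block = f.read(chunk)
            if not block:
                break
            if shannon_entropy(block) < threshold:
                end = offset + len(block)
                if regions and regions[-1][1] == offset:
                    regions[-1] = (regions[-1][0], end)  # extend adjacent range
                else:
                    regions.append((offset, end))
            offset += len(block)
    return regions

def build_sample(path):
    """Constructed sample: random head and tail stand in for ciphertext."""
    row = b"INSERT INTO invoices VALUES (1, 'constructed row');".ljust(63) + b"\n"
    with open(path, "wb") as f:
        f.write(os.urandom(2 * CHUNK))           # "encrypted" header
        f.write(row * (3 * CHUNK // len(row)))   # untouched plaintext body
        f.write(os.urandom(CHUNK))               # "encrypted" trailer

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "backup.sample")
    build_sample(sample)
    for start, end in low_entropy_regions(sample):
        print(f"candidate plaintext: bytes {start}-{end}")
```

Compressed data also scores near 8 bits/byte, so a high-entropy window is not proof of encryption; the low-entropy ranges are candidates for carving, not a verdict on the rest of the file.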

Our Forensic Imaging Process

1. Write-Blocked Connection

We connect your drive through a hardware write-blocker. This prevents any changes to the original media, preserving evidence integrity for law enforcement or legal proceedings.

2. Bit-for-Bit Image Creation

We create a complete sector-by-sector image of the drive using PC-3000 professional imaging hardware. This captures everything, including deleted files and unused space.

3. Analysis and Recovery

Working from the image (never the original), we search for unencrypted files, shadow copies, deleted data, and backup fragments. We extract everything recoverable.

4. Documentation and Delivery

We provide you with the recovered files, the forensic image (if requested), and chain of custody documentation. Your security team can then work on decryption attempts using the image.

Before You Send the Drive

Do not run any cleanup or antivirus tools

Cleanup tools may delete encrypted files, ransom notes, or evidence that could help with decryption or investigation. Leave the drive exactly as it is.

Document the ransom note

Take screenshots or photos of the ransom note before you do anything else. Include the ransomware name, file extension used, and any contact information displayed. This helps identify the variant.

Contact law enforcement

The FBI IC3 (ic3.gov) tracks ransomware attacks and may have information about your specific variant. Law enforcement has obtained decryption keys through investigations and makes them available to victims.

Tell us what we are working with

When you contact us, include: the ransomware name (if known), the encrypted file extension, what data you need most urgently, and whether you have any working backups at all.

Pricing

Ransomware recovery uses our standard data recovery pricing for imaging and file extraction.

Forensic Imaging + Recovery

$300 - $1,500

Write-blocked imaging, shadow copy extraction, deleted file recovery, and unencrypted file recovery.

Chain of Custody Documentation

Included

Documentation of handling, imaging process, and custody transfer for legal or law enforcement purposes.

RAID / Multi-Drive

Contact Us

Server arrays and multi-drive systems are priced per drive plus array reconstruction. Call to discuss your situation.

Evaluation

Free

We assess what can be recovered and provide a firm quote before any paid work begins.

Frequently Asked Questions

Can you decrypt my ransomware-encrypted files?

We do not pay ransoms or negotiate with attackers. What we do is create forensically-sound images of your drives so your security team or law enforcement can work on decryption safely without risking further damage to the original media. In some cases, older ransomware variants have known decryption keys; we can check if yours is one of them.

What exactly do you do for ransomware cases?

We create bit-for-bit images of affected drives using write-blocked imaging to preserve evidence. We recover any unencrypted files, deleted files that were not overwritten, shadow copies, and backup fragments. We provide these images and recovered files to you or your incident response team.

Our backups were encrypted too. Can you help?

Possibly. Ransomware often does not fully encrypt large backup files or may miss files in unexpected locations. We examine the raw disk for partial files, older versions in shadow copies, and backup fragments that the ransomware did not reach. Send in the drives for evaluation.

Will your process preserve evidence for law enforcement?

Yes. We use write-blocked imaging that does not modify the original drive. We can provide chain of custody documentation if you are working with law enforcement or need documentation for legal purposes.

How much does ransomware recovery cost?

Standard imaging and file recovery pricing applies: $300-$1,500 depending on drive size and condition. If you need formal chain of custody documentation or expedited service, there may be additional fees. Evaluation is free.

Should I pay the ransom?

We cannot advise you on this; it is a business decision with legal, ethical, and practical considerations. What we can tell you is that paying does not guarantee you will get your data back, and it funds criminal operations. Contact law enforcement and your cybersecurity team before making any decisions.

Ransomware attack? We can help.

Forensic imaging and recovery of unencrypted data. Free evaluation. Chain of custody documentation available.