Call us — 0141 404 0294
Mon–Fri · 9am–5:30pm · No fix, no fee
Start a free diagnostic →
Service · ransomware

Ransomware recovery: the playbook, reversed.

Every ransomware strain runs roughly the same script: find the files, encrypt copies, delete your originals, purge the shadow copies, drop the note. The useful secret of ransomware data recovery is that each of those steps is sloppier than it looks — and each kind of sloppiness is a door back in. Our job is walking the attack backwards, step by step, without a penny crossing to the attacker.

25 years’ experience
In-house, never outsourced
No recovery, no fee · most jobs
// step zero

Contain it, keep the evidence.

Before any recovery: unplug infected machines from the network — ransomware hunts mapped drives and NAS shares hungrily — and resist every cleanup instinct. The note, the renamed files and the malware itself identify the strain, and the strain decides the whole plan. Wiping, reinstalling or letting an antivirus “remove the threat” destroys the map while the territory is still lost.

Report it too — Police Scotland on 101 and the NCSC both want to know — then get the affected drives to the bench powered off, with a photo of the ransom note if the screen still shows it.

// reversing it

Each attack step leaks a way back.

They encrypted copies and deleted your originals — so on hard drives especially, this is partly a deleted-file recovery against the clock, and the originals frequently survive beneath the surface. They purged shadow copies — but the purge is often partial, missed on some volumes, or blocked on NAS snapshots entirely; Synology and QNAP snapshots regularly outlive a full-share encryption. They encrypted in a hurry — many strains touch only the first megabytes of large files, leaving video, databases and archives partially rebuildable.

And they identified themselves — the note and file extensions name the strain, and where researchers have already broken that strain, a working free decryptor exists through efforts like No More Ransom. Checking is always step one, because it turns a recovery job into a decryption job at no risk.

// the discipline

Images first, promises never.

All of it happens on forensic images, never on your disks — some strains booby-trap their own wreckage, and a wrong move on the original converts recoverable into gone. For businesses hit across a server or RAID, every member is imaged individually and the array rebuilt virtually before the encrypted volume is even assessed.

Two lines we hold absolutely. We never pay or negotiate — payment funds the next campaign, marks you as a payer, and delivers working keys far less often than the note promises. And we never claim to decrypt what cannot be decrypted: properly implemented modern encryption does not fall to effort, and any outfit guaranteeing otherwise is either bluffing or quietly paying criminals with your money.

// after

What going home looks like.

The recovered set is assembled from every door that opened — decryptor output, undeleted originals, snapshots, partial files, backups you thought were dead — verified, deduplicated and delivered on encrypted media, with a plain-English account of what came from where and what stayed lost. If insurers or investigators need the detail, the imaging and chain of custody stand up to them.

// the number

The number, before any work.

Single drives are £300 + VAT; servers, RAID arrays and NAS units start at £500 + VAT and are quoted to the job, since every member disk is imaged individually first. Everything starts with a free diagnostic, the figure goes in writing before work begins, and on most jobs nothing is owed unless the data comes back. No hourly meter, no evaluation fee, no percentage of what the files are worth.

// questions

Questions we hear every week.

Our advice is a firm no. Payment is unreliable — broken decryptors, partial keys and repeat extortion are all routine — it funds the next attack, and depending on the group behind the strain it can create legal exposure. Let the free assessment show what recovery achieves first; most victims need far less of the attacker than the note claims.

If researchers have broken the strain, yes — via a genuine decryptor, and we check that first. If they haven’t, nobody honest can: sound modern encryption cannot be brute-forced. Recovery then comes from everything the attack missed — deleted originals, surviving snapshots, partial files, backups — which in practice recovers far more than people fear.

Often the opposite. NAS snapshots — btrfs on Synology, similar on QNAP — live outside the shares the malware could reach, and frequently survive intact even when every visible folder is scrambled. Power the box down, stop all “repairs”, and send the disks; checking those snapshots is one of the first things we do.

The assessment is free and the figure is fixed in writing before paid work. A single encrypted drive follows the £300 + VAT band; servers, arrays and NAS units are quoted to the job from £500 + VAT because every disk is imaged first. No payment ever goes to attackers, and no fee applies on most jobs if nothing comes back.

UK-wide — drop drives at Tay House on Bath Street or send them by insured, tracked post from anywhere in the country, powered off. Everything is worked in-house by our own engineers and your data never leaves the UK, which tends to matter to the same people ransomware matters to.

Yes — ransomware recovery services run UK-wide from Glasgow, by insured post or drop-off. Servers, NAS units and single machines are all handled in-house, and nothing is outsourced or sent abroad.

Sometimes, and it is always worth checking before anyone considers paying. Recovery works from what the malware left behind rather than from its keys: shadow copies, unencrypted originals in unallocated space, partially processed files, and snapshots the attacker missed.

// getting it here

Getting it to Glasgow.

Two honest routes, no vans. Hand the device in at Tay House, 300 Bath Street — right at Charing Cross, two minutes off the M8 — Monday to Friday, 9am–5:30pm. Or wrap it well and send it by insured, tracked post from anywhere in the UK. The work is done in-house by our own engineers, with a documented chain of custody, and your data never leaves the UK.

// ready

Note on the screen? Stop, unplug, call.

The attack followed a script, and so does the recovery — contain, identify, image, reverse. Ransomware data recovery for Glasgow and the whole UK, with no ransom paid and no false promises made.

0141 404 0294