Ransomware Data Recovery & Forensic Investigation


Gillware Digital Forensics offers ransomware data recovery and investigation services for anybody suffering from file-encrypting viruses. Our goal is to restore as much of your encrypted data as possible without having to pay the people holding your data for ransom. If traditional recovery is not possible, you can choose to let us assist with the payment and decryption of the data if you do not feel comfortable doing so. We will provide comprehensive documentation of the event for your insurance adjuster. We also investigate how your system became infected and provide you with advice on how to prevent future intrusions, among other services.


What Is Ransomware?

Ransomware is a particularly insidious form of malware. As the name suggests, ransomware takes your data and holds it for ransom by encrypting it. These viruses are programmed to seek out files with specific extensions (and to leave the operating system's own files alone, so that the machine still boots and can display the ransom note). Common file types such as JPEGs, Word and Excel documents, Photoshop project files, and database files are among the many affected. Affected files will usually have a new extension appended to their names, such as “.CRYPTED”, “.VAULT”, or “.LOCKED”.

The majority of ransomware viruses encrypt files with AES, typically with a key that is generated on the victim's machine and then itself encrypted with a public key held only by the attackers. AES cannot be brute-forced; if the key was generated and handled correctly, the only way to get the files back without a backup is to obtain the key from the attackers, which usually means paying and hoping they honor their end of the bargain. Some ransomware viruses, however, cheat. They use weaker ciphers, leave the key where it can be found, or misuse a strong cipher in a way that leaks it, and those weaknesses can be leveraged to recover the files without paying. For example, the now-defunct cryptovirus TeslaCrypt claimed to use a much stronger form of encryption than it actually used, and its key handling left enough material on the victim's own machine that Talos was able to develop decryptor software for TeslaCrypt victims.
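To make that difference concrete, here is an added example of the kind of weakness a recovery team can exploit when a cryptovirus “cheats”. It is not Gillware's tooling and is not modelled on any real family: it assumes a hypothetical family that XORs every file with one short repeating key and appends “.LOCKED” to the name, and the file names, contents and key are all constructed for the example. Because ciphertext XOR plaintext equals the key stream, the known leading bytes of a PNG or PDF are enough to recover the whole key and then verify it against every other file:

```python
import os
from typing import Dict, Optional

# Leading bytes ("magic") of common file types.  Even when a file has been
# encrypted, the analyst knows what these first bytes used to be.
KNOWN_HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}

LOCKED_EXT = ".LOCKED"  # assumed extension appended by the hypothetical family


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a short key repeated across the whole buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_lock(files: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """Simulate the hypothetical ransomware: XOR every file with the one key
    and append the ransom extension to its name."""
    return {name + LOCKED_EXT: xor_repeating(data, key) for name, data in files.items()}


def _original_name_and_header(locked_name: str):
    original = locked_name[: -len(LOCKED_EXT)] if locked_name.endswith(LOCKED_EXT) else locked_name
    return original, KNOWN_HEADERS.get(os.path.splitext(original)[1].lower())


def _key_fits_all(locked: Dict[str, bytes], key: bytes) -> bool:
    """Accept a candidate key only if every file of a known type decrypts
    to its expected header."""
    for name, data in locked.items():
        _, header = _original_name_and_header(name)
        if header is not None and xor_repeating(data[: len(header)], key) != header:
            return False
    return True


def recover_key(locked: Dict[str, bytes], max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack on a repeating XOR key.

    Ciphertext XOR plaintext is the key stream, so any file whose known
    header is at least key_len bytes long leaks the whole key.  The key
    length is unknown, so every length up to max_key_len is tried and the
    first candidate that decrypts all known-type files is returned.
    """
    for key_len in range(1, max_key_len + 1):
        for name, data in locked.items():
            _, header = _original_name_and_header(name)
            if header is None or len(header) < key_len:
                continue
            candidate = bytes(c ^ p for c, p in zip(data[:key_len], header[:key_len]))
            if _key_fits_all(locked, candidate):
                return candidate
    return None  # no known-type file long enough, or the scheme is not repeating XOR


def unlock_all(locked: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """Decrypt every locked file and restore its original name, refusing
    any file whose header does not check out after decryption."""
    recovered = {}
    for name, data in locked.items():
        original, header = _original_name_and_header(name)
        plain = xor_repeating(data, key)
        if header is not None and not plain.startswith(header):
            raise ValueError(f"{original}: header mismatch, key is wrong")
        recovered[original] = plain
    return recovered


# Constructed sample "documents" for the demonstration; not real files.
SAMPLE_FILES = {
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(range(40)),
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00word/document.xml",
}
ATTACKER_KEY = b"\x5a\xc3\x11\x7e\x08\x99\xf0\x2d"  # never seen by the victim


def demo():
    """Lock the samples, recover the key from headers alone, unlock them."""
    locked = weak_lock(SAMPLE_FILES, ATTACKER_KEY)
    key = recover_key(locked)
    return key, unlock_all(locked, key)


if __name__ == "__main__":
    key, files = demo()
    print("recovered key:", key.hex())
    for name, data in files.items():
        print(name, "ok" if data == SAMPLE_FILES[name] else "MISMATCH")
```

Properly used AES offers no such foothold: knowing a file's first bytes and their ciphertext reveals nothing about the key, because every output byte depends on the whole key through the cipher's rounds. The families that have been defeated were beaten by implementation mistakes of this general kind (weak ciphers, keys left on disk, predictable random number generators), not by breaking AES.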

Ransomware can spread just like any other kind of virus or malware. Browsing shady websites or opening suspicious email attachments can give a ransomware virus the opening it needs to infect your system. For years, hackers have compromised their victims by sending emails posing as a relative, a co-worker or sysadmin, a business partner, or a legal official and asking them to download and open an email attachment.


Why Is Ransomware So Prevalent Today?

There are five factors that have contributed to the proliferation of ransomware. Computer hacking, of course, has been around as long as there have been computers. But it wasn’t until these five factors all came together, all within the past few years, that ransomware really took off.

1. The Growth of the Internet

Ransomware exists because the Internet has become huge. Just about everybody, save for maybe your 90-year-old grandma or your kooky survivalist uncle, has an ever-increasing web footprint. This has given computer-savvy ne’er-do-wells around the world even more access points to attack individuals and businesses. For well over a decade, scammers in third-world nations have made entire careers out of defrauding people in the first world. In the early days of the Internet, the world wide web allowed these scammers to reach even more victims. Now, with the Web as huge as it is, holding a user’s files for ransom has become much more profitable than inventing a sob-story about a Nigerian prince.

2. The Rise of Bitcoins

The creators of Bitcoin and its early adopters envisioned Bitcoin as a form of wholly-digital currency. Bitcoin is not backed by gold or any other precious substance. Nor is it backed by the full faith and credit of any government. Bitcoin’s value is highly volatile, but seems to have stabilized recently. Its greatest value is that it is “cryptocurrency”: decentralized, impossible to counterfeit, and pseudonymous. Every transaction is recorded on a public ledger, but an address is just a number, and tying it to a person is hard unless the coins pass through an exchange that knows its customers. While Bitcoin can be used and is used for legitimate transactions, that relative anonymity makes it ideal for the world’s more unsavory transactions. Compared to, say, Western Union or wire transfers, there is no bank or agent in the middle who knows the malefactor’s identity or location.

3. Improvements in 256-Bit Encryption

Over the past few years, computers have gotten extremely good at encrypting data. 256-bit encryption has become so cheap that many SSDs you can buy today (and every modern model of iPhone) encrypt their contents by default, and you would never notice the overhead. It takes a handful of milliseconds to turn a typical Word document into encrypted garbage, and a few seconds to encrypt every Word document on a machine. And while computers have made great strides in encrypting data quickly, they have made next to no progress in forcibly decrypting that data. According to an EETimes article, brute-forcing a single 128-bit AES key would take a supercomputer one billion billion (one quintillion) years. This is orders of magnitude longer than the age of the universe.

4. The Dark Web and Onion Browsers

The deep web is the surprisingly vast portion of the Internet not indexed by search engines. The dark web is the part of it reachable only through anonymity networks such as Tor. Tor’s “onion routing” wraps each connection in layers of encryption and bounces it through several relays, so that no single relay knows both who the user is and what they are visiting; users can browse the ordinary web, reach hidden services, and message peers under that veil of anonymity. Because of that anonymity, the dark web hosts black markets for all sorts of illicit goods and services, and savvy programmers can sell their ransomware to interested parties without ever revealing themselves. The growth and proliferation of the dark web has made it even easier for hackers to obtain the tools to launch massive ransomware attacks.

5. Profit Motive

Finally, ransomware has taken off because it rakes in the dough. In the US alone, the CryptoWall virus cost its victims over $18 million in a single year. According to a June 2016 article in TechInsider, individual cybercriminals can each make over $7,500 per month in ransom payments. If you’re a hacker in Russia, where the average monthly salary is around $500, being or working for a ransomware boss has its obvious advantages. It is hard to calculate exact figures on how much money flows into ransomware hackers’ pockets. This is mainly because many people affected by these attacks are understandably embarrassed about it and would prefer to keep mum about whether or not they paid the ransom to get their files back. At any rate, online malefactors have found ransomware to be a great way to make a lot of money with little investment.


Common Variants of Ransomware

This is a brief, and nowhere near exhaustive, list of some common ransomware viruses.

[Image: a portion of the CryptoWall 3.0 ransom note, one of the cryptoviruses our ransomware data recovery technicians frequently have to contend with. The note claims that “the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever”.]

CryptoWall 3.0

The CryptoWall virus is one of the many copycat cryptoviruses that sprang up after the original CryptoLocker became defunct. CryptoWall 3.0 encrypts its victims’ files with AES-256 in CBC mode. The later CryptoWall 4.0 also encrypts the names of the victims’ files, not just their contents, so the victim cannot even tell which files were lost.


CTB-Locker

CTB-Locker (Curve-Tor-Bitcoin) uses the Tor anonymity network to hide its payment and command-and-control sites. It will often “allow” the victim to decrypt two files (not of the victim’s choosing) for free, to encourage payment. There is also a popular variant of CTB-Locker that exclusively targets web servers.


Cerber

Like several other cryptoviruses, Cerber will ignore a potential victim’s files if the system’s locale places it in certain countries, but will infect users from any other country. This virus can also run a text-to-speech program and “speak” directly to the victim. Cerber adds the .CERBER file extension to any file it encrypts.


Crysis

After the TeslaCrypt virus fell, Crysis filled the void it left behind. One variant of Crysis appends “.centurion_legion@aol.com.xtbl” to affected files. Crysis sometimes demands that the victim email mailrepa.lotos@aol.com or goldman0@india.com to receive payment instructions.


This ransomware is unique in that the hackers will communicate directly with the victim via email. They will often offer the victim a “discount” on decryption. Like many cryptoviruses, its handlers appear to be based in Russia.


Resources for Prevention of and Response to Ransomware Attacks

Cindy Murphy, President of Gillware Digital Forensics, offers two guides on the prevention of and response to ransomware attacks. By consulting these guides, you can reduce your chances of losing data to ransomware and keep a level head in the event you become a victim:

Ransomware Prevention Guide

Ransomware Response Guide


Our Ransomware Data Recovery Services

The first goal of our ransomware data recovery services is, of course, to recover your data. The designers of cryptoviruses make this as difficult as possible. The majority of modern cryptoviruses delete the Volume Shadow Copies that Windows uses to keep previous versions of user files, usually as one of their first actions, so that the built-in Previous Versions feature cannot undo the encryption. In some situations the only unencrypted data that can be recovered is earlier or deleted versions of files that still exist in “unallocated” sectors of the disk. These survive when the ransomware writes an encrypted copy and deletes the original rather than overwriting it in place, which is also why an infected machine should be powered off and its disk imaged before anything else is written to it.
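The carving approach the paragraph describes, as an added example that is not Gillware's recovery tooling: a minimal header/footer carver run over a constructed disk image. The image layout, the file fragments and the filler standing in for encrypted data are all constructed for the example. A production carver such as PhotoRec or scalpel adds far more signatures, validates internal structure (PNG chunk CRCs, JPEG segment lengths), and scans sector-aligned offsets for speed, but the core idea is the same:

```python
import os
from typing import List, Optional, Tuple

# Header and footer signatures for a few types worth carving.  The PNG
# footer is the IEND chunk (type plus its fixed CRC), the JPEG footer the
# EOI marker, the PDF footer the "%%EOF" trailer.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer beyond this many bytes


def carve(image: bytes, max_size: int = MAX_CARVE) -> List[Tuple[str, int, Optional[bytes]]]:
    """Find every header in a raw image and pair it with the next footer of
    the same type.  A header with no footer within max_size is reported
    with data=None: the tail of the file was overwritten (often by the
    encrypted copy) or the file was larger than the window."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append((kind, pos, None))
                resume = pos + len(header)
            else:
                found.append((kind, pos, image[pos : end + len(footer)]))
                resume = end + len(footer)
            pos = image.find(header, resume)
    return sorted(found, key=lambda hit: hit[1])


def write_carved(hits, outdir: str) -> List[str]:
    """Write every complete hit to outdir, named by its byte offset."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for kind, offset, data in hits:
        if data is None:
            continue
        path = os.path.join(outdir, f"{offset:010x}.{kind}")
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


# Constructed fragments standing in for deleted files; not real images.
SECTOR = 512
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(200) + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(17)
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_PARTIAL_JPEG = b"\xff\xd8\xff\xe1" + bytes(100)  # EOI marker overwritten
# Deterministic filler standing in for encrypted data; contains no signature.
FILLER = bytes(range(256)) * 4


def _pad_to_sector(chunk: bytes) -> bytes:
    return chunk + bytes(-len(chunk) % SECTOR)


def build_sample_image() -> bytes:
    """Lay out a fake disk: an empty sector, a deleted JPEG, encrypted data,
    a deleted PNG, more encrypted data, then a JPEG whose tail was lost."""
    return (bytes(SECTOR)
            + _pad_to_sector(SAMPLE_JPEG)
            + FILLER
            + _pad_to_sector(SAMPLE_PNG)
            + FILLER
            + _pad_to_sector(SAMPLE_PARTIAL_JPEG))


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        status = "partial" if data is None else f"{len(data)} bytes"
        print(f"{kind} at offset {offset}: {status}")
```

On a real case you would run `carve` over the image read from disk (ideally memory-mapped, since images run to terabytes) and then triage the output: a carved JPEG that opens is a win, a “partial” hit tells you that region was overwritten after deletion, and a file that carves but will not open usually spans non-contiguous clusters and needs the file system metadata rather than signatures.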

If our data recovery efforts do not yield optimal results, paying the ransom may be the only way to retrieve your files. In these cases, we offer to communicate with the criminals and hand off the ransom money on your behalf. This is our last resort if every other attempt at data recovery fails. We make every effort to recover your data without paying the criminals a cent.

Data recovery is only half the battle. The other half of our ransomware data recovery services is helping you deal with your infection and prevent future attacks. We will investigate your infected devices to determine how the attacker managed to break into your system and offer advice on how to protect yourself from future intrusions. We will also work to determine whether or not the attackers left any other malware behind or stole any data before encrypting it.
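One artifact that investigation looks for is the moment the ransomware deleted the shadow copies, because it usually marks the start of encryption and the parent of that command is the malware to pull for analysis. The following added example (not Gillware's tooling) scans a tab-separated export of process-creation events for the well-known command lines that delete shadow copies and, going slightly beyond shadow copies, the related commands that delete Windows backups and disable startup repair. The event lines and the export format are constructed for the example; adapt parse_line to whatever your EDR or Sysmon export actually produces:

```python
import re
from typing import Dict, List

# Well-known ways ransomware removes shadow copies or otherwise inhibits
# recovery.  Patterns run against a lower-cased, whitespace-normalised
# command line, so spacing and capitalisation tricks do not evade them.
RULES = [
    ("vssadmin_delete_shadows", r"vssadmin(?:\.exe)?\b.*\bdelete shadows\b"),
    ("vssadmin_resize_shadowstorage", r"vssadmin(?:\.exe)?\b.*\bresize shadowstorage\b"),
    ("wmic_shadowcopy_delete", r"wmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("powershell_shadowcopy_delete",
     r"win32_shadowcopy\b.*(?:\.delete\(|remove-(?:wmiobject|ciminstance))"),
    ("wbadmin_delete_backups", r"wbadmin(?:\.exe)?\b.*\bdelete (?:catalog|systemstatebackup)\b"),
    ("bcdedit_disable_recovery",
     r"bcdedit(?:\.exe)?\b.*(?:recoveryenabled no|bootstatuspolicy ignoreallfailures)"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]

# Assumed column layout of the export; adjust for your own tooling.
FIELDS = ("time", "host", "user", "pid", "parent_image", "image", "command_line")


def normalise(command_line: str) -> str:
    return " ".join(command_line.split()).lower()


def parse_line(line: str) -> Dict[str, str]:
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} tab-separated fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def scan(lines) -> List[Dict[str, str]]:
    """Return every event whose command line matches a rule, tagged with
    the rule name.  Header rows, blank lines and malformed lines are skipped."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("time\t"):
            continue
        try:
            rec = parse_line(line)
        except ValueError:
            continue  # a real tool would log the malformed line
        cmd = normalise(rec["command_line"])
        for name, pattern in COMPILED:
            if pattern.search(cmd):
                hits.append({**rec, "rule": name})
                break
    return hits


def earliest(hits: List[Dict[str, str]]) -> Dict[str, str]:
    """The first recovery-inhibiting event bounds when encryption began."""
    return min(hits, key=lambda h: h["time"])


# Constructed process-creation events: a malicious Word attachment drops a
# payload, which then wipes recovery options.  The last line is a benign
# admin listing shadows hours later and must not be flagged.
SAMPLE_EVENTS = [
    ("2016-06-14T09:02:11Z", "WS-ACCT-07", "CORP\\jdoe", "4120", r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice_0614.doc"'),
    ("2016-06-14T09:03:02Z", "WS-ACCT-07", "CORP\\jdoe", "4388",
     r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r"C:\Users\jdoe\AppData\Local\Temp\winword_upd.exe", "winword_upd.exe"),
    ("2016-06-14T09:03:40Z", "WS-ACCT-07", "CORP\\jdoe", "4402",
     r"C:\Users\jdoe\AppData\Local\Temp\winword_upd.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c  vssadmin.exe Delete Shadows /All /Quiet"),
    ("2016-06-14T09:03:41Z", "WS-ACCT-07", "CORP\\jdoe", "4410",
     r"C:\Users\jdoe\AppData\Local\Temp\winword_upd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    ("2016-06-14T09:03:42Z", "WS-ACCT-07", "CORP\\jdoe", "4416",
     r"C:\Users\jdoe\AppData\Local\Temp\winword_upd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -nop -w hidden "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'),
    ("2016-06-14T09:03:43Z", "WS-ACCT-07", "CORP\\jdoe", "4420",
     r"C:\Users\jdoe\AppData\Local\Temp\winword_upd.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled No"),
    ("2016-06-14T11:15:09Z", "WS-ACCT-07", "CORP\\itadmin", "5120", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]


def sample_export() -> List[str]:
    """Render the constructed events the way a tab-separated export looks."""
    return ["\t".join(FIELDS)] + ["\t".join(event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    hits = scan(sample_export())
    for h in hits:
        print(h["time"], h["rule"], "parent:", h["parent_image"])
    first = earliest(hits)
    print("encryption likely began around", first["time"], "; pull", first["parent_image"])
```

The first hit gives the investigator three things at once: a timestamp to anchor the timeline, the user context the malware ran under, and the parent image, which here points straight at the dropped payload and, one hop further up the parent chain, at the attachment that delivered it.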

Our ransomware data recovery services also involve documenting your situation for insurance adjusters and law enforcement. Many ransomware victims do not fully understand what has happened to them. As a ransomware victim, speaking with law enforcement officials or your insurance provider can be difficult. This is why our knowledgeable experts offer to act as a go-between for you, law enforcement, and your insurance provider.


When Is Paying the Ransom a Good Idea?

Experts are sharply divided on this topic, and on the ethical questions it raises. Ransomware victims are often caught in a dilemma where their encrypted data is unique and hard to recreate. Often the cost, in both time and money, of recreating the lost data or going on without it dwarfs the ransom demand. But paying the ransom arguably encourages ransomware programmers and distributors to continue their work. In an ideal world where nobody paid their ransoms, ransomware would not be the problem it is today, as the profit motive would be nowhere near as enticing to would-be criminals.

However, we do not live in an ideal world. We, unfortunately, live in a world where data can be irreplaceable. Losing that data can cause severe damage to your business or organization. We also live in a world where optimal ransomware data recovery isn’t always possible.

When a ransomware victim has to pay the ransom, or when we pay the ransom on a client’s behalf, it can indeed play a role in continuing the cycle. But to a small business owner or small nonprofit organization that is suffering considerable losses, a pragmatic decision to pay the ransom is sometimes necessary. We strive to avoid putting money into ransomware hackers’ pockets whenever possible. But we also understand that, in the interest of pragmatism, sometimes it simply must be done.

There is, of course, no guarantee that a ransomware distributor would honor their end of the bargain after a successful transaction. However, it would make poor business sense not to. If enough ransomware hackers refused to decrypt their victims’ files after payment, after all, the number of people willing to pay would steeply decline. Ransomware distributors would see their ill-gained profits dwindle substantially. Payment is still a gamble even when the criminals intend to deliver: a decryptor can be as buggy as any other software, so any files it returns need to be verified, and the decryptor itself should be run only on a copy of the encrypted data.

Why Is It Better for Gillware’s Ransomware Data Recovery Experts to Pay the Ransom on the Client’s Behalf?

Many victims of cryptovirus attacks lack knowledge of the dark web, Bitcoin and other cryptocurrencies, onion routers, etc. A CPA hit by a cryptovirus may know everything about QuickBooks and TurboTax, but nothing about setting up a Bitcoin wallet. The technology involved, and its association with the darkest and most frightening parts of the Internet’s seedy underbelly, can be extremely intimidating. You might prefer to have people with understanding of and experience in using these little-known tools and payment methods handle the trade-off, if it comes to that.

When you’re the ransomware victim, it’s hard to keep a level head. This is especially true when so much is at stake, and the way the hackers need to be dealt with is so far out of your depth. You also might be understandably wary of dirtying your own hands or wading into uncharted waters to deal with the hackers on your own. That is why it can be preferable to have experts like us handle payment—if it comes to that.


Contact Us for Ransomware Data Recovery Services

If you’ve suffered a cryptovirus attack, it can be hard to know what to do or who to turn to. Keeping cool is often the last thing on your mind. But Gillware Digital Forensics is here to assist you every step of the way. We will do whatever it takes to get your data back with our ransomware data recovery services. We will help you implement changes to your security procedures and protocols to prevent future attacks. And we will even help you deal with law enforcement and insurance adjusters on your behalf. We can help you make sense of and move past this stressful and painful situation.