FAQ

The specialists answer your questions

FAQ: Ransomware

Feel free to contact us to ask some questions or share a comment.

The recovery time after a ransomware attack varies greatly depending on the complexity of the case:

  • Ransomware already decrypted (decryption key publicly available): 24 to 72 hours to apply decryption to all files
  • Recovery via intact backups: from a few hours to a few days depending on the volume of data and the state of the infrastructure
  • Forensic analysis and search for cryptographic flaws: from 1 to several weeks—some analyses require significant computing resources
  • Cases with no known decryption solution: the encrypted files are retained until a key is published later (as in the Hive and Ragnar Locker cases)

Our emergency response service (Critical level) is available 24/7 for companies whose business continuity is compromised.

Modern ransomware primarily targets backups to maximize pressure on victims. Here's how to identify whether your backups are compromised:

  • Network backups (NAS, backup server): check the file extension — an unknown or added extension (.locked, .encrypted, etc.) indicates an infection. Also, check the metadata (recent and unusual modification date).
  • Synchronized cloud backups: if the synchronization client (OneDrive, Dropbox, etc.) was active during the attack, the encrypted files have probably replaced the originals. Check the version history before restoring.
  • Offline backups (disconnected external drive, LTO tape): if they were not connected to the network during the attack, they are generally intact.

The 3-2-1 rule (3 copies, 2 different media, 1 offsite) with at least one air-gapped copy is the most effective protection against ransomware.
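The checks above (added extension, recent and unusual modification date) can be automated over a mounted backup tree. The following script is an added example, not SOS Data Recovery's own tooling; the extension list and the 48-hour attack window are assumptions, and it adds a byte-entropy check because a file encrypted in place keeps its name and may even keep its timestamp.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Extensions commonly appended by ransomware (illustrative assumption, not a catalogue)
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted or compressed data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_backup(root, window_hours=48, sample_bytes=4096):
    """Return [(relative path, [reasons])] for files that look encrypted or were written
    in the attack window. Compressed formats (zip, jpg) also have high entropy: weigh signals together."""
    cutoff = time.time() - window_hours * 3600
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            reasons.append(f"suspicious extension {path.suffix}")
        if path.stat().st_mtime >= cutoff:
            reasons.append("modified within attack window")
        with path.open("rb") as f:  # read only: never rewrite backup data
            head = f.read(sample_bytes)
        if len(head) >= 256 and shannon_entropy(head) > 7.5:
            reasons.append("high entropy (likely encrypted)")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings

def build_sample_backup() -> str:
    """Constructed backup tree: a clean month-old file, a renamed encrypted file,
    and a file encrypted in place whose old timestamp the attacker restored."""
    root = Path(tempfile.mkdtemp())
    old = time.time() - 30 * 86400
    for d in ("docs", "db"): (root / d).mkdir()
    clean = root / "docs" / "report.txt"
    clean.write_bytes(b"Quarterly report: revenue up 4%.\n" * 200)
    os.utime(clean, (old, old))
    (root / "docs" / "contract.pdf.locked").write_bytes(os.urandom(4096))
    hidden = root / "db" / "customers.db"
    hidden.write_bytes(os.urandom(4096))
    os.utime(hidden, (old, old))
    return str(root)
```

Run `scan_backup(build_sample_backup())` to see the three cases: the clean file is silent, the renamed file trips all three signals, and the in-place encrypted database is caught only by entropy.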

It depends on the type of storage and how the reinstallation was performed.

On a HDD (mechanical hard drive): if the disk was formatted without "secure erasure" (simple deletion of partitions), the encrypted files are often still physically present on the magnetic platters. A laboratory extraction can allow us to recover the encrypted files, which our experts will then attempt to decrypt.

On an SSD: the situation is more complex. After formatting, TRIM commands typically cause the SSD firmware to erase the released blocks, permanently destroying the data. On some models, or if TRIM has been disabled, partial recovery is still possible.

In both cases, the faster you act after the reinstallation, the higher the chances of recovery.

Yes, in a significant number of cases. The possibility of decryption without paying mainly depends on the type of ransomware and the existence of an exploitable cryptographic flaw.

Several recovery paths exist:

  • Public decryption keys — some ransomware families have been decrypted by security researchers and agencies like Europol. The No More Ransom platform (nomoreransom.org) centralizes these tools for free.
  • Flaws in the cryptographic implementation — some poorly implemented ransomware families have vulnerabilities that allow the keys to be reconstructed.
  • Shadow Copies (VSS) — if the ransomware has not deleted Windows Shadow Copies, a restoration is possible.
  • Unaffected backups — offline backups, NAS snapshots, or unsynchronized cloud storage.

Our laboratory analyzes each case individually. A diagnosis allows us to determine which ransomware family is involved and what decryption options are available.

Authorities (ANSSI, OFCS, Europol, FBI) unanimously recommend not paying the ransom, for several reasons:

  • No guarantee — between 20 and 40% of victims who paid did not receive a functional decryption key
  • Risk of double extortion — attackers may exfiltrate data before encryption and threaten to publish it even after payment
  • Funding of crime — payment encourages further attacks and may expose the company to legal penalties in certain jurisdictions
  • Existing alternatives — in 30 to 50% of incidents, full or partial recovery is possible without payment

Before making any decision, consult a data recovery specialist and report the attack to the National Cyber Security Centre (NCSC) in Switzerland or to ANSSI in France.

Ransomware is a type of malware that encrypts the files on a computer system, rendering them inaccessible, and then demands a ransom in exchange for the decryption key. It is one of the most widespread cyber threats: according to the ENISA 2024 report, ransomware attacks increased by 37% in Europe between 2022 and 2023.

A typical attack process unfolds in four stages:

  1. Infection — via phishing, unpatched vulnerability, exposed RDP, or compromised account
  2. Reconnaissance and propagation — the malware maps the network and spreads laterally (duration: from a few hours to several weeks)
  3. Encryption — files are encrypted using an asymmetric algorithm (RSA with 2048- or 4096-bit keys) whose private key only the attacker possesses
  4. Extortion — a ransom note is dropped on the system with payment instructions (usually in Bitcoin)

The first few hours are crucial to limit the extent of the damage. Here's the emergency procedure:

  1. Isolate infected machines — immediately disconnect from the network (Ethernet cable and Wi-Fi) to stop lateral propagation
  2. Do not restart systems — some encryption keys remain in RAM and can be extracted while the system is running
  3. Preserve traces — do not modify any system files; these elements are essential for forensic analysis
  4. Identify the ransomware — upload an encrypted file to ID Ransomware (id-ransomware.malwarehunterteam.com) to identify the family
  5. Evaluate your backups — check if your offline or cloud backups are intact
  6. Contact a specialist — an incident response expert can intervene in less than 2 hours
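Steps 3 and 4 above (preserve traces, identify the ransomware) are easier to honour if the ransom note and a few encrypted samples are hashed and timestamped before anyone touches them. The script below is an added example, not the page's or SOS Data Recovery's own procedure; the note-name markers and the double-extension heuristic for encrypted samples are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Filename fragments typical of ransom notes (illustrative assumption, not a complete list)
NOTE_MARKERS = ("readme", "recover", "decrypt", "restore", "how_to")

def looks_like_ransom_note(path: Path) -> bool:
    """Ransom notes are usually small text/HTML files with a shouting name."""
    name = path.name.lower()
    return path.suffix.lower() in {".txt", ".html", ".hta"} and any(m in name for m in NOTE_MARKERS)

def describe(path: Path) -> dict:
    """Timestamp and hash a file through a read-only handle; stat first, since reading may bump atime."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"path": str(path), "name": path.name, "size": st.st_size, "sha256": h.hexdigest(),
            "mtime": st.st_mtime, "ctime": st.st_ctime, "atime": st.st_atime}

def collect_evidence(root, max_samples=3) -> dict:
    """Manifest of every ransom note plus a few encrypted samples (double-extension files),
    so the analyst later receives exactly what was on disk at triage time."""
    notes, samples = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(describe(path))
        elif len(path.suffixes) >= 2 and len(samples) < max_samples:
            samples.append(describe(path))
    return {"root": str(root), "notes": notes, "samples": samples}

def verify_manifest(manifest: dict) -> list:
    """Re-hash every listed file; returns the paths whose content changed since collection."""
    changed = []
    for entry in manifest["notes"] + manifest["samples"]:
        if describe(Path(entry["path"]))["sha256"] != entry["sha256"]:
            changed.append(entry["path"])
    return changed

def build_sample_host() -> str:
    """Constructed infected share: one ransom note, two encrypted files, one untouched file."""
    root = Path(tempfile.mkdtemp())
    (root / "RECOVER-FILES.txt").write_text("Your files are encrypted. Contact us to decrypt.\n")
    (root / "invoice.xlsx.locked").write_bytes(os.urandom(1024))
    (root / "photo.jpg.locked").write_bytes(os.urandom(1024))
    (root / "notes.txt").write_text("lunch at noon\n")
    return str(root)
```

Serialise the returned manifest with `json.dumps` and store it with the samples; `verify_manifest` then proves to the specialist that nothing was altered between triage and hand-over.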

The PLUS of SOS Data Recovery

  • Swiss leader in data recovery
  • Extranet follow-up
  • Security copy of the device
  • Secure offices
  • Data encryption on request
  • Storage in a safe
  • Monitoring of the parcels
  • Over 20 years of experience
  • Confidentiality