Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.
Chapter 12 — Further Reading
Foundations (🔬 / deeper)
- No More Ransom (nomoreransom.org). The authoritative clearinghouse for free decryptors — a joint project of Europol, the Dutch National Police, Kaspersky, and McAfee launched in 2016. Its Crypto Sheriff identifies a strain from a sample file and ransom note and points you to a legitimate tool if one exists. Bookmark it now; you do not want to be searching for it in a crisis.
- ID Ransomware (id-ransomware.malwarehunterteam.com), MalwareHunterTeam. Upload a ransom note and an encrypted sample to identify the family and version precisely — the step that must come before any recovery attempt, because family ID tells you whether you face a decryptable strain, a patched one, or a wiper.
- CISA #StopRansomware Guide (StopRansomware.gov). The joint CISA/FBI/NSA/MS-ISAC playbook for prevention and response — the institutional version of this chapter's first-hour list and prevention section, updated as the threat evolves.
- NIST IR 8374, Ransomware Risk Management (and SP 800-61, Incident Handling). Maps ransomware controls to the Cybersecurity Framework; the rigorous backbone behind "3-2-1-1-0" and "preserve before you restore."
Approachable explanations (everyone)
- The DFIR Report (thedfirreport.com). Real, anonymized walk-throughs of human-operated ransomware intrusions — initial access, dwell, lateral movement,
vssadmindeletion, detonation — with timelines. The single best way to internalize "every action leaves a trace." - Emsisoft blog and decryptor list (emsisoft.com). The clearest plain-language explanation anywhere of STOP/Djvu's offline vs. online IDs and why one is recoverable and the other is not; also the largest free decryptor collection.
- Bleeping Computer — ransomware section (bleepingcomputer.com). Accessible, current reporting on new families, leaked keys, and law-enforcement takedowns; where news of a fresh decryptor usually breaks first.
In practice (💾 Recovery · 🔍 Examiner · 🛡️ IR · 📜 Legal)
- libvshadow —
vshadowinfo/vshadowmount(Joachim Metz). Enumerate and mount Volume Shadow Copy stores from a raw image even when Windows reports none — Option 3's last-ditch play. 💾 🔍 photorec/foremost(cgsecurity.org). The workhorse carvers for Option 4; pair with the signatures in Appendix A. 💾 🔍- Volatility (
vol.py). Memory forensics — recover the malware process, C2 connections, and, for flawed families, keys from a RAM image. 🔍 🛡️ - KAPE / Arsenal Image Mounter / ShadowExplorer. Triage collection and mounting historical snapshots from a live system or an E01. 🛡️ 🔍
- Vendor decryptor suites — Kaspersky (RakhniDecryptor, RannohDecryptor), Avast/AVG, Bitdefender, Trend Micro. Obtain only via No More Ransom or the vendor; never a forum or search ad. 💾
- OFAC, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept 21, 2021). Required reading before anyone contemplates paying. 📜
Reference (this book)
- Appendix A — File Signatures Reference: the magic numbers carving depends on.
- Appendix B — Python Forensics Toolkit: the maintained
ransomware_triage.pyentropy/signature scanner. - Appendix E — Legal Frameworks Reference: OFAC, state breach-notification laws, HIPAA/GLBA, GDPR's 72-hour clock.
- Appendix F — Chain of Custody and Report Templates: the forms the "image first" discipline requires.
- Chapter 9 — SSD and Flash Recovery: why TRIM erases your carving opening on flash.
- Chapter 22 — Memory Forensics and Chapter 33 — Cryptocurrency Investigation: keys in RAM, and following the money.
Do, don't just read
- Build and run the triage scanner. On a folder of your own files, run the chapter's entropy/signature scan; confirm ZIPs and JPEGs score near 8.0 and that the magic-number check keeps them off the "encrypted" list. Then random-overwrite the first 150 KB of a large file and watch the sliding-window profile shout "partial encryption, tail recoverable."
- Walk the family-ID workflow. With a safe, public sample, practice the ID Ransomware → No More Ransom path until it is muscle memory — and find the offline/online-ID distinction in Emsisoft's STOP/Djvu notes.
- Test a restore. Build a 3-2-1-1-0 backup for your own data — one copy offline or immutable — and actually restore from it. The "0" in 3-2-1-1-0 is the one most people skip; do not be one of them.
Next: Chapter 13 — The Data Recovery Business: from the bench to the business — pricing, "no recovery, no fee," the cleanroom economics, and the ethics of charging money to handle other people's worst days, as the wedding-photos client returns.