Chapter 12 — Key Takeaways
The big idea
Ransomware is where "deleted ≠ destroyed" finally meets its match — not because the bytes are gone, but because they have been transformed by strong, correctly-implemented encryption you cannot break. Every other recovery technique in this book exploits the lucky fact that deletion removes only the pointer; ransomware breaks that assumption on purpose, turning your files into ciphertext that is statistically indistinguishable from noise while it controls the only key. You will never beat the math. Recovery comes from somewhere else entirely — copies the attacker missed, mistakes the attacker made, or keys someone else already holds — and the entire professional response is a disciplined hunt for those exceptions, worked in order of reliability, on top of a foundation of preserve before you destroy and an unsentimental truth: without backups, ransomware recovery is partial at best.
The cryptography dictates the strategy
- Hybrid model. Each file's body is locked with a fast symmetric key (AES-256, ChaCha20/Salsa20); that key is sealed with the attacker's RSA/elliptic-curve public key. Only the attacker's private key — which never leaves their control — can unwrap it.
- Per-file, not whole-disk. Most strains encrypt user data and leave the OS bootable so you can pay. A working desktop is not a recoverable one.
- Behavior, not cipher, decides recovery. Copy-encrypt-delete leaves originals in unallocated space (carvable on HDD, usually lost to TRIM on SSD). In-place overwrite destroys them. Partial/intermittent encryption (STOP/Djvu's first ~150 KB) can leave salvageable plaintext — especially in unstructured media.
- Identify the family first. A wiper in ransomware's clothing (NotPetya) has no recovery at any price; family ID also tells you whether a decryptor exists and whether data was stolen.
The five recovery options — in order
| # | Option | Reliability |
|---|---|---|
| 1 | Restore from a clean offline/immutable backup | The only reliable solution |
| 2 | Known free decryptor (No More Ransom / ID Ransomware) | Only for specific families/versions; offline-ID only for STOP/Djvu |
| 3 | Surviving Volume Shadow Copies | Usually deleted by the malware; occasionally rebuilt from the image |
| 4 | Carve unencrypted originals, temp files, slack | Partial, unpredictable; HDD ≫ SSD |
| 5 | Negotiate / pay | Last resort: OFAC, no guarantee, ethics |
Preserve before you restore
- Isolate, do not power off. Network-isolate to stop spread and exfiltration; keep the machine running so volatile memory — where keys may live — survives.
- Image first, hash, chain of custody. A ransomware incident is presumptively bound for insurance, regulators, and possibly court. One acquisition serves both recovery and forensics; skipping it serves neither.
- The attacker leaves traces.
vssadmin delete shadows(Event ID 4688) ≈ detonation time; RDP brute force (4625 → Type-10 4624); cleared logs (1102). The timeline answers how they got in and what they took. - Recovery is not absolution. If data was exfiltrated, restoring your files does not un-steal it — that is a reportable breach with its own legal clocks.
Prevention is the whole point
The 3-2-1 rule, hardened to 3-2-1-1-0: 3 copies, 2 media, 1 offsite, 1 offline/immutable, 0 errors (test restores) — on separate credentials with MFA, behind a closed RDP port and a patched perimeter. A trustworthy immutable backup collapses this entire chapter into one calm sentence.
You can now…
- ☐ Explain hybrid AES/RSA encryption and reason from it to which recovery options are real and which are wishful thinking.
- ☐ Run the first-hour triage — isolate without powering off, preserve, document, resist the countdown — and scope the blast radius with an entropy/signature scan.
- ☐ Capture memory then disk, hash, and keep chain of custody before any recovery attempt destroys evidence.
- ☐ Work the five options in order — backup, decryptor, shadow copies, carving, last-resort payment — and identify the family via ID Ransomware / No More Ransom.
- ☐ State the OFAC, breach-notification, and double-extortion stakes clearly enough for a client to decide with open eyes — and design 3-2-1-1-0 backups that make recovery a footnote.
Looking ahead
Chapter 13 — The Data Recovery Business. From the bench to the business: how recovery shops price jobs and set "no recovery, no fee" expectations, how to handle clients in the worst moment of their digital lives (the wedding-photos client returns), the cleanroom-and-tooling economics, and the ethics of charging money to handle other people's most precious — and most sensitive — data.
One sentence to carry forward: When the attacker controls the only key, your recovery is exactly as good as the copies and leftovers they failed to reach — so the recovery plan was always the backup plan, built for an adversary trying to destroy it.