Ransomware Data Recovery

Have you been infected with ransomware?

We can help. Our experts have extensive experience recovering data from systems infected with ransomware. With 25 years' experience in the data recovery industry, we can help you securely recover your data.

Single Disk System: £995 (4-6 days)

Multi Disk System: from £1495 (5-7 days)

Critical Service: from £1795 (2-3 days)

Need help recovering your data?

Call us on 01752 479547 or use the form below to make an enquiry.
Monday-Friday: 9am-6pm

Plymouth Data Recovery — Ransomware Decryption & Forensic Data Recovery (25+ years)

Plymouth Data Recovery provides professional ransomware investigation, decryption and data recovery for laptops, desktops, external drives, NAS, and RAID servers. We handle families such as WannaCry, LockBit, REvil/Sodinokibi, and many others. Our lab operates forensically: we stabilise systems, take read-only images, reconstruct keys or storage stacks on clones, and validate every recovered file with hashes. Free diagnostics available; priority/critical service also offered (case-dependent).

Scope & ethics: We never distribute malware or “improve” it. If negotiation is considered, it’s handled by the client or vetted incident-response partners, with strict legal/insurer guidance. We test any decryptor in a sandbox on images—not the originals—before use.


Our forensic workflow (condensed)

  1. Isolate & preserve: Pull power/network if safe; snapshot volatile memory (where feasible); full disk imaging (bit-for-bit, including slack/unallocated, VSS areas).

  2. Identify strain & variant: Static markers (ransom notes, file extensions, magic bytes), YARA matches, PE/ELF triage, config extraction.

  3. Hunt for keys & weaknesses: RAM, pagefile/hiberfil, registry/hives, keybags/DPAPI, process dumps, temp/working folders, crash dumps.

  4. Attempt decryption / recovery: Leaked or family decryptors, crypto flaw exploitation, partial-encryption reversal, snapshot/replica restore, CoW filesystem rollbacks.

  5. Logical rebuild: Filesystem repair (NTFS/APFS/ext/XFS/ReFS/Btrfs), VM/LUN reconstruction (VMFS/VHDX/VMDK/iSCSI), app-store repairs (Exchange/SQL/Photos/Office).

  6. Validation & reporting: SHA-256/MD5 per-file, sample opens, chain-of-custody, IOC pack for IR teams.
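Steps 2 and 6 above rely on cheap static checks before any decryptor is touched: does the file still carry the magic bytes its extension implies, and if not, where does the encrypted region end (technique 13, "first N MB only")? The following is an added illustration, not the lab's own tooling; the magic table and the sample file are constructed here, and the entropy heuristic only locates a boundary for data whose tail is not itself compressed.

```python
import math, os, random
from collections import Counter

# Magic bytes for formats the page names (constructed lookup table, not the lab's own signature DB).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
         ".pdf": b"%PDF-", ".db": b"SQLite format 3\x00"}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: encrypted data sits near 8.0, text and DB pages far lower."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def encrypted_prefix_length(data: bytes, chunk: int = 4096, threshold: float = 7.0) -> int:
    """Leading run of high-entropy chunks: a 'first N MB only' policy leaves such a prefix
    followed by a low-entropy tail to salvage. Caveat: data that is compressed throughout
    (PNG/ZIP/MP4) is high-entropy anyway; there the boundary must come from format parsing."""
    end = 0
    for off in range(0, len(data), chunk):
        if shannon_entropy(data[off:off + chunk]) <= threshold:
            break
        end = min(off + chunk, len(data))
    return end

def triage_bytes(data: bytes, name: str) -> dict:
    """Classify one file as intact (header present), fully or partially encrypted."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    magic_ok = expected is not None and data.startswith(expected)
    prefix = 0 if magic_ok else encrypted_prefix_length(data)
    if magic_ok:
        verdict = "intact"
    elif prefix >= len(data):
        verdict = "fully-encrypted"
    else:
        verdict = "partially-encrypted" if prefix else "unknown"
    return {"file": name, "verdict": verdict, "encrypted_prefix": prefix,
            "salvageable_tail": len(data) - prefix}

def constructed_sample() -> bytes:
    """Constructed stand-in for a SQLite file whose first 8 KiB was encrypted (not a real case)."""
    rng = random.Random(1)
    encrypted_part = bytes(rng.getrandbits(8) for _ in range(8192))
    tail = b"".join(b"row %05d,alice,bob,2024-01-01\n" % i for i in range(800))
    return encrypted_part + tail
```

Run `triage_bytes` over a read-only image's files to produce the first-pass inventory; the `salvageable_tail` figure tells you how much of a partially encrypted DB or media file the re-indexing step can work with.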


50 technical techniques we use to decrypt or recover ransomware-affected data

Format: Technique → What we exploit/inspect → Professional lab method

Key discovery & crypto weaknesses (1–14)

  1. RAM key extraction → In-memory AES/RSA/ECC material → Live or post-incident RAM imaging; Volatility/Rekall to dump ransomware process space; hunt for CryptoAPI contexts, session keys, ECDH secrets; validate on cloned sample set.

  2. Pagefile/hibernation scrapes → Keys spilled to disk → Parse pagefile.sys/hiberfil.sys; carve ASN.1 key structures; test against encrypted blocks.

  3. DPAPI master-key pivot → Encrypted config/keys → Extract user/machine DPAPI master keys; for domains, use DPAPI backup key (with AD permissions) to decrypt ransomware’s saved key blobs.

  4. Poor PRNG/seed reuse → Predictable keys/IVs → Static code review; detect GetTickCount()/time-based seeds; brute feasible spaces; confirm with ciphertext-plaintext pairs.

  5. IV/nonce reuse → AES-GCM/CTR catastrophic reuse → Known-plaintext on file headers (ZIP/PNG/Office); compute XOR stream; recover plaintext/key material in parts.

  6. Padding/oracle logic bugs → Faulty AES mode checks → Side-channel on decryptor; craft ciphertext to reveal key validity; derive missing parameters for batch decrypt.

  7. Hard-coded test keys → Debug leftovers → Binary diff across samples; locate embedded RSA/ECC test keys; apply to victim set in lab.

  8. Config/locker leakage → Local config saves victim key → Parse %ProgramData%, %AppData%, /tmp; recover per-victim keys or C2 endpoints; validate.

  9. Leaked private keys → Opsec failures / public releases → Test leaked keysets offline on small encrypted corpus; never contact C2.

  10. Key reuse across victims → Botched per-victim generation → Cross-case comparison; if same public key seen with different IDs, try prior private key; confirm safely.

  11. Weak ECDH parameterisation → Bad curve/nonce → Recover scalar via lattice/nonce bias; confirm with trial decrypt of per-file headers.

  12. RC4/XOR stub stage → Pre-encryptor used only on headers → Reverse stub; reconstruct per-file header; rebuild containers (ZIP/7z/Office) then content.

  13. Partial-encryption policy → First N MB only → Salvage tails; re-index media/DB files; for DBs, rebuild pages beyond header blocks.

  14. Insecure decryptor from actor → Key exposed during run → Contain in air-gapped sandbox; instrument API calls to capture session keys; use captured keys on images, never live hosts.

System artifacts & OS recovery (15–25)

  15. VSS snapshot recovery → Not all snapshots wiped → Parse System Volume Information & VSS diff area directly from raw image; mount older snapshot; export clean files.

  16. NTFS journal replay → $LogFile / $UsnJrnl before wipe → Roll filesystem back to last consistent transaction; restore pre-encrypt versions.

  17. APFS checkpoint rollbacks → Copy-on-write history → Walk APFS checkpoint superblocks, select coherent epoch, mount read-only, export.

  18. Btrfs/ZFS snapshot export → CoW subsystems → Import datasets readonly; scrub checksums; zfs rollback/btrfs restore equivalent on image.

  19. HFS+ journal & catalog fix → Older Macs → Journal replay on clone; rebuild B-trees; recover pre-encrypt files.

  20. ext4 backup superblocks → Linux hosts → fsck-like repair on image using alternate superblocks; recover from pre-encrypt metadata.

  21. Windows Previous Versions/Shadow Copies → Server shares → Enumerate with vssadmin/NTFS metadata parsing on image; export prior versions.

  22. Registry hive forensics → Startup entries & config → Extract ransom config, timestamp activity, find local key caches/paths for Stage-2.

  23. Mac Time Machine local snapshots → .MobileBackups & sparsebundles → Rebuild band files, index snapshots, export unaffected data.

  24. WMI/Task Scheduler traces → Timelines and drop paths → Locate staging dirs with originals (actors often zip before encrypt).

  25. OneDrive/Dropbox local cache → Sync engines → Recover local sync caches/conflicts; query cloud version history if enabled.

Storage layer, NAS/RAID & virtualisation (26–35)

  26. SAN/iSCSI LUN rollback → Thin-provisioned back-end → Recover LUN sparse file; mount guest FS; export pre-encrypt extents.

  27. VMFS/VHDX/VMDK chain rebuild → ESXi/Hyper-V → Fix descriptor/parentCID; mount VM disks; recover guest data even if host share encrypted.

  28. RAID parity reconstruction → Abort live rebuilds → Image all members; assemble virtual array (order/chunk/parity); repair guest FS.

  29. Synology/QNAP snapshots → Btrfs/ZFS/EXT + snapshotting → Export snapshot trees (often missed by actor scripts); verify by checksum.

  30. NAS LUN file carving → File-based LUN on EXT/Btrfs → Carve LUN extents, reassemble; mount guest NTFS/exFAT/APFS; restore.

  31. Dedup appliance restores → Backup appliances → Rehydrate deduplicated blocks from pre-incident epoch; compute hash map to reconstruct files.

  32. Object-lock immutability → S3 with WORM → Pull clean objects by version ID; rebuild buckets/manifests.

  33. SQL/Exchange log replay → Datastores encrypted mid-flight → Roll transaction logs on clean copy; repair DB pages; export.

  34. DFS-R/roaming profile remnants → Server shares → Mine staging folders & conflict/backlog areas for clean copies.

  35. Tape/offline rotation ingestion → LTO/air-gapped → Index catalogues; selective restore of critical datasets; hash-compare to confirm integrity.

Decryptor acquisition & safe use (36–41)

  36. Public decryptors (safe sources) → For specific families → Validate hash/signature; run in isolated VM against images; test on sample set before batch.

  37. Actor-provided decryptors → Only if legally approved → Sandboxed execution with syscall/API tracing to extract keys; never run on originals; snapshot and revert on failure.

  38. Keyspace partitioning/brute for weak configs → Only when feasible → Distributed cracking for short passphrases/weak PRNG; early-abort via known-plaintext checks.

  39. C2-independent key derivation → Offline KDF replication → Reimplement KDF from sample; derive per-file keys with captured salts/nonces; batch decrypt.

  40. Partial file header repair → Media/Office containers → Rebuild MOOV/ftyp atoms, ZIP central directory, PDF xref tables; recover readable payload even without full decrypt.

  41. Whitelist-based recovery → Actor exclusions (e.g., *.dll, system dirs) → Harvest system-excluded folders for in-app caches, thumbnails, working sets.

Application-aware recovery (42–46)

  42. Office autorecovery & temp stores → *.asd, .wbk, ~.tmp → Rebase recovered temp to final docs; metadata sanity checks.

  43. Outlook/Exchange → OST/EDB stores → OST-to-PST conversion; EDB repair; recover per-mailbox with hash audit.

  44. Design/Media → Adobe/DaVinci → Rebuild project bundles; relink assets; stitch fragmented MP4/MOV/MXF by GOP/PTS.

  45. Databases → InnoDB/SQL Server → Page-level salvage; redo/undo log processing; consistency checks.

  46. Source control caches → Git object DBs → Extract .git/objects; rebuild refs; restore worktrees.

Post-incident & special situations (47–50)

  47. BitLocker misuse by actors → FVEK still retrievable → Use recovery key/TPM protectors to unlock BitLocker volume on clone; export.

  48. Locker bootkits (MBR/VBR) → Boot hijack only → Restore boot code on clone to mount FS; copy clean data; do not “fix” original.

  49. Linux encryptors running as non-root → Permission blocks → Recover untouched root-owned data; roll snapshots; fix ownership on export.

  50. Cloud SaaS versioning → M365/Google Workspace → Restore prior versions with admin scopes; export audit trail; cross-hash with local restores.


What we need to help you fast

  • Family/variant if known (note, URL, extension), samples of encrypted files + original copies (if any), ransom note, time of first encryption.

  • System type (Windows/macOS/Linux, NAS/RAID/VM), encryption/BitLocker/FileVault status, and whether systems were powered off.

  • Any actions already taken (AV cleanup, “decryptor” attempts, chkdsk/fsck, VSS deletions).


Why Plymouth Data Recovery

  • 25 years of forensic data-recovery experience across endpoints, NAS, SAN and virtual platforms

  • Crypto-aware engineering (DPAPI, KDFs, ECDH/RSA/AES modes, CoW filesystems)

  • Forensic-first process (cloned media, chain-of-custody, per-file hashing)

  • Collaboration with IR/legal/insurers; optional priority turnaround where device condition allows

  • Free diagnostics with clear options before work begins


Talk to a ransomware recovery engineer

Contact Plymouth Data Recovery today for a free diagnostic. We’ll preserve evidence, hunt keys and weaknesses, and recover your data with forensic-grade care.

Contact Us

Tell us about your issue and we'll get back to you.

Call us on 0800 6890668 or use the form above to contact us.