Ransomware Recovery by crypto and operations experts
Full-spectrum ransomware recovery

What do I do?

1. Stay Calm. Let's recover together.

Read this before contacting the criminals! Hopefully you can get from here through #8 fairly quickly. It is important to be efficient here. Unemotional, calm, and efficient. Do these in parallel as much as you can!

2. Disconnect, but do not turn off the infected equipment (especially if it appears to be a small infection), and try to get someone on #3 below in tandem.

At this point, we want to try to limit the number of files that are encrypted if possible. Most likely, by the time you have noticed the infection, it is not limited to just one machine or file server. That is done on purpose. Do not take it as a personal fault.

3. Contact your trusted advisors to get you through this.
  • Do you have legal counsel? Even if they are not "cyber legal counsel", they likely have someone that they trust. Your other trusted advisors certainly have people they can recommend as well.
  • Do you have cyber insurance? Insurance can be extremely helpful to bridge revenue loss. You might even want to pay the ransom, and that could be covered by insurance. The insurance company may also have legal counsel with more knowledge on the subject.
  • Do you have a trusted IT (MSP) or IT Security (MSSP) partner?
    • If you outsource IT activities to a trusted IT partner or Managed Services Provider (MSP), you are going to need them for additional services that might make them work late into the evening or over weekends. Give them a call now to warn them. Feel free to give them our number as well. It is time for everyone to collaborate, not compete, to get you back in business ASAP.

      93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington)

    • Don't stress if your MSP or MSSP partner isn't staffed with cryptography and malware analysis experts. Many of the activities in post-ransomware recovery are not even necessarily cybersecurity focused. Armed with ransomware analysis and technology experts like ourselves, MSPs and MSSPs can do a LOT of the legwork to get you back in business quickly and cost-effectively. We work well with MSP and MSSP practitioners.

4. You are most likely going to need to contact law enforcement.

If you have an insurance company, they will help you orchestrate this. While law enforcement probably is not going to drag in a scruffy criminal off the street, the report will be necessary for various business activities, for insurance, or even for regulatory compliance.

5. Check your backups.

Your backups may be erased, no matter what your smart IT folks did. No matter how much work your IT staff has done to keep backups current, or how savvy the ransomware criminals were in deleting your backups, you need to quickly make some assessments as to how much data was lost. There is always some lost data. Unfortunately, the data you use the most, and the most recent for your in-progress business operations, is the most likely to NOT be in backups.

6. Start copying all those encrypted files off of the machines.

It might be easiest to just replace entire physical hard drives or servers. If those hard drives still have ransomware, replacing the drives with new fresh installations might be the safest and fastest way to get that server up and running again. Remember: we need to get your business operations kick-started!

7. Decide whether it will be faster to get those backups working, or to stand up new machines.

Remember those backups? One of the reasons that 77% of backups fail when being tested is that the data is not in a state that can easily bring your machines back. Your backups might not work, or might need some tweaking to get your machines working again. Make some decisions as to whether it is faster to get those backups working, or to just stand up new machines and worry about the backups later. (Or, if you are decrypting, you might just not use the backups at all.)

8. Get someone knowledgeable in communicating and negotiating with criminals.

Nowadays, the criminal is most likely a semi-technical person (or people). Think more "help desk", and less "cryptography expert". You want to have as much information about the damage they caused as possible before entering into negotiations, just like sales intelligence! Don't wait too long, though, to have your security experts engage the attacker. There is normally a time limit, and it is good to make business decisions with the ransom cost known.

  • Try to get the ransom as low as possible. Put your salesperson hat on, and play it as cool as you are able. Now you are playing poker.
  • Try to only need to get the ransom once. In many instances, the attacker doesn't know just how much damage they did, or how many files were encrypted. Remember that this is a very personal experience for you, but the attacker might not even know the name of your company. The number of files and machines may need to be passed to the attacker. (This is where our team can help you with how much you want to reveal to the attacker, to get the best price.) You don't want to have to go back to the criminals multiple times because, just like that old car you had in school, the parts are worth more than the whole.

9. Decrypt with Confidence, & Prevent Re-infection with Ransomware Rewind.

Easy To Use

You shouldn't have to be a tech expert to decrypt. Let us handle the advanced math. We're former NSA; it is what we do.

Business Friendly Features

We know what you need during your disaster recovery process, and we've already included the functionality you need.


Lightning Fast

Hacker decryptors are slow. Like waiting-a-week-to-decrypt slow. You don't have a week. We are 5000% faster, or even faster, than the hacker decryptors.

Error Free

Hacker decryptors are REALLY buggy. Buggy means corrupting your file - then you are stuck. Our decryptors use the same careful coding your bank uses.


Our decryptors run on Linux, Mac, and Windows. Why? You need the flexibility to decrypt all data, no matter where it is, and do so safely away from your operations.

90 Days Help

We know recovery takes time. Focus on your business crisis at hand. We include 90 days free platinum support with every decryptor. We're here for you. (Unlike the hacker.)

Secure From Start to End

Security is in our blood. We meet or exceed compliance measures such as HIPAA and PCI with our software, starting with 2 factor login.

Decrypt On Your Schedule

Track decryption progress with ease. Need to pause decryption halfway through? No problem! We will safely wind down our fast decryption so that no files become corrupted.


Healthcare Organization: Infected Decryptor Fixed

We paid for a decryptor, but the hackers tried to give us malware inside their decryptor. Fortunately, even though we didn't have the original ransomware, the team was able to figure out the encryption formula, and produce the decryptor I needed within a couple days.

Mortgage Processing Organization: Fast Custom Release

Cyber Crucible's standalone decryptor allowed me to decrypt millions of files over a couple days. They even released a custom version within 24 hours, because the hackers made a mistake in their encryption. They saved my business.