Ransomware data recovery
Ransomware victim? Our cyber recovery experts recover your encrypted data and restore your systems with a free 3-hour diagnosis, even when backups are compromised.
How does data recovery after a ransomware attack work?
Ransomware is a type of malware that encrypts your data and demands a ransom to unlock it. This type of attack targets SMEs, large corporations, public institutions and government agencies alike.
Since 2006, SOS Data Recovery in Ins (Switzerland) has processed over 11,300 media and supported more than 8,000 clients. CyberSafe certified and rated 4.5/5 on Avis Vérifiés (249+ reviews), our team operates through our specialised entity bexxo.ch, dedicated to cybersecurity and ransomware recovery.
Our diagnosis is free and completed within 3 hours. You only pay if your data is successfully recovered. We are partners with Mobilière and Helvetia insurance for cyber incident coverage.
Anatomy of a ransomware attack
Understanding the phases of an attack helps you protect yourself and respond faster when an incident occurs.
How does ransomware infect your organisation?
One of the main infection vectors is phishing: malicious links or attachments in emails. Users may also be tricked into downloading malware by visiting compromised software download sites or clicking on malicious advertisements (malvertising).
How does the encryption of your data unfold?
File encryption is a slow process that can go unnoticed for hours. Cybercriminals often launch the attack outside of business hours — at night or on weekends — to maximise encryption time before detection. The algorithms used (AES-256, RSA-2048) are virtually impossible to break without the key.
Why do attackers steal your data in addition to encrypting it?
This tactic, called double extortion, has become the norm. Attackers exfiltrate your sensitive data before launching the encryption. They then threaten to publish it online if you attempt to restore from backups rather than pay.
What do attackers do with stolen data?
Attackers analyse stolen content to maximise pressure: selling confidential information to competitors, transmitting financial data to tax authorities, disclosing commercial agreements, or directly blackmailing executives. This is known as triple extortion.
Why is a specialised Cyber Recovery service necessary?
Cyber Recovery is a data recovery service that intervenes after a ransomware attack — unlike traditional cybersecurity which acts as prevention.
Faced with increasingly sophisticated and indiscriminate attacks, organisations (companies, public authorities, institutions) need a partner capable of restoring their data even when backups have been compromised.
SOS Data Recovery, a data recovery specialist since 2006, responds in emergencies to recover your files and restore your systems following data recovery best practices.
What situations require ransomware data recovery?
Are you facing one of these situations? Contact us for immediate intervention.
Files encrypted by ransomware
Your files have an unknown extension (.locked, .crypt, .encrypted) and are inaccessible. Our experts analyse the ransomware variant and attempt recovery without paying the ransom.
System locked (ransom screen)
A message demands cryptocurrency payment to unlock access. Do not pay: payment does not guarantee data recovery and funds the attackers.
Compromised backups
Attackers target backups first (NAS, cloud, tapes). We intervene even when backup copies have been encrypted or deleted by the ransomware.
Encrypted server or NAS
File servers, databases or NAS entirely encrypted. We recover data directly from the disks, bypassing the compromised system.
Data theft (double extortion)
Attackers threaten to publish your sensitive data. Our forensic analysis identifies the extent of the exfiltration and supports the incident response.
Network infrastructure paralysed
Active Directory compromised, workstations and servers out of service. We assist with progressive restoration of critical systems and data recovery.
How does data recovery work?
From free diagnosis to secure delivery — a transparent 4-step process, entirely performed in our Swiss laboratory.
Free diagnosis within 3 hours
Send your media by secure post, drop it at one of our 30 collection points across Switzerland, or bring it directly to our laboratory in Ins. Our team performs a full analysis within 3 hours of receipt — free and with no commitment.
Transparent quote before any work
You receive a detailed quote outlining the type of failure, recovery chances and exact cost. You approve before any work begins. Full payment on success — only attempt costs are charged if recovery fails.
Recovery under ISO 5 laminar flow
Our technicians work under ISO 5 certified laminar flow with specialised tools (PC-3000). Your data never leaves our CyberSafe-certified Swiss laboratory (we are also a CyberSafe partner). Duration: 2 to 10 business days depending on complexity.
Secure delivery of your data
Your recovered data is delivered on a new encrypted drive, or via secure download according to your preference. Original media can be destroyed on request to guarantee confidentiality.
Frequently asked questions
Our specialists answer the most common questions.
How long does data recovery take after a ransomware attack?
The recovery time after a ransomware attack varies greatly depending on the complexity of the case:
- Ransomware already decrypted (public decryption tool available): 24 to 72 hours to apply decryption to all files
- Recovery via intact backups: from a few hours to a few days depending on the volume of data and the state of the infrastructure
- Forensic analysis and search for cryptographic flaws: from 1 to several weeks — some analyses require significant computing resources
- Cases with no known decryption solution: retention of encrypted files pending a key being published later (Hive, Ragnar Locker, etc. cases)
Our emergency response service (Critical level) is available 24/7 for companies whose business continuity is compromised.
How to tell if my backups have also been encrypted by ransomware?
Modern ransomware primarily targets backups to maximize pressure on victims. Here's how to identify if your backups are compromised:
- Network backups (NAS, backup server): check the file extension — an unknown or added extension (.locked, .encrypted, etc.) indicates an infection. Also, check the metadata (recent and unusual modification date).
- Synchronized cloud backups: if the synchronization client (OneDrive, Dropbox, etc.) was active during the attack, the encrypted files have probably replaced the originals. Check the version history before restoring.
- Offline backups (disconnected external drive, LTO tape): if they were not connected to the network during the attack, they are generally intact.
The 3-2-1 rule (3 copies, 2 different media, 1 offsite) with at least one air-gapped copy is the most effective protection against ransomware.
Regularly test the restoration of your backups — an untested backup is a backup whose actual reliability you do not know.
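The three checks above (added or unknown extensions, an unusual burst of recent modification dates, and, as an extra heuristic, file content that looks random) can be run over a backup share before anything is restored from it. The script below is an added example, not code from SOS Data Recovery or bexxo.ch; the extension list, the 48-hour window, the 70% mass-modification ratio and the entropy threshold are assumptions chosen for illustration, and the sample tree it builds is constructed so the scan can be run offline.

```python
"""Scan a backup tree for signs of ransomware encryption (added example)."""
import math
import os
import random
import tempfile
import time
from collections import Counter
from pathlib import Path

# Extensions the page cites plus ".enc"; an assumed list, extend it for your environment.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".encrypted", ".enc"}
# Shannon entropy in bits/byte: text and office documents stay well below this,
# ciphertext and compressed archives approach 8.0. Assumed threshold.
ENTROPY_THRESHOLD = 7.5
# If this share of the files was rewritten inside the window, treat it as a mass
# modification event rather than a normal backup run. Assumed ratio.
MASS_MODIFICATION_RATIO = 0.7


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_backup(root, window_hours=48, now=None, sample_bytes=4096):
    """Walk a backup tree and report per-file indicators plus a tree-wide
    modification burst. Only the first sample_bytes of each file are read."""
    now = time.time() if now is None else now
    window_start = now - window_hours * 3600
    flagged = {}  # relative path -> list of reasons
    total = recent = 0
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        total += 1
        reasons = []
        if p.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            reasons.append("suspicious extension " + p.suffix)
        if p.stat().st_mtime >= window_start:
            recent += 1
        with p.open("rb") as fh:
            head = fh.read(sample_bytes)
        ent = shannon_entropy(head)
        if len(head) >= 256 and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({ent:.2f} bits/byte)")
        if reasons:
            flagged[p.relative_to(root).as_posix()] = reasons
    recent_fraction = recent / total if total else 0.0
    return {
        "total_files": total,
        "recent_fraction": recent_fraction,
        "mass_modification": recent_fraction >= MASS_MODIFICATION_RATIO,
        "flagged": flagged,
    }


def build_sample_tree(root, now=None):
    """Constructed sample: one untouched old file and three files rewritten
    'during the attack', one of them encrypted in place with its name kept."""
    now = time.time() if now is None else now
    root = Path(root)
    (root / "archive").mkdir(parents=True, exist_ok=True)
    rng = random.Random(2024)  # deterministic stand-in for ciphertext
    old = root / "archive" / "minutes-2023.txt"
    old.write_bytes(b"Board minutes, approved without changes.\n" * 100)
    month_ago = now - 30 * 24 * 3600
    os.utime(old, (month_ago, month_ago))
    (root / "report.docx.locked").write_bytes(rng.randbytes(4096))  # appended extension
    (root / "budget.xlsx").write_bytes(rng.randbytes(4096))  # name kept, content random
    (root / "README.txt").write_bytes(b"Welcome to the shared backup folder.\n" * 50)


def run_demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_backup(tmp)


if __name__ == "__main__":
    report = run_demo()
    print(f"{report['total_files']} files, {report['recent_fraction']:.0%} modified recently,"
          f" mass modification: {report['mass_modification']}")
    for path, reasons in report["flagged"].items():
        print(f"  {path}: {', '.join(reasons)}")
```

Point the scanner at a mounted copy of the share rather than the live NAS, and treat a mass-modification flag together with high-entropy files as a reason to fall back to an older version or an offline copy. Entropy alone also fires on legitimate archives and media files, so the per-file reasons are indicators to review, not a verdict.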
Is data recovery possible after a ransomware attack if the system has been reinstalled?
It depends on the type of storage and how the reinstallation was performed.
On an HDD (mechanical hard drive): if the disk was formatted without "secure erasure" (simple deletion of partitions), the encrypted files are often still physically present on the magnetic platters. A laboratory extraction can allow us to recover the encrypted files, which our experts will then attempt to decrypt.
On an SSD: the situation is more complex. After formatting, the operating system usually issues TRIM commands and the SSD firmware then erases the freed blocks, permanently destroying the data. On some models, or if TRIM has been disabled, partial recovery is still possible.
In both cases, the faster you act after the reinstallation, the higher the chances of recovery.
Before reinstalling the system, always create a complete image of the infected disk. This image will allow you to work on a copy and retry future decryption methods if a public decryption key is released later.
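A forensic image is only useful if it is complete, read-only and verifiable. The code below is an added example, not the laboratory's own tooling: it copies a source (a block device or a disk file) in fixed-size chunks, zero-fills any chunk the drive refuses to read so the rest of the media is still captured (the behaviour tools such as ddrescue provide), records the SHA-256 of the acquired bytes in a sidecar file, and re-verifies the image against it. The `BadSectorSource` class and the 10 KiB sample disk are constructed for the demonstration.

```python
"""Forensic disk imaging with hash verification (added example)."""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB read unit; real tools retry with smaller reads near bad sectors


def image_stream(src, dst, chunk_size=CHUNK_SIZE):
    """Copy src to dst chunk by chunk. A chunk whose read raises OSError (unreadable
    sectors) is replaced by zeros so acquisition continues; its offset is recorded.
    Returns the byte count, SHA-256 of the bytes written and the bad offsets."""
    digest = hashlib.sha256()
    bad_offsets = []
    offset = 0
    while True:
        try:
            src.seek(offset)
            data = src.read(chunk_size)
        except OSError:
            bad_offsets.append(offset)
            data = b"\x00" * chunk_size  # simplification: treat the whole chunk as lost
        if not data:
            break
        dst.write(data)
        digest.update(data)
        offset += len(data)
    return {"bytes": offset, "sha256": digest.hexdigest(), "bad_offsets": bad_offsets}


def image_device(source_path, image_path, chunk_size=CHUNK_SIZE):
    """Image a device or disk file opened read-only and write a .sha256 sidecar."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        result = image_stream(src, dst, chunk_size)
    with open(image_path + ".sha256", "w") as fh:
        fh.write(f"{result['sha256']}  {os.path.basename(image_path)}\n")
    return result


def sha256_of_file(path, chunk_size=CHUNK_SIZE):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(image_path):
    """Re-read the image and compare it with the hash recorded at acquisition time."""
    with open(image_path + ".sha256") as fh:
        recorded = fh.read().split()[0]
    return sha256_of_file(image_path) == recorded


class BadSectorSource(io.BytesIO):
    """Constructed stand-in for a failing drive: reads starting inside
    [bad_start, bad_end) raise OSError, as unreadable sectors would."""

    def __init__(self, data, bad_start, bad_end):
        super().__init__(data)
        self.bad = (bad_start, bad_end)

    def read(self, size=-1):
        if self.bad[0] <= self.tell() < self.bad[1]:
            raise OSError("I/O error: unreadable sector")
        return super().read(size)


def run_demo(chunk_size=4096):
    """Image a healthy constructed 'disk' file, then a damaged in-memory one."""
    disk = bytes(range(256)) * 40 + b"tail"  # 10244 bytes, deliberately not a chunk multiple
    with tempfile.TemporaryDirectory() as tmp:
        src_path = os.path.join(tmp, "sda.bin")
        img_path = os.path.join(tmp, "sda.img")
        with open(src_path, "wb") as fh:
            fh.write(disk)
        healthy = image_device(src_path, img_path, chunk_size)
        healthy_ok = verify_image(img_path)
    damaged = image_stream(BadSectorSource(disk, 4096, 8192), io.BytesIO(), chunk_size)
    return {
        "healthy": healthy,
        "healthy_ok": healthy_ok,
        "healthy_matches_source": healthy["sha256"] == hashlib.sha256(disk).hexdigest(),
        "damaged": damaged,
    }


if __name__ == "__main__":
    r = run_demo()
    print("healthy image:", r["healthy"]["bytes"], "bytes, verified:", r["healthy_ok"])
    print("damaged image: bad chunks at", r["damaged"]["bad_offsets"])
```

Keep the sidecar hash with the image and the list of bad offsets in the case notes: the hash proves later decryption attempts ran against an unmodified copy, and the bad offsets tell you which regions were never acquired. On real hardware, image through a write blocker or a read-only mount so the source is never written to.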
Is it possible to recover data encrypted by ransomware without paying the ransom?
Yes, in a significant number of cases. The possibility of decryption without paying mainly depends on the type of ransomware and the existence of an exploitable cryptographic flaw.
Several recovery paths exist:
- Public decryption keys — some ransomware has been decrypted by security researchers and agencies like Europol. The No More Ransom platform (nomoreransom.org) centralizes these tools for free.
- Flaws in cryptographic implementation — some poorly implemented ransomware has weaknesses that allow the keys to be reconstructed.
- Shadow Copies (VSS) — if the ransomware has not deleted Windows Shadow Copies, a restoration is possible.
- Unaffected backups — offline backups, NAS snapshots, or unsynchronized cloud storage.
Our laboratory analyzes each case individually. A diagnosis allows us to determine which ransomware family is involved and what decryption options are available.
Do not pay the ransom before consulting a specialist. In many cases, payment does not guarantee data recovery, and you are directly funding criminal activities.
Should you pay the ransom to recover your data after a ransomware attack?
Authorities (ANSSI, OFCS, Europol, FBI) unanimously recommend not paying the ransom, for several reasons:
- No guarantee — between 20 and 40% of victims who paid did not receive a functional decryption key
- Risk of double extortion — attackers may exfiltrate data before encryption and threaten to publish it even after payment
- Funding of crime — payment encourages further attacks and may expose the company to legal penalties in certain jurisdictions
- Existing alternatives — in 30 to 50% of incidents, full or partial recovery is possible without payment
Before making any decision, consult a data recovery specialist and report the attack to the National Cyber Security Centre (NCSC) in Switzerland or to ANSSI in France.
What is a ransomware attack and how does it affect data?
Ransomware is a type of malware that encrypts the files on a computer system, rendering them inaccessible, and then demands a ransom in exchange for the decryption key. It is one of the most widespread cyber threats: according to the ENISA 2024 report, ransomware attacks increased by 37% in Europe between 2022 and 2023.
A typical attack process unfolds in four stages:
- Infection — via phishing, unpatched vulnerability, exposed RDP, or compromised account
- Reconnaissance and propagation — the malware maps the network and spreads laterally (duration: from a few hours to several weeks)
- Encryption — files are encrypted with a symmetric cipher (AES) whose key is in turn protected by an asymmetric key pair (RSA 2048 or 4096 bits) for which only the attacker possesses the private key
- Extortion — a ransom note is dropped on the system with payment instructions (usually in Bitcoin)
What to do immediately after detecting a ransomware attack?
The first few hours are crucial to limit the extent of the damage. Here's the emergency procedure:
- Isolate infected machines — immediately disconnect from the network (Ethernet cable and Wi-Fi) to stop lateral propagation
- Do not restart systems — some encryption keys remain in RAM and can be extracted while the system is running
- Preserve traces — do not modify any system files; these elements are essential for forensic analysis
- Identify the ransomware — upload an encrypted file to ID Ransomware (id-ransomware.malwarehunterteam.com) to identify the family
- Evaluate your backups — check if your offline or cloud backups are intact
- Contact a specialist — an incident response expert can intervene in less than 2 hours
Document everything: screenshots of ransom messages, list of affected files, network logs. This documentation is essential for filing a complaint and for technical analysis.