
Ransomware: incident analysis and safe data recovery

After a ransomware attack has encrypted your files, the first step is to stop acting blindly. We secure the evidence and backups, record the attack symptoms, then assess a realistic route for data recovery or environment restoration.

Urgent ransomware incident

Server, NAS or company computer encrypted? Stop the incident first and secure the material

Lost data after a ransomware attack? A computer, server or NAS shows extensions such as .locked, .encrypted, .crypt or .[email], and files no longer open?

Dysk i Spółka – Data Recovery Laboratory specialises in ransomware incident analysis, safe recovery of critical files and support during business environment restoration after an attack.

We first secure storage media, backups and material for analysis. Only then do we assess whether recovery, decryption, backup use or reconstruction from storage devices is realistic.

We handle cases from all over Poland — storage devices, servers and NAS units can also be sent by courier after prior contact. In urgent cases, we can start the technical interview immediately after the report.

What should you do immediately?

  • disconnect affected devices from LAN/Wi‑Fi,
  • stop automatic synchronisation and backup restores,
  • keep the ransom note, file extensions and logs,
  • write down which systems are business-critical.

What should you prepare before contact?

  • the extension name and a few encrypted files,
  • information about backups, snapshots and configuration exports,
  • environment details: computer, server, NAS and number of drives,
  • a list of actions already taken after the attack.

Why involve a laboratory?

  • we assess chances and risk honestly,
  • we secure the material and environment first,
  • confidential cases can be handled under NDA.

Fast technical decision

With ransomware, describe the incident symptoms first

After the first conversation, we will tell you what to secure, what not to do and whether the media should be disconnected, brought to the laboratory or prepared for shipping.

Service scope

What we do during ransomware incident handling

01. Full technical analysis of the attack

  • identification of the ransomware type,
  • analysis of extensions, notes and file headers,
  • checking public decryptors and known weaknesses.

02. Assessment of realistic recovery options

  • we check whether data was fully encrypted,
  • we verify backups, snapshots and previous versions,
  • we look for fragments that are still intact.

03. Real data condition assessment

  • recovery of unencrypted fragments,
  • work with HDD/SSD/NAS media after partial damage,
  • file reconstruction where it technically makes sense.

04. Support for companies returning to work

  • NAS/Synology/QNAP after an attack,
  • loss analysis and incident report,
  • advice on backups, security and ransom decisions.

05. Decryption only in controlled conditions

  • when public decryptors are available,
  • when the ransomware variant has known weaknesses,
  • when the key can be recovered from a process or copy.

Honest rules

What we do not promise

We do not promise magical decryption. First we stop the incident, secure copies, check storage media and only then indicate realistic paths for recovery or environment rebuild.

  • we do not claim that every ransomware case can be decrypted,
  • we do not sell “proprietary AES‑256 breaking algorithms”,
  • we do not charge for promises without technical basis,
  • if there is no recovery chance — we say so clearly and early.

Warning signs

Ransomware symptoms — what you see on the computer

After ransomware, the same signals usually appear: files change names, cannot be opened and the system shows payment instructions. The key is not to overwrite traces and not to make the situation worse in production, backups or snapshots.

Files have strange extensions

If documents and photos do not work and names or extensions changed — do not run “repair” tools and do not reinstall the system.

A ransom note appeared in folders

Disconnect the computer from the network, keep the note, sample files and logs. These elements help distinguish data recovery from environment rebuilding.

NAS, server or backups are encrypted

Do not restore backups to the same resource without a plan. First we need to establish when encrypted data started being written and whether snapshots are intact.

Work process

What happens after a ransomware attack — step by step

  1. Contact and initial consultation

    We briefly establish the symptoms, attack type and most important systems.

  2. Diagnostics

    We verify the ransomware type, encryption scope and recovery options. Standard diagnosis costs 0 PLN.

  3. Laboratory analysis

    We assess damage scale, decryption options and recovery potential from other data layers.

  4. Recovery quote

    After analysis, we present realistic options and a clear range based on scale and data type.

  5. Recovery work

    We work on secured copies, recover possible data and provide a clear report with limitations.

Who is this service for?

For companies

Accounting offices, medical practices, trading companies, lawyers, photographers, filmmakers and small to medium businesses using NAS/Synology/QNAP/Dell/HP systems.

For private clients

Family photos, documents, professional material and private archives.

Data we most often recover

  • DOCX
  • XLSX
  • PDF
  • JPG
  • PNG
  • RAW
  • MP4
  • MOV
  • SQL
  • CAD
  • PSD
  • accounting files

B2B scenarios

NAS, RAID, servers and databases

In a business ransomware incident, the first step is to secure material for analysis: encrypted files, ransom notes, media, backups and environment information.

If the incident involves accounting, ERP, SQL, NAS shares or RAID arrays, tell us during the first contact which systems are critical, which backup is the last known-good one and what actions were taken after the attack.

Why us

Why Dysk i Spółka

  • our own Cleanroom laboratory,
  • premium-class tools: PC‑3000, MRT, DeepSpar, Gardiox,
  • full confidentiality — NDA available,
  • we handle real cases, not marketing slogans,
  • we work according to the realities of cryptography and security.

FAQ

Common questions after ransomware

Can data be recovered after ransomware without paying the ransom?

Often yes — it depends on the encryption variant and the condition of the storage media. We start with securing the material and creating a sector copy for analysis.

What should I do immediately after detecting encryption?

Disconnect the device from the network, do not run “repair” tools, do not reinstall the system and contact the laboratory.

Do you help after an incident on a server or NAS?

Yes. We create media copies, analyse the data structure and choose the recovery method according to the attack scenario.

Can I remove malware myself before recovery?

Secure the data first. Cleaning without copies can remove artefacts needed for recovery or incident analysis.

Incident report

Describe the incident

Dysk i Spółka – Data Recovery Laboratory, Warsaw — Białołęka. We accept media from all over Poland, including by courier. We provide a confidential data handling process and sign NDAs on request.

Report a ransomware incident and describe the symptoms
Describe the attack symptoms — we will explain how to secure the data and what to do next.
573 532 490