Ransomware Recovery and Incident Response (LockBit, Royal, BlackCat, Conti, and Known Families)
in Allegheny County, PA

The first hour of a ransomware incident is about stopping the bleeding, not restoring data, and recoveries that skip containment frequently get re-encrypted partway through. The threat actor is often still present on the network when the customer discovers the encryption, with persistence mechanisms, additional footholds, and sometimes a scheduled re-encryption or a data-exfiltration process still running. Our intake sequence isolates the affected environment from the internet and from unaffected network segments, identifies which systems are encrypted and which were missed, and locates and removes the threat-actor presence (scheduled tasks, new admin accounts, remote-access tooling, persistence in startup and services) before any restoration is attempted. Restoring clean data into an environment the attacker still controls just hands them a fresh set of files to encrypt; containment has to come first.

When usable backups exist, restoration is the preferred path because it returns the customer to operation without decryption uncertainty and without engaging the threat actor at all. The critical word is verified: modern ransomware operators specifically hunt for and encrypt or delete backups before triggering the visible encryption, so the existence of a backup is not the same as the existence of a clean backup. We triage the backup landscape to identify which media survived intact (offline backups, immutable cloud backups, air-gapped media, and backups on systems the attacker's credentials couldn't reach are the usual survivors; backups on the same domain and network share as the production environment are the usual casualties), verify the surviving backups are themselves uninfected before restoring from them, and rebuild the environment from the most recent clean restore point. We then close the gap between the last clean backup and the encryption event using the forensic-recovery path where possible.

A meaningful number of ransomware families have working decryptors available through legitimate channels, and checking is always worth doing before assuming the encrypted data is lost. The LockBit 3.0 keys were released by international law enforcement in 2024; Conti, REvil/Sodinokibi, GandCrab, Akira (under specific conditions), and a growing list of other families have decryptors published through the No More Ransom project, the FBI, CISA, and vendors like Bitdefender, Kaspersky, Emsisoft, and Avast. We identify the family precisely from the ransom-note artifacts, the encrypted-file extensions and signatures, and the encryption behavior, then check the current decryptor availability for that exact family and variant. When a decryptor exists, we validate it against an isolated copy of a few encrypted files first to confirm it actually works on the customer's specific variant before running it against the full data set, because a wrong-variant decryptor can corrupt files it can't actually decrypt.

Ransomware encryption is rarely as complete as the ransom note claims, and a forensic sweep for un-encrypted copies often recovers more than the customer expects. We check the surfaces ransomware commonly fails to reach: Volume Shadow Copies that survived (some families delete them, many fail to delete all of them or miss copies on secondary volumes), OneDrive, SharePoint, and Google Drive version history (cloud platforms retain prior versions that can be rolled back even after the local files were encrypted and synced), files on disconnected or offline media the attacker's network access couldn't reach, email and attachments still sitting on the mail server, and cold-storage archives. This path frequently bridges the gap between the last clean backup and the encryption event, recovering the most recent work that a backup-only restore would lose.

Recovering the data without finding how the attacker got in just resets the clock until the next incident, often by the same actor through the same door. As part of the recovery we identify the initial access vector (the standard candidates: a compromised RDP or VPN credential, an exposed remote-access port, a phishing email that delivered a loader, an unpatched internet-facing vulnerability, a compromised managed-service or supply-chain connection), trace the lateral movement and privilege escalation the attacker used, and document the timeline. The customer comes out of the engagement with a written account of how the breach happened and a prioritized remediation list (MFA on remote access, RDP off the public internet, the specific patch that was missing, the credential that was exposed) so the rebuilt environment closes the door the attacker actually used rather than guessing.

A ransomware incident usually triggers obligations beyond the technical recovery, and the documentation those obligations require is far easier to produce during the incident than reconstructed afterward. If the customer carries cyber-insurance, the carrier has notification deadlines, approved-vendor requirements, and evidence expectations that the recovery has to be run against from the start; we coordinate with the broker and carrier in parallel with the technical work and document the incident to their requirements. Where the breach involved protected data (PHI under HIPAA, personal information under state breach-notification laws, payment-card data under PCI), the regulatory notification obligations turn on findings the forensic work produces (what data was accessed, whether it was exfiltrated, how many records). We document the incident timeline, the affected data, the containment and recovery actions, and the attack vector in a form the customer's counsel, carrier, and any required regulator can rely on.