World’s leading Ransomware Advisory and Recovery Services

Technical advisory and custom decryption services for businesses, insurers and incident responders

We can help your organization to:

  • Recover faster
  • Minimize downtime
  • Reduce costs
  • Minimize the risk of data loss

What we can do for you

We move fast to help our clients recover their systems and get back to business in the shortest possible time. Our team of elite ransomware experts can:

Advise whether no-cost recovery is possible using existing decryption tools.

Significantly reduce recovery times in incidents involving:

  • BlackMatter
  • LockBit
  • Ryuk
  • RagnarLocker
  • MedusaLocker
  • Conti
  • Zeppelin
  • Hive
  • Mespinoza (Pysa)

Replace buggy or slow attacker-supplied tools with custom solutions that decrypt up to 50% faster with less risk of data loss.

Create workarounds that can be used to significantly reduce the ransom.

Reverse engineer attacker-supplied tools to ensure they are safe and malware-free.

Provide impeccable support, a high degree of flexibility and straightforward pricing.

Note: We do not negotiate ransoms or facilitate the payment of demands.

Our services are available on a per-incident or retained basis. Contact us to learn more.

How it works

Pre-negotiation phase

We reverse engineer the ransomware to look for potential bugs that either allow for free decryption or make decryption impossible due to data being intentionally or unintentionally corrupted.

Post-negotiation phase

We reverse engineer the ransomware decryptor to extract keys and add support to our superior in-house decryption tool. We analyze the decryptor to check for backdoors hidden by the ransomware authors and look for bugs that might damage or corrupt data during decryption.

Post-incident phase

We can optionally provide managed and unmanaged endpoint and server protection, which is effective not only against ransomware, but all types of malware.

Retained services option

If you require ransomware expertise on an ongoing basis, you may wish to consider retaining our services, which gives you continuous access to a wide range of ransomware-related services.

Decryptor features

Built by the world’s leading ransomware experts, our decryptors are engineered to ensure data integrity and efficient system recovery.

Command line driven and fully scriptable

Ideal for remote deployment in enterprise environments. Our tools can decrypt large numbers of affected systems with minimal supervision.

Superior performance

Aggressive multi-threading and hardware acceleration of common cryptographic routines result in superior performance.

Decryption correctness and data safety

Instead of overwriting encrypted data, our tools operate on copies of data. The original data is preserved, which eliminates the need to create backups.

Decrypt files to a different location

Ideal for organizations that wish to avoid creating images or backups of encrypted data or are low on storage.

Comprehensive reporting

Proper reporting of all operations, including which files decrypted correctly and which did not, in either a human-readable format or a structured log (JSON) for convenient automated parsing.

Support for nested encryptions

Including files encrypted by multiple different ransomware families.

Support for multiple decryption keys

Allows for the same tool and key file to be deployed to all machines, no matter whether the threat actor supplied one decryptor for all machines or one decryptor for each machine.

File decryption prioritization

Ability to decrypt certain drives, folders, or files first to ensure the most important files are recovered first.

Permission handling

Proper handling and preservation of permissions and timestamps if possible.

No limits on file support

Emsisoft decryptors support files with paths longer than 260 characters and all file sizes.

Customized solutions

If the decryptor is missing certain functionality that would make your client’s restoration project easier, please inquire about customization options. Depending on requirements, there’s a good chance we can provide a tailored solution on short notice.

Decryptor performance

File decryption is almost always limited by the speed of the storage that files are decrypted from and to. A modern CPU can easily decrypt 10 GB of data per second, but most organizations will not have storage that is anywhere near that fast.

To decrypt files, our tools need to, approximately, read every file once and write it once.

Clients can benchmark their storage, get their read and write speeds, and then create an estimate specific to their setup using the formula: (amount of data encrypted / read speed) + (amount of data encrypted / write speed).

As a rough guideline, given commodity hardware, our tools will decrypt about 180 GB of data per hour on mechanical hard disks, about 1 TB per hour on SSDs, and about 3.5 TB per hour on NVMe drives.

Why you shouldn’t trust decryptors provided by threat actors

Poor quality

Instabilities, improper handling of permissions, problems with long paths over 260 characters, problems with files larger than 4 GB.

Potential backdoors

Reverse engineering is required to determine whether a decryptor is backdoored.

Potential for data loss

Implementation errors can lead to irreversible data loss. Multiple ransomware families are known to damage files on decryption.

Inefficient UIs

Often inconvenient to use, requiring users to interact with GUIs or text-based menus, which makes it difficult to decrypt many systems in parallel.

All or nothing decryption

Partial decryption is often not possible, which means everything that comes before the important data must be decrypted first.

Why work with us

Emsisoft has been leading the global fight against ransomware for the past eight years. We collaborate with law enforcement agencies to interrupt cybercriminals’ revenue streams and our ransomware decryption tools have helped individuals and organizations avoid more than $1 billion in ransom demands.

We have broken more ransomware families and created more decryptors than anyone else in the industry and know how to navigate the pitfalls associated with decryptor development. Europol’s No More Ransom Project named Emsisoft as its largest provider of ransomware decryptors.

Our team is composed of the world’s leading ransomware experts and includes:

Fabian Wosar

“Known in the industry as one of, if not the, best ransomware expert.” – BBC News. Fabian has discovered decryption mechanisms for more strains of ransomware than anyone else on the planet.

Michael Gillespie

Described by ProPublica as a “Ransomware Superhero” and recipient of the FBI Director’s Community Leadership Award for his work on ransomware decryption.