If you see this message on the screen of an encrypted computer, the infection was caused by MerryChristmas virus.
No matter if you want to pay the ransom, or prefer to recover your data legally (alone or with our help), or have not yet made a decision, turn off your computer as soon as possible to stop the encryption, which can be still in progress.
How it happened?
According to 2017 IBM research, 59% of ransomware infections were spread using phishing emails, by opening attachment with fake invoice or other seemingly reliable but fake information.
Here you can read about a few other possible causes.
In which circumstances should I pay the ransom?
First consider, why in general you shouldn't pay the ransom:
1. You support criminals and facilitate further ransomware development, so that their next "products" can be yet more dangerous.
2. There is no guarantee that criminals will actually decrypt your files. You don't even know, if they've been caught in the meantime. According to various studies, there is between 65% and 83% chance of recovering your data this way.
3. You don't have an invoice (at most some confirmation of buying Bitcoin), so you can't deduct paid ransom from tax.
Apart from the above arguments, the question of whether to pay the ransom comes down to a simple recalculation of losses:
- - value of data, that have been encrypted (and you don't have any copies)
- - the amount of demanded ransom (including any negotiated rebate)
- - the price of data recovery done by professionals
- - losses caused by disruption of business continuity
When should I entrust data recovery to professionals?
Of course, you can try to recover the data yourself. But before you start, ask yourself a few simple questions:
1. Which tools do you want to use? Have you ever used them? Do you have any action plan?
2. Do you want to recover the data to the same drive, or do you have a separate one?
3. Should the infected computer should be still turned on?
These questions are important, because Your data in original, unencrypted form, most likely are still on the disk - statistically means, the more free space was available on each partition, the more original data are still not overwritten. But if you:
- install any programs on the same drive
- try to recover the data to the same drive
- keep Windows running (or worse: rebooting) and writing various logs and other files
...then all these actions lead to further overwriting data that otherwise would be still recoverable.
What can we do better?
1. We have all the required knowledge, experience and necessary equipment, so that we do not make simple mistakes, such as mentioned above.
2. We don't work on original drive. At the beginning we make a copy ("image") of it and work only on this copy (replicated across 4 computers), so the original drive can be immediately transferred eg. for forensic analysis, or simply formatted and reused.
3. For SSD drives, we can access redundant areas (depending on the controller model), which can contain previous versions of original data - you can't do it yourself without specialized equipment.
4. We perform data recovery with 4 different algorithms, searching disk image in different ways, which significantly increases the chances of finding files in various unusual formats, eg. license keys.
5. We have our own, proprietary tools to rebuild damaged and incomplete files in various formats:
- - JPG photos
- - SQL Server databases (both MDF and BAK)
- - PST files from Microsoft Outlook
- - ZIP archives
- - VHDX containers with virtual drives from hypervisors like Hyper-V
I would like to try - what's next?
1. Turn off the infected computer as soon as possible, remove the hard drive, pack it securely and prepare for shipment. Remember to attach shipment and invoice data inside (otherwise we won't be able to send it back).
2. Write us to firstname.lastname@example.org, so you'll get the address, to which you should send the package with the drive (this address depends on your country, so if you found us after someone's recommendation, please don't simply reuse address given to them).
3. You can also send the entire server, if the whole RAID array (other than RAID1), or SAS drives have been encrypted. In case of RAID1, send just one of the drives.
4. Typical time of full analysis is around 36 hours per 1 Terabyte. Drives are processed in FIFO queue. Please notify us earlier, if you're interested in priority analysis (details below).
5. After full analysis, you'll get emails with invoice and link to download the recovered data. You can pay in Paypal, after recovering the data.
6. If we're unable to recover anything, the whole analysis is free, and you pay only for return shipment of the drive.
Full analysis and data recovery (drive/RAID)
$190 / 1 SATA/SSD** drive up to 4TB***
Full analysis and data recovery (RAW image, uncompressed, each partition as separate file)
$15 or more (depends on country)
Connecting/assembling additional equipment****
Additional manual analysis*****
Priority work (available 24/7)
+50% for all above prices
* - preliminary analysis is always free, regardless of whether you decide to entrust us with data recovery or not; you only pay for return shipping and any additional work
** - SAS drives, or RAID arrays other than RAID1, are supported only if you send the entire server, inside which they operated (and this server has to support booting from USB) - all drives inside RAID array are treated as 1 logical drive (so you pay only for 1 drive, not eg. 5)
*** - drives over 4TB are treated as 2 or more drives (multiple of 4TB)
**** - if you send the entire server, or external drive with unusual interface/power supply, and it needs additional connecting/assembling work (eg. drives packages separately from chassis)
***** - all additional manual analysis work is carried out after agreeing with the customer - we'll contact you first and suggest, what additional improvements we can do in your case (if any)