
Obtaining decryption keys by illegal or covert means (breaking encryption, hacking criminals, or otherwise evading law enforcement) is against the LAW. However, if you’re a victim of ransomware or helping one, there are lawful, practical ways to try to recover files without paying attackers — including free, legitimate decryptors released by security vendors or keys recovered by law enforcement.
Immediate, safe steps to try to recover files (and preserve evidence)
a.) Isolate the infected systems — disconnect from networks (unplug Ethernet, disable Wi-Fi) to prevent spread, but do not power off systems if doing so would destroy volatile forensic evidence.
b.) Preserve evidence — make forensic copies (images) of affected drives and collect ransom notes, encrypted file samples, and any displayed attacker IDs. This helps identification and law enforcement.
c.) Identify the ransomware family — upload a ransom note or an encrypted sample to a trusted identification service (it will tell you the strain and whether known decryptors exist). This is crucial because many decryptors only work on specific families.
d.) Check reputable free decryptor repositories — if the strain is known and a weakness/decryptor exists, well-trusted projects publish tools you can safely use (No More Ransom, Emsisoft, Kaspersky, etc.). Only download tools from those official pages and follow their instructions.
e.) Report to law enforcement and national cyber agencies — report the incident (FBI IC3 in the U.S., local police, national CERT/CIRT). Many agencies collect intelligence that can lead to recovered keys or takedowns. In some high-profile takedowns, law enforcement seized keys and made them available to victims.
f.) Do not blindly run unknown “decryptors” — untrusted tools can introduce more malware or permanently damage files. Use only tools from reputable vendors or official projects.
g.) Check backups — if recent, clean backups exist, restoring from them is usually the fastest, safest recovery path. Validate backups before restoring.
h.) Contact experienced incident responders — if the data or systems are critical, hire a professional IR / forensic team. They can help identify the strain, attempt safe decryption, restore systems, and liaise with law enforcement and insurers.
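Step g) says to validate backups before restoring. A concrete way to do that is to check the backup set itself for signs of encryption before trusting it. The script below is an added example written for this page (it is not from the page, No More Ransom, or any vendor). It flags a file when its extension promises a known header (PDF, Office/zip, JPEG, PNG) but the first bytes do not match, or when an unknown extension carries byte entropy near the 8-bit ceiling. The magic-byte table, the entropy threshold and the sample backup files are all constructed for the demo; treat hits as leads to inspect, not proof. Note that compressed formats are also high-entropy, which is why known types are judged by their header rather than by entropy.

```python
"""Pre-restore backup sanity check (added example; not the page's or any vendor's code)."""
import math
import os
import tempfile
from collections import Counter

MAGIC = {  # assumed table of expected leading bytes per extension
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}
ENTROPY_LIMIT = 7.5  # bits per byte; ciphertext sits close to 8.0 (assumed threshold)


def shannon_entropy(data):
    """Bits of entropy per byte over the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(path, sample_bytes=4096):
    """Return a reason string if the file looks encrypted, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    expected = MAGIC.get(ext)
    if expected is not None:
        # Known type: a valid header is the signal, entropy is not (zip/jpeg are dense anyway)
        if not head.startswith(expected):
            return "header mismatch for " + ext
        return None
    ent = shannon_entropy(head)
    if ent > ENTROPY_LIMIT:
        return "high entropy (%.2f bits/byte)" % ent
    return None


def validate_backup(root):
    """Walk a backup tree read-only; return {relative_path: reason} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            reason = check_file(p)
            if reason:
                findings[os.path.relpath(p, root)] = reason
    return findings


def make_demo_backup():
    """Constructed backup set for the demo: two good files, two that look encrypted."""
    root = tempfile.mkdtemp(prefix="backup_")
    files = {
        "invoice.pdf": b"%PDF-1.4\n%constructed minimal pdf\n",
        "notes.txt": b"plain text backup file\n" * 20,
        "contract.docx": bytes(range(256)) * 16,       # should start with PK, does not
        "ledger.xlsx.locked": bytes(range(256)) * 16,  # unknown ext, entropy exactly 8.0
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for path, why in validate_backup(make_demo_backup()).items():
        print(path, "->", why)
```

Run it against the real backup root instead of make_demo_backup(); an empty result is one piece of evidence that the set is clean, but restoring to an isolated, reimaged host first is still the safer order of operations.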
Where to look first (trusted resources)
i) No More Ransom — repository of official decryptors and guidance for victims. Start here after identifying the strain.
ii) ID Ransomware — free identification service: upload ransom note or encrypted file sample to learn which family targeted you.
iii) Emsisoft / other vendor decryptor pages — lists of free decryptors for many older/weak ransomware families (download only from their official pages).
iv) CISA / national CERT guidance (or your country’s equivalent) — practical, authoritative incident response steps and reporting options.
v) Law enforcement reporting portals — e.g., FBI IC3 in the U.S.; reporting is important even if you’re not in the U.S. because cross-border investigations happen.
About paying ransom and “getting a key”
1.) Paying the attacker is risky and does not guarantee decryption — attackers can provide a nonworking key or demand more. Paying also funds criminal activity and can make you a repeat target. No More Ransom and law enforcement strongly discourage paying when alternatives exist.
2.) In some cases, law enforcement or security researchers have obtained decryption keys (e.g., via takedowns or seizures) and published them or supplied them to victims — which is why reporting matters. But this is not something the public can force; it depends on criminal investigations.
Quick checklist you can follow right now
- Isolate affected machines.
- Capture screenshots of ransom notes and take photos of messages.
- Copy (not modify) encrypted file samples and ransom notes to a clean USB.
- Upload samples to ID Ransomware.
- If ID Ransomware or vendors show an available decryptor, download only from the vendor/No More Ransom pages and follow instructions.
- Report to your local law enforcement and national cyber agency (CISA/IC3 in the U.S. or local CERT).
- Engage an IR firm if the incident is high impact.
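Steps b) and c) above and the checklist items about copying samples and uploading them to an identification service amount to one small evidence-triage routine. The script below is an added example written for this page (not the page's own tooling, and not from ID Ransomware, No More Ransom or any vendor). It walks the affected directory read-only, writes a SHA-256 manifest with sizes and timestamps, flags likely ransom notes by filename, tallies the most common unfamiliar extensions (the encrypted-file suffix usually tops that list and is exactly what identification services want to know), and copies the notes plus a couple of encrypted samples per suffix into an evidence folder with timestamps preserved and hashes re-verified. The note-name pattern, the baseline extension set and the sample "infected" tree are assumptions constructed for the demo.

```python
"""Ransomware evidence triage (added example; not the page's or any vendor's code)."""
import collections
import hashlib
import json
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone

# Filename fragments often seen in ransom notes (heuristic, assumed).
NOTE_PATTERN = re.compile(r"readme|decrypt|how_to|restore|recover", re.I)
# Baseline of ordinary extensions; anything else is reported as "unusual" (assumed).
BASELINE_EXT = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".log", ".json"}


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Read-only inventory: relative path, size, mtime, hash, extension, note flag."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            entries.append({
                "path": os.path.relpath(p, root),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
                "ext": os.path.splitext(name)[1].lower(),
                "ransom_note_candidate": bool(NOTE_PATTERN.search(name)),
            })
    return entries


def unusual_extensions(entries, top=3):
    """Most frequent non-baseline extensions; report these to the identification service."""
    counts = collections.Counter(
        e["ext"] for e in entries if e["ext"] and e["ext"] not in BASELINE_EXT
    )
    return counts.most_common(top)


def collect_samples(root, entries, evidence_dir=None, per_ext=2):
    """Copy note candidates plus a few files per unusual extension; return copied paths.

    shutil.copy2 preserves timestamps, and each copy is re-hashed against the
    manifest so the evidence set is verifiably identical to the originals.
    """
    evidence_dir = evidence_dir or tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(evidence_dir, exist_ok=True)
    wanted, taken = [], collections.Counter()
    for e in entries:
        ext = e["ext"]
        unusual = ext and ext not in BASELINE_EXT and taken[ext] < per_ext
        if e["ransom_note_candidate"] or unusual:
            wanted.append(e)
            if unusual:
                taken[ext] += 1
    copied = []
    for e in wanted:
        src = os.path.join(root, e["path"])
        dst = os.path.join(evidence_dir, e["path"].replace(os.sep, "__"))
        shutil.copy2(src, dst)
        if sha256_file(dst) != e["sha256"]:
            raise RuntimeError("hash mismatch after copy: " + e["path"])
        copied.append(dst)
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(entries, f, indent=2)
    return copied


def make_demo_tree():
    """Constructed sample 'affected' folder for the demo (random bytes, no real malware)."""
    root = tempfile.mkdtemp(prefix="affected_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.docx.locked": os.urandom(64),
        "docs/budget.xlsx.locked": os.urandom(64),
        "photo.jpg.locked": os.urandom(64),
        "HOW_TO_DECRYPT_FILES.txt": b"constructed ransom note text\n",
        "notes.txt": b"ordinary untouched file\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    manifest = build_manifest(root)
    print("unusual extensions:", unusual_extensions(manifest))
    print("note candidates:", [e["path"] for e in manifest if e["ransom_note_candidate"]])
    print("copied", len(collect_samples(root, manifest)), "evidence files")
```

Point collect_samples at the clean USB (or a forensic workstation path) as evidence_dir; the manifest.json it writes is what you hand to the IR team or law enforcement, and the copied note plus one encrypted sample are what ID Ransomware asks for. Nothing under the scanned root is written to, and the hash check makes a silent copy corruption fail loudly instead of contaminating the evidence set.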