IronSights

Ransomware data recovery · Australia · 24/7

Hit by ransomware? You might not have to pay to get your data back.

A lot of ransomware encrypts for speed, not thoroughness, so most of the data underneath is often left intact. We recover it, including .ndm448 (Makop/Phobos) files, without the attacker's key and without paying the ransom.

Australian incident response, answered by a real person 24/7. The first hours decide how much can be saved, so the sooner you call, the more we can bring back.

Hit right now?

Do this first. It changes what we can recover.

Do

  • Isolate affected machines (unplug the network cable or turn off Wi-Fi), but leave them powered on.
  • Keep the encrypted files and the ransom notes. They are often recoverable, and deleting them removes that option.
  • Take your backups offline before anything else can reach them.
  • Call us before you change anything. The first moves decide what can be saved.

Don't

  • Don't wipe, re-image or rebuild the affected machines yet.
  • Don't run removal or "cleanup" tools over the top of the evidence.
  • Don't pay the ransom yet. You may not need to, and payment carries its own obligations.

The recovery method

Why some ransomware-encrypted data comes back without paying.

A lot of modern , including the Makop/Phobos family behind .ndm448, is built to encrypt quickly. On a large file it scrambles only the front and leaves the rest of the data untouched. The file won't open, so it looks lost. Most of it usually isn't.

That is why big, structured files survive best. Databases, virtual disks and archives are laid out in fixed-size blocks with their own headers and IDs. When only the front is scrambled, the intact blocks deeper in the file can be found and put back in order.

Map the damage

We measure how random each part of a file is: its entropy. Encrypted regions read as near-random; real data does not. That tells us how much of each file is genuinely encrypted, which is often only a small slice at the front.

Find the intact data

We locate the untouched data blocks by their signatures and internal identifiers, the fixed-size structures that databases, disks and archives are built from.

Carve and reassemble

We pull out the surviving blocks and rebuild them in the right order using their own internal IDs, working around the parts that were scrambled.

Rebuild into something usable

For a database, we reassemble the recovered structures into a fresh, sound database on a clean server.

Validate and reconcile

We check the rebuilt data against known-good references (row counts, record samples, schema) and keep what is confirmed clearly separate from anything uncertain.

The honest result

Done well, this recovers part, and sometimes the large majority, of the records without the attacker's key. It works best exactly where the damage hurts most: large, business-critical databases.

The limits, stated plainly

It depends on the strain using partial encryption; some encrypt everything. Small files that are encrypted end to end recover less reliably than large ones. Recovery is case dependent, never guaranteed, and always validated and signed off before it goes back into production.

A recent recovery

In a recent engagement for an Australian organisation, every conventional option had failed. The offline tape backups were corrupted, the on-site backups were encrypted, and the shadow copies were gone. Using partial-encryption recovery, we rebuilt the organisation's critical business database, millions of records across more than a thousand tables, without paying the ransom.

★★★★★
IronSights provided exceptional support during a mission-critical ransomware incident. From the outset, their team was personable, calm and highly professional, while also being incredibly skilled and relentless in their approach. They treated every decision with the level of care and precision the situation demanded, worked through the technical detail thoroughly, and never took shortcuts. Their ability to balance urgency with discipline gave us real confidence during an extremely difficult time. I have worked with many technology providers over the years, but I have never been as impressed by a company as I was with IronSights. I would strongly recommend them to any organisation needing serious cybersecurity expertise, particularly when the stakes are high.
AndrewGoogle review

Where recovery comes from

The order we work through, before anyone talks about paying.

Paying is the last resort, not the first. We work down this list, and partial-encryption recovery is often where it ends.

  1. 1Clean, verified backups held offline or as immutable copies.
  2. 2Volume shadow copies or snapshots, if they weren't deleted in the attack.
  3. 3Partial-encryption recovery, the method above, and often the one that saves the day when the backups are gone.
  4. 4A public decryptor, on the rare occasion keys leak or the strain has a known flaw.
  5. 5Rebuilding from source systems where the data still exists elsewhere.

First hours

What to do in the first hours of a ransomware attack.

Preserve, then contain

Disconnect affected machines from the network but keep them on. Hold on to encrypted files, ransom notes and logs. They are evidence, and they are often recoverable. Take backups offline and check whether they are intact before you trust them.

Don't make it worse

Don't rush to pay. Don't run cleanup tools or restore over the top of the evidence. And don't assume the ransom note is telling the truth. Data-theft claims are frequently a bluff, and should be assessed rather than accepted.

Your obligations in Australia

If personal information was accessed, the Notifiable Data Breaches scheme may require you to assess and notify the OAIC. If you pay a ransom, the Cyber Security Act 2024 requires a separate payment report. Report the incident to the ASD's ACSC via ReportCyber. This is general guidance, not legal advice, so get your own counsel.

Common questions

Ransomware recovery, answered.

Files encrypted right now? Call 1300 004 766, or email hello@ironsights.com.au.

  1. Can you recover files encrypted by ransomware without paying?

    Often, yes, where the only partially encrypts files. Many strains scramble the front of large files and leave the rest intact, so the untouched data can be located and rebuilt without the attacker's key. It depends on the strain and the files involved, so it is a recovery effort rather than a guarantee.

  2. What is a .ndm448 file, and can it be recovered?

    A file with the .ndm448 extension has been encrypted by a variant of the Makop/Phobos family (Microsoft detection Ransom:Win32/Phobos.PB!MTB). Because that family encrypts for speed, large .ndm448 files, especially databases, are frequently good candidates for partial-encryption recovery.

  3. Should I pay the ransom?

    Not before you have to. Payment funds the offender, carries no guarantee your data comes back, and may be unnecessary if the data is recoverable. In Australia, paying also triggers a separate reporting obligation. Let us assess what can be recovered first.

  4. Are my backups safe to restore after ransomware?

    Check before you trust them. Attackers routinely encrypt or delete backups they can reach. Take backups offline, confirm they are intact and clean, and restore into a known-good environment rather than over the top of a compromised one.

  5. Do I have to report a ransomware attack in Australia?

    Possibly. If personal information was accessed you may need to assess and notify the and affected people under the . Unauthorised access can be enough. If you pay a ransom, the Cyber Security Act 2024 requires a separate payment report. This is general guidance, not legal advice; seek your own counsel.

  6. How long does ransomware recovery take?

    It varies with the size and state of the data. Initial containment and assessment happen straight away; rebuilding a large database is measured in days, not minutes. We give you a realistic picture early, and we separate what is confirmed recovered from what is still being reconciled.

The IronSights incident response team in Australia

Answered 24/7

Speak to our incident response team.

If your files are encrypted right now, call us. The sooner we preserve what's there, the more we can bring back. A real Australian responder, any hour.