If you are reading this with encrypted files on your screen, here is the short version: more is usually recoverable than the ransom note wants you to believe. Not always, and not everything, but the answer depends on a handful of specific factors you can assess, not on luck. This guide walks through them in plain language.
Why encrypted files are often not fully encrypted
Encrypting a terabyte properly takes time, and time is the attacker's enemy. So most modern strains cheat. They scramble the first part of each large file and leave the rest untouched, or encrypt in stripes through the file. To Windows the file looks destroyed: it will not open, the extension has changed, and every tool reports corruption. Underneath, a large share of the actual data is often still there.
That is the basis of partial- recovery: measuring which regions of each file are genuinely scrambled, locating the intact structures underneath, and rebuilding them into something usable without the attacker's key. We explain the method in detail in our ransomware data recovery guide.
The factors that decide recoverability
- The strain. Families built for speed, including the Makop and Phobos variants behind the .ndm448 extension, partially encrypt large files. Slower, more thorough strains leave less behind.
- The file type. Databases, virtual disks and archives are built from fixed-size blocks with their own internal identifiers, which is what makes rebuilding possible. Small files are usually a loss, because encrypting a small file completely costs the attacker nothing.
- The size. The larger the file, the smaller the encrypted fraction tends to be. A multi-gigabyte database is a far better candidate than a folder of spreadsheets.
- What has happened since. Every rebuild, cleanup scan and restore-over-the-top overwrites material a recovery would have used. The less the affected systems have been touched, the better the odds.
What to check before anyone pays
Work the options in order: verified offline backups first, then shadow copies and snapshots, then partial-encryption recovery, then a public decryptor (check nomoreransom.org, but do not plan around it), then rebuilding from source systems such as SaaS platforms and bank records. Payment sits below all of those. It funds the offender, guarantees nothing, and in Australia it now carries its own 72-hour reporting obligation under the Cyber Security Act 2024.
What we can tell you up front
An initial assessment is quick. The strain, a sample of the encrypted files and their sizes tell us a great deal before any work begins, and we will tell you honestly what looks recoverable and what does not. A recovery effort is method and evidence, not a promise. If you are in the middle of this right now, call 1300 004 766: it is answered by a person, 24 hours a day. And whatever else happens, keep the encrypted files. Deleting them removes the option that most often saves the day.



