Technical whitepaper · Case study
Reading around ransomware: recovering data and evidence from partially encrypted files.
How a business database and a domain controller were recovered from a ransomware attack without paying and without breaking the encryption, and the validation and investigation discipline that made the outcome trustworthy.
Abstract
The short version of a hard recovery.
Organisations hit by ransomware are usually told that their only options are to restore from backup or to pay for a decryption key. When backups have failed and no key is available, the data is written off. This paper documents a different outcome, drawn from a real engagement, and the discipline required to reach it safely.
The enabling weakness is partial encryption: to run quickly on large files, many ransomware families overwrite only the front of each file and leave the bulk of the payload intact. Nothing in this work breaks the cryptography. The recovery reads around the damage rather than attacking the mathematics, exploiting a weak implementation rather than a weak cipher.
We then argue the central point: a recovery that reports success is not a verified recovery. And because the same reading of intact structures recovered the system logs, the effort became an investigation as well as a recovery.
Keywords: ransomware, intermittent encryption, partial encryption, data recovery, data validation, incident response, digital investigation, indicators of compromise.
Key findings
What the case actually shows.
Partial encryption is a recovery opportunity
To run fast, ransomware overwrites only the front of large files and leaves the bulk of the data intact. The recovery reads around the damage. It never breaks the cipher.
The technique fits the artefact
A database is rebuilt by page-level carving of its intact pages. A virtual disk is recovered by computing its layout and reading the intact filesystem directly: whole files, not fragments.
A recovery is not a verified recovery
Carving tools report success and hand back data that looks complete but is quietly wrong. Only reconciliation against a point-in-time baseline separates real data from artefacts.
Recovery doubles as investigation
The same reading of intact structures recovered the system logs, which established the indicators of compromise and reconstructed exactly how the attack unfolded.
The outcome
Around three-quarters of the records returned, without paying, without the attacker's key, and without breaking the encryption.
Foreseeable, and foreseen
The controls that would have prevented it were unremarkable, and a prior security assessment had predicted the attack path exactly.
The dangerous failure mode is not a recovery that errors. It is one that succeeds and lies.
The paper's central argument.
The idea in two diagrams
Read around the damage, never through it.
Inside the full paper
Nine sections, fully worked.
The complete case study, with the concrete disk offsets, the crypto construction, the validation checks, and the investigation discipline, is in the whitepaper.
Download the PDF12 pages · ~15 min read
- 01
Background
Partial encryption, and the principle of reading around the damage rather than through it.
- 02
Recovery methodology
Establishing which regions survived, the two recovery techniques, and rebuilding.
- 03
Validation
Why a recovery that reports success is not a verified recovery, and the two checks that catch it.
- 04
The engagement
The three recovery mechanisms across a database, a domain controller, and the initial foothold.
- 05
Establishing what happened
Confirmed versus indicated, multi-source corroboration, and the credential-cascade blast radius.
- 06
Results and honest limits
What the approach returns, and plainly where it does not apply.
- 07
Prevention
The controls that would have stopped it, and the fact that the path was foreseen.
- 08
Reporting obligations
How recovery sits alongside breach-notification and payment-reporting duties.
How to cite
Balloot, R. (2026). Reading around ransomware: recovering data and evidence from partially encrypted files. IronSights, Sydney.
About the author
Ryan Balloot is the managing director of IronSights, a Sydney cyber security firm he founded out of a passion for securing small business, and a Microsoft Certified: Cybersecurity Architect Expert. Contact [email protected] or 1300 004 766.
In an incident now?
Hit by ransomware? You might not have to pay.
If your backups are gone and a ransom is on the table, talk to us before you pay. We assess what is recoverable and what your obligations are.
