A business client’s HP server ran RAID 10 — mirrored and striped, redundant by design — and ransomware walked straight past all of it: redundancy protects against dying disks, not hostile software, and the mirrors had faithfully replicated the encryption. Vital files locked, ransom note in place, operations stopped.
First moves were containment: the array came off the network before anything else, and every disk received a forensic copy so that no recovery step would touch the infected originals. The physical layer, notably, was healthy — this was a purely software-borne disaster — so the RAID 10 was rebuilt virtually from the copies and intact, unencrypted material extracted first from the mirrored pairs. Then the encryption itself: the strain was identified from its notes, extensions and behaviour, and it proved to be one with a working decryption route — applied against the copied data, never the originals, with results verified file by file as they unlocked.
98% of the business’s critical data was restored without a penny reaching the attackers, and the engagement closed with the hardening conversation every ransomware survivor needs: endpoint protection, genuinely air-gapped backups that malware can’t reach, and monitoring that raises alarms early. Two honest footnotes travel with this file: mirrors mirror everything, encryption included — RAID is not backup; and decryption succeeded here because this strain had a known route, which is exactly why identification comes before promises on every ransomware job.
Hit by ransomware? The order of operations decides everything — isolate, preserve, identify, and pay nobody. The ransomware page walks the first hour. The first step never changes: a free diagnostic and a fixed written quote before anything is at stake — or call 0131 202 0491 and describe what happened.