Ransomware decryption key from memory ?

[uhoh]

I am helping out with a ransomware incident. Some of their computers were virtual machines, and they were suspended during the ransom event (while the ransomware was encrypting). This means there is a copy of the memory at that point in time.

My understanding is that most (all?) "professional" ransomware nowadays uses public/private key encryption and also use per-file encryption keys, so even if there would be AES or RSA keys in memory, they will be of limited use?

I'd love to hear your thoughts on this avenue of recovery. I would like to share more details, but as this is a recent event I can't share details less it exposes the affected company (or the group takes issue).

[JustTryingtoHelp]

You could in theory mount the snapshots and recover individual files with some data recovery tool on another PC I guess but there's no way without looking at the ransomware itself to determine whether the decryption keys would be stored in memory or not or if there are even other protections in place like memory randomization to stop you from being able to just pluck keys from such an idea. It is an interesting idea though and in some cases it may be possible. I don't see why not. As long as you have found the keys you should be able to reverse the encryption on the files. 

*That's my understanding - I'm sure there are others here that would provide a more thorough approach/explanation. ✌️

[NeonPayload]

I know I'm late to the post, but wouldn't ransomware use some sort of public-key crypto, so that the private key never reaches the system without the victim paying?