The Situation: ransomware attack
A client recently experienced a remote ransomware attack that resulted in Ontrack engineers being presented with one of their most extraordinary data recovery efforts to date: restoring 120 damaged HDDs within an IBM SVC Storwize v7000 system…with no backup to rely on.
The Solution: Extensive research, adjusted recovery tools to rebuild DRAID
After noting the critical nature of the project, Ontrack’s data recovery experts proceeded with a comprehensive process to potentially restore the deleted data:
- Consultation
The Ontrack team was able to join the client’s team and scope the data loss event and the storage systems impacted. Based on the scope set forth, Ontrack was able to determine a project plan, set timing expectations and determine costs for data recovery.
- Diagnosis
Data recovery engineers used Ontrack’s proprietary tools to analyze the disks, determine the likely array configuration, and detect indications of Windows storage space and VMware storage virtual machines.
- R&D Simulation and Software Programming
After the initial diagnosis, engineers analyzed a minimal hardware setup of the IBM SVC Storwize v7000 as a means of detecting the layout of the on-disk structures used to map RAID arrays, including managed disks, SVC pools, virtual disks, and physical disks (= LUN).
Ontrack then began to work closely with the client’s IT department to get the hardware running on a new setup of the IBM SVC Storwize v7000 system.
Simulations were performed to see if the client’s environment could be recreated on the live hardware and if any structure could be found to possibly reconstruct the deleted data. All findings regarding the simulated structures were compared to the structures on the original hard drives.
A positive prediction was formed based on the comparison of the structures, and Ontrack was able to move forward with the creation and modification of proprietary tools to extract functional storage systems and proceed with successful SAN system data recovery.
- Data Recovery
With an enormous challenge ahead of them, Ontrack’s data recovery experts performed extensive research on IBM’s proprietary software which resulted in engineers modifying their recovery tools to allow for the virtual rebuild of the DRAID that was in use on the IBM system.
Figuring out the distribution patterns for DRAID proved to be the most intricate part of the recovery process, given that all of the data sitting on the DRAID6 MDisk was combined with a number of other MDisks and dynamically allocated multiple levels of both VDisks and Dynamic Disks.
Once the array was virtually rebuilt, the Ontrack team was able to virtually rebuild the volumes, transforming them into 1,152 devices in order to display the overall layout of the available data they contained, generate reports for the client and complete the IBM Storwize data recovery.
The Resolution: data recovery solution for IBM Storwize systems is now available
When the client initially introduced the issue, there was little hope for full (if any) recovery given the complex nature of the IBM Storwize data storage system. However, thanks to the diligence of our engineers, an unprecedented Ontrack data recovery solution for all IBM Storwize systems is now solely available via Ontrack.