Ransomware VBK Recoveries on Tape - Server & NAS Systems

Written By: Ontrack

Date Published: 15 August 2022 21:23:53 EDT

Ransomware VBK Recoveries on Tape - Server & NAS Systems

The Situation

The Ransomware attacked volume was originally also used to back up data to LTO8 tapes at regular intervals. Most of these backup tapes were also in the tape library at the time of the incident and were quickly formatted by the attackers. However, the customer was able to save an original unformatted tape with a fairly old backup date, which was then completely restored to the now empty Windows volume with a total of 6 TB. Only then was Ontrack commissioned to examine data recovery options. The HP server DL380 with the 55 3TB hard disks were transported to Ontrack in Böblingen, Germany.

The Solution

During the diagnosis, a large number of the searched VEEAM vbk files were successfully found on the Windows volume with Ontrack Tools and 27 records were extracted according to a priority list. The restore of the LTO8 tape partially overwrote some of the data sets and damaged the backup files. 

The Resolution

A large part of the data could still be repaired and extracted in several steps.

Later on, 19 significantly older LTO8 quick formatted tape backups were successfully recovered too.The attack also affected numerous European sub offices of the customer. Here were predominantly QNAP NAS systems in use which had stored virtual VMs under VMware, including backup VMs that were partially deleted or internally reformatted with another file system. Ontrack was also able to successfully restore complete backup 90% of the data in the seven cases ordered.

Subscribe

KLDiscovery Ontrack Limited, Nexus, 25 Farringdon Street, London, EC4A 4AB, United Kingdom (see all locations)