Hospital databases rescued from ransomware.

Feb 20, 2020

An attack with the ‘Locky’ ransomware severely disrupted a large German hospital.

Many of the hospital’s servers were paralyzed by the ransomware, limiting operations. Servers that had not been infected were damaged as well: in the panic, their power was cut while they were still running. In a highly complex virtualized storage system an improper power-down can cause unexpected problems, and that is what happened to a Dell EqualLogic PS6500ES storage array with a total of 148 professional-grade 100-gigabyte hard drives. Pulling the power from running storage, instead of isolating it from the network, turned one incident into two. After the hospital’s IT staff and Dell’s technical support were unable to solve the problem, Ontrack’s specialists were called in. All of the drives were shipped to the data recovery laboratory in Germany, where they were assessed.

A Dell EqualLogic PS6500ES system typically holds its hard drives on shelves of 16 or 48 drives, which are combined into RAID 5 or RAID 50 sets (sub-arrays). These sub-arrays in turn belong to ‘members,’ and one or more members form a logical unit (a group). LUNs are created and stored in the group, then fragmented and distributed over all members and sub-arrays. The fragments are tracked by a map, which is itself spread across the members or the various sub-arrays once it grows large. In this case our specialists found that, of the seven shelves with 148 hard drives, three shelves with 80 hard drives held the LUN containing the Oracle databases that were needed. However, many of the links (mappings) to the data fragments, which were spread over all of the hard disks, were either corrupted or no longer present, so putting the fragments back in order proved very difficult. The mapping of an EqualLogic PS system is also encoded in a vendor-specific logic, so the links are not easy to locate either.

The solution

To reconstruct the links, engineers from several Ontrack offices developed new software tools specifically to solve the logic and corruption problems in the RAID and the LUN mapping.

With the help of the new tools, the engineers were able to recreate the RAID 5 and RAID 50 sets and present the LUN. Within this LUN lay a virtual hard disk (a VMDK file), and within it an NTFS file system holding the two Oracle databases. Two layers (the VMDK inside the LUN, then NTFS inside the VMDK) therefore had to be identified and recovered before the databases could finally be exported.
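The two recovery steps described above, rebuilding the RAID 5 sub-arrays and then reassembling the LUN from fragments whose map entries may be corrupt, as an added toy illustration. This is not Ontrack’s tooling and does not model Dell’s real on-disk format: it assumes a tiny chunk size, rotating parity, round-robin placement of fragments over three sub-arrays, and a CRC32 stored per map entry (an assumption made here so that a bad entry can be detected and the fragment found by scanning). The LUN contents are constructed sample bytes, not Oracle data.

```python
"""Toy model of recovering a LUN that is fragmented over RAID 5 sub-arrays.
Added illustration only: not Ontrack's tooling and not Dell's on-disk format."""
import zlib
from dataclasses import dataclass

CHUNK = 8  # bytes per stripe chunk (toy size; real arrays stripe in KiB-sized chunks)


def xor_blocks(blocks):
    """XOR equal-length byte blocks; RAID 5 parity is the XOR of a stripe's data chunks."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def raid5_write(volume: bytes, ndisks: int) -> list:
    """Stripe a logical volume over ndisks with rotating parity (one parity chunk per stripe)."""
    per_stripe = (ndisks - 1) * CHUNK
    volume += b"\0" * ((-len(volume)) % per_stripe)  # pad to whole stripes
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(volume) // per_stripe):
        stripe = volume[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * CHUNK:(i + 1) * CHUNK] for i in range(ndisks - 1)]
        parity_disk = (ndisks - 1 - s) % ndisks  # parity position rotates stripe by stripe
        data = iter(chunks)
        for d in range(ndisks):
            disks[d] += xor_blocks(chunks) if d == parity_disk else next(data)
    return disks


def raid5_read(disks: list, missing: int = None) -> bytes:
    """Reassemble the logical volume; chunks of an unreadable disk are rebuilt by XORing the others."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // CHUNK):
        parity_disk = (ndisks - 1 - s) % ndisks
        chunk = lambda d: bytes(disks[d][s * CHUNK:(s + 1) * CHUNK])
        for d in range(ndisks):
            if d == parity_disk:
                continue
            out += xor_blocks([chunk(o) for o in range(ndisks) if o != d]) if d == missing else chunk(d)
    return bytes(out)


def parity_rebuild_ok(volume: bytes, ndisks: int, lost: int) -> bool:
    """Self-check: stripe, destroy one disk, rebuild from parity, compare (volume must not end in NULs)."""
    disks = raid5_write(volume, ndisks)
    disks[lost] = bytearray(b"\xff" * len(disks[lost]))
    return raid5_read(disks, missing=lost).rstrip(b"\0") == volume


@dataclass
class MapEntry:
    fragment: int   # position of the fragment within the LUN
    subarray: int   # sub-array whose logical volume holds it
    offset: int     # byte offset within that volume
    length: int
    crc32: int      # checksum of the fragment (assumed here so a bad entry can be detected)


def lun_write(lun: bytes, volumes: dict, frag_len: int) -> list:
    """Distribute the LUN's fragments round-robin over the sub-array volumes and return the map."""
    ids, entries = sorted(volumes), []
    for n, i in enumerate(range(0, len(lun), frag_len)):
        frag, sid = lun[i:i + frag_len], ids[n % len(ids)]
        entries.append(MapEntry(n, sid, len(volumes[sid]), len(frag), zlib.crc32(frag)))
        volumes[sid] += frag
    return entries


def locate_fragment(e: MapEntry, volumes: dict, frag_len: int) -> bytes:
    """Brute-force search: try every fragment-aligned slot in every volume for a checksum match."""
    for vol in volumes.values():
        for off in range(0, len(vol), frag_len):
            cand = vol[off:off + e.length]
            if len(cand) == e.length and zlib.crc32(cand) == e.crc32:
                return bytes(cand)
    raise LookupError(f"fragment {e.fragment} not found in any sub-array")


def lun_read(entries: list, volumes: dict, frag_len: int):
    """Reassemble the LUN; an entry whose target fails its checksum is treated as corrupt and relocated."""
    pieces, relocated = [], []
    for e in sorted(entries, key=lambda e: e.fragment):
        frag = volumes[e.subarray][e.offset:e.offset + e.length]
        if zlib.crc32(frag) != e.crc32:
            relocated.append(e.fragment)
            frag = locate_fragment(e, volumes, frag_len)
        pieces.append(frag)
    return b"".join(pieces), relocated


def build_lun() -> bytes:
    """Constructed stand-in for the LUN's contents (not real Oracle data)."""
    return b"".join(f"ORACLE-BLOCK-{i:03d};".encode() for i in range(40))


def demo(lost_disk: int = 2, bad_entry: int = 3):
    frag_len, ndisks = 32, 5
    staging = {0: bytearray(), 1: bytearray(), 2: bytearray()}  # three sub-arrays
    lun_map = lun_write(build_lun(), staging, frag_len)
    disks = {sid: raid5_write(bytes(vol), ndisks) for sid, vol in staging.items()}
    # simulated damage: one disk of sub-array 1 is unreadable, one map entry points at the wrong sub-array
    disks[1][lost_disk] = bytearray(b"\xff" * len(disks[1][lost_disk]))
    lun_map[bad_entry].subarray = (lun_map[bad_entry].subarray + 1) % 3
    # recovery: rebuild each sub-array's volume from parity, then reassemble the LUN through the map
    volumes = {sid: raid5_read(d, missing=lost_disk if sid == 1 else None) for sid, d in disks.items()}
    return lun_read(lun_map, volumes, frag_len)


if __name__ == "__main__":
    data, relocated = demo()
    print("LUN intact:", data == build_lun(), "relocated fragments:", relocated)
```

The order of operations is the point: the RAID layer must be rebuilt before the map can be trusted at all, and even then each map entry is verified rather than followed blindly, because a corrupt link silently returns the wrong fragment. Real arrays carry no per-fragment CRC in the map; a recovery engineer would substitute structural checks such as file-system or database block signatures.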

The resolution

The team of data recovery engineers from several Ontrack offices was finally able to extract and recover the required databases and send the data to the client by courier.

The hospital was very pleased with the way Dell brokered the hand-off to Ontrack, and with finally having all of its important data available again. In addition, the tools developed for this project can be reused in future data recovery cases involving Dell EqualLogic PS Array systems, significantly reducing recovery times.