Hospital databases rescued from ransomware.
A ransomware attack with the ‘Locky’ virus had severe effects on a large German hospital.
Many servers at the hospital were paralyzed by the virus, limiting operations. Uninfected servers were also affected during the panic, when their power supplies were disconnected while they were still in operation. In highly complex virtualized storage systems, an improper power shutdown can result in unexpected issues. This was the case for a Dell EqualLogic PS6500ES storage array with a total of 148 professional-grade 100-gigabyte hard drives. After the hospital’s IT staff and Dell’s technical support were unable to solve the problem, the specialists at Ontrack were called in to help. All of the drives were delivered to the data recovery laboratory in Germany, where they were assessed.
The Dell EqualLogic PS6500ES system typically contains multiple hard drives arranged on 16 or 48 hard drive shelves, which are connected together to form RAID 5 or RAID 50 systems (sub-arrays). These sub-arrays in turn are connected to ‘members,’ with one or more members belonging to a logical unit (a group). LUNs are created and stored in the group, then fragmented and distributed over all members and sub-arrays. They are ‘tracked’ by a map, which in turn distributes itself to the members or to the various sub-arrays when it gets proportionally large. In this case, our specialists discovered that, of the seven shelves with 148 hard drives, three shelves with 80 hard drives contained the LUN with the Oracle databases needed. However, many of the links (mappings) of the data fragments (which were distributed over all hard disks) were either corrupted or no longer available, so arranging the fragments proved to be a very difficult task. The mapping of an EqualLogic PS system is also encoded in a specific logic, so the links here aren’t easy to locate either.