Ransomware Recovery – Veeam Agent for Windows

The Client

The Situation

A health care customer was affected by a ransomware attack that not only targeted their server data, but also “Veeam Agent for Windows” backups located on an external HDD. Their IT / managed services provider agreement did not include regular off-site backups, so this was the only copy of the data that existed.

The Solution

 

The customer was able to send the affected HDD to Ontrack, where an image of the drive was taken to preserve the original state of the customer media.

Ontrack engineers assessed the damage to the affected Veeam backup files and identified that partial recovery would be possible as the files had not been fully encrypted, meaning there was a chance that some data could be recovered from within the files. However, it was determined that the version of Veeam used was newer than Ontrack could support with current tools and required development assistance.

With a global engineering presence, as well as internal development teams that maintain and improve our proprietary tools, Ontrack was able to research, develop and implement support for the new version quickly. In fact, much of the time-intensive research required had already been completed for similar jobs seen in our European offices. This allowed Ontrack developers to quickly and efficiently modify tools to the level required to be able to support this restore scenario. Rather than building out a fully-fledged tool, Ontrack engineers were able to use the improved version of the tools to complete searches for required structures to allow them to manually rebuild internal components critical to the recovery of data from within the file.

The Resolution

Once repairs to the files had been completed, engineers were able to use their remaining Veeam tool set to complete an extraction of data from within the repaired files. The recoverable data consisted of many flat file data types that had been completely lost to the customer during the ransomware attack.

Ransomware attacks server – backup tapes erased

The Client

The Situation

A ransomware attack of a company server encrypted the Microsoft Dynamics 365 data and demanded payment. Recent backups of the server were stored on multiple LTO-6 backup tapes, which had been erased by the malware. 

The Solution

After assessing the extent of the ransomware attack, Ontrack representatives identified the company’s backup tapes as the best option for data recovery—even though the malware had erased them. 23 LTO-6 backup tapes from the backup library were sent to the Ontrack office in Böblingen, Germany. Working in conjunction with the R&D department in the United Kingdom, Ontrack developed a custom solution to recover the data from the erased backup tapes.

The Resolution

Ontrack was able to restore 46TB of data from 18 of the LTO-6 tapes. Due to the type of attack on the tapes, Ontrack had to repair the logical damage, shipping the data and tapes separately back to the customer.

Accidental Deletion of Virtual Machines Results in 15TB Lost.

The Client

The Situation

An accidental deletion at a large wireless provider causes a massive loss of email databases.

The wireless carrier stored all of their Microsoft® Exchange databases spread across 24 separate 2TB LUNs on an EMC® VNX 5400 using VMware® virtual machines. It was also set up so each database had a mirror copy on a different LUN. All of the virtual machines were accidentally deleted resulting in the loss of email for the entire company.

The Solution

The client originally contacted VMware for support.

When VMware’s support team realized the extent of the data loss, they immediately contacted Ontrack for assistance. An Ontrack® Data Recovery™ Engineer assessed the situation and determined that a remote data recovery would be the fastest and most cost-effective option for the customer. The engineer fully explained the process and the client agreed and connected the LUNs to Ontrack’s proprietary Remote Data Recovery system for 24 hour emergency service. Ontrack assembled a team of three data recovery engineers and two developers in order to provide the fastest possible recovery.

The Resolution

The Ontrack developers quickly created the tools needed to improve the success of the recovery. After only a few hours, the first virtual machine was rebuilt allowing for the extraction of the Exchange databases to be returned to the customer. The team continued to rebuild all of the critical virtual machines until the client’s email was back in production. At the end of the project, a total of 15TB of data was recovered with minimal downtime for the client.

New tools made recovery from highly specialized EMC® Isilon® big data storage possible.

The Client

The Situation

The pharmaceutical company lost almost 4 million files of highly critical research and development data when moving files within the Isilon storage system.

The “lost files” were mostly raw data gathered from chemical analysis in ongoing laboratory research work. The firm, together with EMC support, was able to recover 90 percent of the data using a standard rebuild process. To recover the desperately needed remaining files, Ontrack was contacted by the customer for help. Ontrack worked with the EMC support in order to get detailed information on the situation.

The Isilon IQ 6000x, designed for big data, consisted of four nodes with 15 terabytes of data storage in total with 500 gigabyte hard drives installed.

It was set up as a single volume where all of the data was striped across the disks. Unlike a traditional RAID system, Isilon systems are built on the concept of a huge data lake where all data is stored and managed inside one data pool. To manage the system and this “data lake” a unique file system was created by Isilon called OneFS. In this case one of the four nodes inside the system experienced a kernel panic and several disks showed multiple errors. EMC was able to gather most of the files with a rebuild before a consistency check showed that several disks had errors. To recover the missing data, the file system had to be analyzed by the Ontrack team to find out how the data was laid out in the whole storage system.

The Solution

To find out how the data originally was distributed over the disks and determine the data mapping, Ontrack s own R&D department developed a brand new set of tools unique to the OneFS.

With these tools, an existing OneFS volume can be analyzed in depth and missing or faulty data file structures inside the “big” data lake can be discovered even more quickly. With the now gathered information on how the data structure of the Isilon system was setup, the engineers were finally able to rebuild and recover the missing data.

The Resolution

In the end, Ontrack engineers were able to recover almost all of the missing files with only a couple of bad files due to damaged encryption.

The client was delighted that Ontrack handled such a complex recovery so quickly. None of the confidential data was compromised and the solution provided by Ontrack was cost-effective and completed within a very short timeframe. With the newly developed tools for this case, Ontrack is currently the only data recovery service provider with the ability to recover data from Isilon storage systems.

Ontrack is assisted by NetApp’s technology to solve a ransomware infection.

The Client

The Situation

A single user’s laptop at a large pharmaceutical company was infected with CryptoLocker ransomware.

This malware encrypts the user’s files and withholds the encryption key until you pay the ransom amount. The laptop was connected to the corporate network which allowed the malware to infect a CIFS volume which was set up as a file share on a NetApp FAS. The malware was able to infiltrate the file share and encrypt the majority of the files. The IT team was not notified of the infection until after the backup retention period had expired, meaning that the backup contained only encrypted data. The total impact resulted in inaccessible data on:

■ 46 drives

■ 1 aggregate

■ 1 volume infected on a RAID-DP

To perform the recovery, the aggregate needed to be taken offline, which affected 17 volumes in total.

The Solution

The customer brought their 46 drives into our New Jersey lab for evaluation and Ontrack engineers got to work on a solution.

The engineering team from Ontrack:

■ Virtually rebuilt the RAID groups which were strewn across 10 different shelves

■ Virtually rebuilt the aggregate

■ Virtually rebuilt the critical volume

An additional challenge on this recovery was that the aggregate was in use for two weeks after the incident occurred which resulted in some data being overwritten.

The Resolution

Ontrack was able to virtually rebuild the volume containing the CIFS share and encrypted data.

Leveraging NetApp’s proprietary OS (OnTap) and file system (WAFL), Ontrack engineers used multiple consistency points to “walk back” in time to find and merge unencrypted copies of the critical data to return to the customer. This type of recovery is only possible on storage like NetApp’s FAS because of the way the data is stored on the volume.

Hospital databases rescued from ransomware.

The Client

The Situation

A ransomware attack with the ‘Locky’ virus had severe effects for a large German hospital.

Many servers at the hospital were paralyzed by the virus, limiting operations. Uninfected servers became affected during the panic when their power supplies were disconnected while they were still in operation. In highly complex virtualized storage systems, an improper power shutdown can result in unexpected issues. This was the case for a Dell EqualLogic PS6500ES storage array with a total of 148 professional grade 100-gigabyte hard drives. After the hospital’s IT staff and Dell’s technical support were unable to solve the problem, the specialists at Ontrack were called in to help. All of the drives were delivered to the data recovery laboratory in Germany where they were assessed.

The Dell EqualLogic PS6500ES system typically contains multiple hard drives arranged on 16 or 48 hard drive shelves and are connected together to form RAID 5 or RAID 50 systems (sub-arrays). These sub-arrays in turn are connected to ’members,’ with one or more members belonging to a logical unit (a group). LUNs are created and stored in the group, then fragmented and distributed over all members and sub-arrays. They are ‘tracked’ by a map, which in turn distributes itself to the members or to the various subarrays when it gets proportionally large. In this case our specialists discovered of those seven shelves with 148 hard drives, three shelves with 80 hard drives contained the LUN with the Oracle databases needed. However, many of the links (mappings) of the data fragments (which were distributed over all hard disks) were either corrupted or no longer available, so arranging the fragments proved to be a very difficult task. The mapping of an EqualLogic PS system is also encoded in a specific logic, so the links here aren’t easy to locate either.

The Solution

To map the links, specialist engineers from other Ontrack offices developed new software tools to specifically solve the logic and corruption problems regarding the RAID and the LUN mapping.

With the help of the new tools, the engineers were able to recreate the RAID 5 and RAID 50 systems as well as display the LUN. Within this LUN a virtual hard disk (a VMDK file) was located, in which an NTFS file system with two Oracle databases were hidden. Two file layers had to be identified and recovered within the LUN before these databases could be finally exported.

The Resolution

The team of data recovery engineers from several Ontrack offices were finally able to successfully extract and recover the required databases and send the data by courier to the client.

The hospital was very pleased with the mediation support from Dell to Ontrack and the fact that they finally had all their important data available again. In addition, the tools developed for this project can be used again in upcoming data recovery cases of Dell EqualLogic PS Array systems, significantly reducing future data recovery times.

Ontrack Provides Database and Backup Restores After a Flood.

The Client

The Situation

Dell Equallogic™, Storage Area Network, VMware ESX base and RAID 10 backup server.

A flash flood in Baden-Wurttemberg, Germany in Spring 2016 permeated the walls of a server room in a hobby and art supplies store, severely affecting the IT system.

Vast amounts of water flooded into the server room affecting two Dell devices: an EqualLogic SAN with 96 hard drives and a RAID 10 backup server with 12 hard drives.

The storage capacity of the SAN hard drives was between 300 and 700 gigabytes and the backup server contained 24 terabytes of data. About 30 terabytes of data were lost when the SAN volume and the iSCSI connections for the SAN in a VMware ESX Server were damaged. Due to the importance of the data and that most of it contained critical customer information, an emergency recovery was arranged with Ontrack. Several SAN virtualized LUNs running in a VMware environment were prioritized as critical information, with one of them storing a particularly important Oracle database that needed to be recovered as soon as possible. The client also needed to recover two additional LUNs with important data, as well as all the data on the backup server.

The Solution

After working with the client to assess the data loss and prioritize the data that needed recovering, it was determined that the hard drives in both systems needed to be processed simultaneously. All the hard drives were picked up by Ontrack and delivered to the data recovery lab in Boblingen, Germany.

Upon arrival, the hard drives were initially processed in a cleanroom environment to safely remove dirt and inspect the full extent of the damage. The data on each hard drive and its server location were also documented at this time.

Fortunately, the drives in the SAN had no mechanical problems and could be read properly. However, some of the drives from the backup server were faulty and these had to be processed further in the cleanroom in order to extract copies of the data.

The SAN data recovery was very complex, as the water damage interrupted the connection to the VMware ESX Server and the power supply while in operation. This meant that the mapping links to the EqualLogic SAN and the LUNs in the VMFS datastores (as well as the Oracle database and other files) were heavily corrupted.

To perform the recovery, Ontrack’s proprietary data recovery software tools were required to reconstruct the system and the file structures in order to get to the actual files. However, reassembling the Dell backup server was relatively easy since it hardly experienced any data corruption.

The Resolution

The engineers from Ontrack’s Boblingen data recovery lab succeeded in reconstructing the main points of both affected devices so that the data could be accessed again, including the critical Oracle database and the full backup.

Overall, the customer was very satisfied with the work of the recovery experts from Ontrack. The recovery efforts were also mediated by the Dell Support Team so the data could be restored into a new storage system, as the information required was urgent and needed as soon as the recovery was complete.

Missing Dell® EqualLogic™ LUNs Recovered via Remote Data Recovery.

The Client

The Situation

A large municipal event center in the US lost data on a Dell® EqualLogic™ iSCSI SAN configured with in a RAID 50 running VMware® ESXi™ 5.5.

VMware snapshots filled up the datastore causing the system to crash. The customer attempted to delete one of the snapshots, but after four hours of processing without success, they had to give up. Working with VMware support, they were able to get the VMware ESXi 5.5 host to boot, but were missing critical data from six of the iSCSI LUNs. This system was unique because it was using the EqualLogic LUNs as raw device mappings (RDMs) attached to the guest instead of the traditional virtual disks (VMDKs) on VMFS datastores.

The Solution

The event center called Ontrack at noon on a Saturday for emergency service.

Highly-trained data recovery engineers connected remotely to the EqualLogic LUNs using their proprietary remote data recovery (RDR) solution and started assessing the damage. During the evaluation, the engineers were able to locate the snapshots containing the missing data and virtually apply them to RDMs. Once the snapshots had been applied, the Ontrack engineering team was able to access the underlying NTFS volume, virtually repair the NTFS corruption, and extract the data.

The Resolution

Within 12 hours Ontrack was able to reunite the customer with the lost data which totaled over 250,000 files (-250GB of data).

“I was most impressed with the customer service I received from Ontrack throughout the data recovery process, the speed at which all the data was restored and the fact that during the entire restore process we were able to have our live environment up and running.”

Ontrack recovers over 230 million files from Commvault database.

The Client

The Situation

A large North American based manufacturer of building materials experienced a serious data loss due to a corrupt database file on their Commvault Media Server.

The client’s data storage solution consisted of the Commvault server as well as a Media Agent under the Commcell® management system. A Commvault Simpana® 9 was used for backup and archiving. The company lost access to media files crucial to the operation of their business.

The client attempted to open one of its virtual tape library backups only to find the MediaAgent database file, the gateway to the files on the media server, was corrupted and showed zero bytes in size.

The virtual tapes and the files stored inside the media server were still intact, but were not able to be accessed. The client contacted Commvault support and they attempted to retrieve the missing data from the media agent volume residing on the deployed Dell® MD1200 storage using the Commvault Media Explorer Tool. Their efforts proved to be unsuccessful. More than 3500 virtual tapes and 25 tape-sets were lost resulting in over 230 million inaccessible files. Fortunately, the client was able to copy the entire volume from the Dell server to external disks by using the Commvault Simpana 9 and sent them to Ontrack to recover the data. Unfortunately, the metadata containing the shortcuts leading from the database towards the files was not transferred with the media agent volume; therefore the files still could not be reached. Intensive investigation was necessary in order to discover the data mapping.

The Solution

Ontrack engineers were able to rebuild the original structure of the virtual array with the information contained on the external hard disks.

To reconstruct the data mapping used by the Commvault system, Ontracks internal software development team researched how Commvault distributes files, over the whole storage system and the built-in disks. After determining the custom mapping used by Commvault and decoding the virtual array, another challenge arose when the engineers discovered the virtual tape backup sets were also de-duplicated. The Ontrack software developers and data recovery engineers were able to create custom tools to

read the files from the system, rebuild the missing catalog and mapping information, and gain access to the file data. The engineers were then able to restore the files upon extraction and remove the de-duplication.

The Resolution

In the end, Ontrack engineers were able to recover the missing tape libraries as well as tape-sets with the 230+ million files included in just a couple of weeks.

The client was amazed at the success and speed of the recovery. With the insights gained into the Commvault system and the newly developed tools, the data recovery specialists at Ontrack are able to retrieve data even faster from all Commvault-based systems.

Accidental wipe command brings down critical production database server.

The Client

The Situation

A Korean based managed service provider attempted to make configuration changes to their client’s NetApp system when an engineer incorrectly started a ‘dd’ command on some LUNs, effectively wiping the data that was part of the of end user’s production Sybase server

Without access to the data, the managed service provider potentially faced loss of contract from their client, as well as potential liability costs.

The client had a NetApp FAS8060 system containing 161 x 900GB SAS HDDs, arranged into two separate aggregates (68 drives + 93 drives). The customer was presenting 3 x 468GB FC LUNs from each aggregate out to a Sybase server. The 6 total LUNs were combined into a single Disk Pool, with three logical volumes carved out of the Pool. An incorrect ‘dd’ command had written zeroes to approximately 45GB of one of the logical volumes, and this volume was no longer visible to the Sybase server.

The Solution

During the original consultation, our engineer instructed the customer to bring the aggregates offline to avoid any further overwrite damage. The aggregates were brought offline with 12 hours from when the original data loss event occurred. The client presented all 161 HDDs from both aggregates to a single Windows machine and connected this to Ontrack’s RDR (Remote Data Recovery) server. Initial inspection showed that both aggregates were named “aggrO,” which eliminated our engineer’s ability to automatically rebuild the aggregate. The drives were sorted into aggregate groups and the aggregates were manually rebuilt. Our engineers were then able to rebuild the aggregates to a point in time as close as possible, but prior to the ‘dd’ damage occurring, with the separate aggregates rebuilt to a point in time within two minutes of each other.

The Resolution

Our engineer was unable to extract or examine the internal data because the logical volumes were used as RAW storage by the Sybase server. All six LUNs were then extracted as flat files to external storage. NetApp support was able to assist to present these LUNs back to the Sybase server. The recovered logical volumes passed integrity checks on the Sybase server and the client confirmed that everything was working properly. The end user’s database server was able to be brought back online within a few days of the failure with no loss of data.

Four terabytes of data recovered from flood damaged HP EVA SAN

The Client

The Situation

A flooded data center left a client’s servers and storage systems partially submerged in water.

At the center of the damage was a HP Storage Works EVA (Enterprise Virtual Array) 6000 containing business critical SQL database files as well as employee file shares. The EVA sustained substantial physical damage due to the flood water preventing access to the data. The severity of the damage from the flood was increased when an attempt was made to access the data by powering on the drives that were still wet. The customer contacted HP Support for help and they handed the project over to Ontrack.

The SAN consisted of 80 hard disk drives which were divided into 2 EVA disk groups; in total there were 18 virtual RAID volumes consisting of both VRAID1 and VRAID5.

A HP EVA system is fully virtualized and has a unique way to write data which adds to the complexity of any data recovery effort. It works with disk groups and virtual disks instead of normal RAID sets and logical drive volumes. The disk groups consist of physical drives organized in a proprietary manner. LUNs or Virtual disks (vDisks) in an EVA are then distributed over all of the installed HDDs.

The Solution

Due to the physical damage, all of the drives were sent to one of Ontrack´s cleanroom facilities to be assessed.

Once the 80 drives were decontaminated and cleaned, 55 were found to be fully recoverable. 25 of the drives had severe water damage and were not recoverable. To regain access to the data on the damaged drives, the engineers needed to research how the EVA RAID and file system was structured. After the engineers were able to map the disk groups and determine how the vDisks were distributed, they had to rebuild the whole EVA system. To recover the data included in the vDisks, the R&D team and its software developers had to create completely new tools to extract the data. Once the development was complete, Ontrack engineers virtually assembled the disk groups and virtually rebuilt the vDisks which allowed access to the underlying file systems. The file systems were virtually repaired and the data extracted.

The Resolution

After extensive development, reengineering and recovery work the project successfully ended.

With the newly created tools the data recovery specialists were able to recover four terabytes of sensitive data including the critical SQL database files. In all, approximately 86 percent of the total data lost was recovered. With the HP EVA SAN data mapping knowledge gained and the integration of the newly developed tools, Ontrack is able to quickly recover data from all models of the HP Enterprise EVA storage systems.