Recovering data from ransomware attacks

Written By: Ontrack

Date Published: Nov 12, 2020 12:00:00 AM

Recovering data from ransomware attacks

When organizations are struck with ransomware, and crucial data can’t be accessed, it can be an extremely stressful time for all involved. Getting access to that critical data as quickly as possible is vital to ensure downtime is minimised and your organization can get back to normal.  

The last few years have seen ransomware attacks become more prevalent, so our team of highly skilled engineers have been working hard to ensure we have the expertise to recover data from a range of different malware.   

Even though no ransomware case is the same, there are three main types: 


A simple form of ransomware that consists of fake computer programs designed to trick a user into buying or downloading dangerous software.  

Lock screen viruses 

A virus that locks the user’s computer and displays a full-size window with a message stating that the user must pay a ransom to unlock the computer. 

Encryption ransomware               

The attacker infiltrates a computer’s data and file structure, encrypting every file and folder. 

What to do if you’ve been hit by ransomware? 

  1. Remain calm. Any rash decisions could cause further data loss. 
  2. Check your most recent set of backups.
  3. Do not pay the ransom as there is no guarantee you’ll get your data back. 
  4. Contact us for advice and to explore data recovery options. 

Below are some examples of successful ransomware data recovery cases we have completed. 

Ransomware attacks server – backup tapes erased

A ransomware attack of a company server encrypted the Microsoft Dynamics 365 data and demanded payment. Recent backups of the server were stored on multiple LTO-6 backup tapes, which had been erased by the malware. 

After assessing the extent of the ransomware attack, Ontrack representatives identified the company’s backup tapes as the best option for data recovery—even though the malware had erased them. 23 LTO-6 backup tapes from the backup library were sent to Ontrack’s office. The engineers worked in conjunction with the research and development department to develop a custom solution to recover the data from the erased backup tapes.

Ontrack was able to restore 46TB of data from 18 of the LTO-6 tapes. Due to the type of attack on the tapes, Ontrack had to repair the logical damage, shipping the data and tapes separately back to the customer.

Ontrack is assisted by NetApp’s technology to solve a ransomware infection.

A single user’s laptop at a large pharmaceutical company was infected with CryptoLocker ransomware.

 This type of malware encrypts the user’s files and withholds the encryption key until you pay the ransom amount. The laptop was connected to the corporate network, which allowed the malware to infect a CIFS volume that was set up as a file share on a NetApp FAS. The malware was able to infiltrate the file share and encrypt most of the files. The IT team was not notified of the infection until after the backup retention period had expired, meaning that the backup contained only encrypted data. The total impact resulted in inaccessible data on: 

■ 46 drives

■ One aggregate

■ One volume infected on a RAID-DP

To perform the recovery, the aggregate needed to be taken offline, which affected 17 volumes in total. The customer brought their 46 drives into our lab for evaluation, and Ontrack engineers got to work on a solution.

 The engineering team from Ontrack:

■ Virtually rebuilt the RAID groups which were strewn across ten different shelves.

■ Virtually rebuilt the aggregate.

■ Virtually rebuilt the critical volume.

An additional challenge on this recovery was that the aggregate was in use for two weeks after the incident occurred, which resulted in some data being overwritten.

Ontrack was able to virtually rebuild the volume containing the CIFS share and encrypted data.

Leveraging NetApp’s proprietary OS (OnTap) and file system (WAFL), Ontrack engineers used multiple consistency points to “walk back” in time to find and merge unencrypted copies of the critical data to return to the customer. This type of recovery is only possible on storage like NetApp’s FAS because of the way the data is stored on the volume.

 You can read more about how we have helped our customers recover data after a ransomware attack here. 



KLDiscovery Ontrack, LLC, 9023 Columbine Road Eden Prairie, MN 55347, United States (see all locations)