Data Recovery from Malware-Infected Virtual Files

Feb 24, 2023

The Client

International airport


The customer suffered a cyberattack that left 100 servers partially encrypted. The ransom demanded by the hacker was over 400,000€. Federal police were unable to identify the ransomware type but determined that it had been designed specifically to target the organisation. 

The customer had a SAN with 50 drives. After forensic analysis, it was found that all data inside the LUNs had either been deleted or overwritten. The attack affected six LUNs, each 25TB in size, with different file systems: four ReFS and two NTFS.


Ontrack’s engineers managed to repair the logical damage, allowing the recovery of every file in the four ReFS systems. The Ontrack team then created a custom tool that allowed them to piece together the NTFS file system and duplicate the database, so that the data from a backup could be extracted and delivered to the customer.


Ontrack engineers were able to overcome the odds and recover the client’s critical data, avoiding a large ransom payment.