Ransomware Recoveries on Tape – Server and NAS Systems

Challenge

This customer suffered a cyberattack wherein the attacked volume was originally used to back up data to LTO8 tapes at regular intervals. Most of these backup tapes were in the tape library at the time of the incident and were quickly formatted by the attackers. However, the customer saved an original unformatted tape with a relatively old backup date, which was then completely restored to the now empty Windows volume with a total of 6 TB. Only then did the customer commission Ontrack to examine the data recovery options.

Additionally, the attack affected numerous European suboffices of the customer where there were predominantly QNAP NAS systems in use.

Solution

The HP server DL380 with the 55 3TB hard disks and LTO8 tapes were transported to Ontrack in Böblingen, Germany. During the diagnosis, a large number of the searched files were successfully found on the Windows volume using Ontrack’s proprietary tools and 27 records were extracted according to a priority list.

The restoration of the LTO8 tape partially overwrote some of the data sets and damaged the backup files. However, a large part of the data could still be repaired and extracted in several steps. At a later time, 19 significantly older LTO8 quick formatted tape backups were successfully recovered from the ransomware attack as well.

The QNAP NAS systems had stored virtual VMs under VMware, including backup VMs that were partially deleted or internally reformatted with another file system.