Ransomware Recovery – Virtual Agent for Windows

Written By: Ontrack

Date Published: August 14, 2022


The customer’s data was affected by a ransomware attack that not only targeted their server data, but also “Virtual Agent for Windows” backups located on an external HDD. Their IT/managed services provider agreement did not include regular off-site backups, so this was the only copy of the data that existed.



The customer sent the affected HDD to Ontrack, where an image of the drive was taken to preserve the original state of the customer media.

Ontrack engineers assessed the damage to the affected virtual backup files and determined that partial recovery would be possible: the files had not been fully encrypted, so there was a chance that some data could be recovered from within them. However, the version of the virtual backup files was newer than Ontrack's current tools could support, and development assistance was required.

With a global engineering presence, as well as internal development teams that maintain and improve our proprietary tools, Ontrack was able to research, develop, and implement support for the new version quickly. In fact, much of the time-intensive research required had already been completed for similar jobs seen in our European offices. This allowed Ontrack developers to modify the tools efficiently to the level required to support this restoration scenario. Rather than building out a fully fledged tool, Ontrack engineers used the improved version of their tools to search for the required structures, which allowed them to manually rebuild internal components critical to recovering data from within the file.


Once repairs to the files had been completed, engineers were able to use their remaining tool set to complete an extraction of data from within the repaired files. The recoverable data consisted of many flat file data types that had been completely lost to the customer during the ransomware attack.

