In late 2022, an elite college in Massachusetts fell victim to a ransomware attack that encrypted the entire system, including Virtual Machines (VMs) stored on multiple VMware ESXi hosts.
The hackers accessed the management interface of Quantum SuperLoader 3, emptied the tape backups, and erased data stored on 32 tape catalogs. They also reset two QNAP NAS devices used as secondary backup storage. As a result, the institution’s entire data system was compromised and rendered inaccessible.
Start of Ransomware Data Recovery Process
The college brought all the affected devices to our data recovery lab for evaluation. Our primary focus was to recover the data with the original structure, including folder and file names and dates.
These drives made up a RAID 6 volume, which held the 42TB raw space used by the institution’s file server.
The challenge increased when we learned that the client’s IT department had implemented Microsoft Deduplication technology on an iSCSI volume managed by Synology devices. This meant there were multiple layers of technology to navigate to effectively use the space and achieve high transfer speeds. Despite these complexities, the drives did not have any major mechanical or physical issues.
Technical Details of RAID 6 Data Recovery Case
RAID 6 Volume Reconstruction. RAID 6 is a level of RAID that provides data protection through dual parity, allowing for the failure of up to two drives without any data loss. To recover the data, our team first reconstructed the RAID 6 volume by analyzing the parity data and reassembling the original RAID configuration.
Data Deduplication. The client’s use of Microsoft Deduplication technology added an extra layer of complexity to the recovery process. Deduplication is a process that eliminates redundant data, reducing storage space requirements. We had to reverse-engineer the deduplication process to restore the original, non-deduplicated data.
iSCSI Volume Recovery. The iSCSI volume was managed by Synology devices, adding another layer to the recovery process. Our team used proprietary tools and techniques to access and extract data from the iSCSI volume.
File System Analysis. The file system used by the institution was also analyzed to identify and restore the original folder structure, file names, and dates.
Data Recovery Process
Cloning the Drives. To ensure that we did not damage the source 8TB helium drives, we began the data recovery process by creating complete clones of all the drives. This approach allowed us to work on the cloned images, preserving the original drives in case additional attempts were needed.
Nitrogen-Based Cooling System. As the cloning process involved high-speed hard drive cloners compliant with digital forensics standards, it was essential to prevent the drives from overheating. We employed a nitrogen-based cooling system to maintain optimal temperatures for the hard drives during the cloning process. This system ensured that the drives remained cool and stable while the high-speed cloners worked on creating the images.
Building the RAID 6 Volume. After cloning the drives, our team focused on building the RAID 6 volume. RAID 6 is a level of RAID that provides data protection through dual parity, allowing for the failure of up to two drives without any data loss. We carefully analyzed the parity data and RAID configuration to successfully reconstruct the RAID 6 volume.
Sector Map of iSCSI Volumes. Once the RAID 6 volume was reconstructed, we began the process of locating the sector map of the iSCSI volumes. The iSCSI volumes were split into 1TB chunks as JBOD (Just a Bunch of Disks). We identified the individual chunks and combined them sequentially, granting us access to the NTFS volume with Data Deduplication.
Data Extraction and Integrity Checks. Recovering data from the NTFS volume with Data Deduplication was time-consuming due to the mathematical checksum calculations required for each file. These calculations ensured the integrity of the data during the extraction process. Our team meticulously worked through the volume, verifying the integrity of each file as it was saved.
Results of the Recovery
Once the client approved the project, our team worked tirelessly for three business days, with engineers working in shifts around the clock. We successfully reconstructed the RAID 8 volume, reversed the deduplication process, accessed the iSCSI volume, and analyzed the file system to recover the data with its original structure intact.
To ensure the integrity of the recovered data, we arranged remote verification for the client to check the recovered files and folders. The client was highly satisfied with the results, as we managed to recover their data with the original structure, folder, file names, and dates.
The data loss, in this case, was due to security weaknesses and the absence of Deep Packet Inspection (DPI) on the network. Our team’s expertise and dedication enabled us to recover the data from this challenging ransomware attack successfully. This case study highlights the importance of advanced data recovery techniques and the value of reliable data recovery services for educational institutions that rely heavily on digital data.
Additionally, it underscores the need for continuous investment in cybersecurity infrastructure to prevent such incidents in the future. Educational institutions should implement strong security measures, such as regular backups, vulnerability assessments, and employee training on cybersecurity best practices. By taking a proactive approach to cybersecurity, organizations can minimize the risk of ransomware attacks and the potential loss of valuable data.