In late 2022, an elite college in Massachusetts fell victim to a ransomware attack that encrypted the entire system, including Virtual Machines (VMs) stored on multiple VMware ESXi hosts.
The hackers accessed the management interface of Quantum SuperLoader 3, emptied the tape backups, and erased data stored on 32 tape catalogs. They also reset two QNAP NAS devices used as secondary backup storage. As a result, the institution’s entire data system was compromised and rendered inaccessible.
Start of Ransomware Data Recovery Process
The college brought all the affected devices to our data recovery lab for evaluation. Our primary focus was to recover the data with the original structure, including folder and file names and dates. These drives made up a RAID 6 volume, which held the 42TB raw space used by the institution’s file server.
The challenge increased when we learned that the client’s IT department had implemented Microsoft Deduplication technology on an iSCSI volume managed by Synology devices.
This meant there were multiple layers of technology to navigate to effectively use the space and achieve high transfer speeds. Despite these complexities, the drives did not have any major mechanical or physical issues.
We began the data recovery process by imaging the RAID 6 volume to ensure a secure backup of the original data. This allowed us to work on the image without affecting the original drives.
Technical Details of RAID 6 Data Recovery Case
RAID 6 is a striped set with dual-distributed parity. While it provides high fault tolerance and data protection, the recovery process can be complex because data must be reconstructed from multiple drives.
RAID 6 Volume Reconstruction
RAID 6 is a level of RAID that provides data protection through dual parity, allowing for the failure of up to two drives without any data loss. To recover the data, our team first reconstructed the RAID 6 volume by analyzing the parity data and reassembling the original RAID configuration.
Data Deduplication
The client’s use of Microsoft Deduplication technology added an extra layer of complexity to the recovery process.
Deduplication is a process that eliminates redundant data, reducing storage space requirements. We had to reverse-engineer the deduplication process to restore the original, non-deduplicated data.
iSCSI Volume Recovery
The iSCSI volume was managed by Synology devices, adding another layer to the recovery process. Our team used proprietary tools and techniques to access and extract data from the iSCSI volume.
File System Analysis
The file system used by the institution was also analyzed to identify and restore the original folder structure, file names, and dates.
Results of the Recovery
The data recovery process was successful, and we were able to recover all the data from the affected drives. The RAID 6 volume was reconstructed, deduplication was reversed, and the iSCSI volume was recovered.
Data Recovery Process
Cloning the Drives. To ensure that we did not damage the source 8TB helium drives, we began the data recovery process by creating complete clones of all the drives. This approach allowed us to work on the cloned images, preserving the original drives in case additional attempts were needed.
Nitrogen-Based Cooling System
The cloning process involved high-speed hard drive cloners compliant with digital forensics standards, so it was essential to prevent the drives from overheating.
We employed a nitrogen-based cooling system to maintain optimal temperatures for the hard drives during the cloning process. This system ensured that the drives remained cool and stable while the high-speed cloners created the images.
Building the RAID 6 Volume
After cloning the drives, our team focused on building the RAID 6 volume. RAID 6 is a level of RAID that provides data protection through dual parity, allowing for the failure of up to two drives without any data loss. We carefully analyzed the parity data and RAID configuration to successfully reconstruct the RAID 6 volume.
Sector Map of iSCSI Volumes
Once the RAID 6 volume was reconstructed, we began the process of locating the sector map of the iSCSI volumes. The iSCSI volumes were split into 1TB chunks as JBOD (Just a Bunch of Disks). We identified the individual chunks and combined them sequentially, granting us access to the NTFS volume with Data Deduplication.
Data Extraction and Integrity Checks
Recovering data from the NTFS volume with Data Deduplication was time-consuming due to the mathematical checksum calculations required for each file. These calculations ensured the integrity of the data during the extraction process. Our team meticulously worked through the volume, verifying the integrity of each file as it was saved.
Results of the Recovery
Once the client approved the project, our team worked tirelessly for three business days, with engineers working in shifts around the clock. We successfully reconstructed the RAID 8 volume, reversed the deduplication process, accessed the iSCSI volume, and analyzed the file system to recover the data with its original structure intact.
To ensure the integrity of the recovered data, we arranged remote verification for the client to check the recovered files and folders. The client was highly satisfied with the results, as we managed to recover their data with the original structure, folder, file names, and dates.
The data loss, in this case, was due to security weaknesses and the absence of Deep Packet Inspection (DPI) on the network.
Our team’s expertise and dedication enabled us to recover the data from this challenging ransomware attack successfully. This case study highlights the importance of advanced data recovery techniques and the value of reliable data recovery services for educational institutions that rely heavily on digital data.
Additionally, it underscores the need for continuous investment in cybersecurity infrastructure to prevent such incidents in the future. Educational institutions should implement strong security measures, such as regular backups, vulnerability assessments, and employee training on cybersecurity best practices. By taking a proactive approach to cybersecurity, organizations can minimize the risk of ransomware attacks and the potential loss of valuable data.
Frequently Asked Questions
What is a ransomware attack?
Ransomware attacks employ malicious software to block access to data and demand payment for its restoration. These attacks begin through phishing emails, malicious websites, or exploiting system vulnerabilities and aim to extort money from victims by threatening to delete or publish their data.
How does a ransomware attack affect data?
Ransomware attacks can block access to data, causing information loss, business disruption, and financial losses. Attackers may also steal sensitive data and cause reputational damage.
Is it possible to recover data from a ransomware attack?
Ransomware attacks can be mitigated by having backups. Recovery of encrypted data is possible with decryption keys, but paying the ransom is not a guarantee. Professional services may help retrieve data.
Can all types of data be recovered after a ransomware attack?
Ransomware attacks can be devastating, and data may not always be recoverable. To reduce the effects of a possible attack, it is recommended that important data be backed up regularly.
How can organizations protect themselves from ransomware attacks?
To protect against ransomware attacks, organizations should back up data regularly, update security software, train employees on cybersecurity, assess system vulnerabilities, have a response plan, and invest in robust cybersecurity infrastructure.