Recently an architectural firm came into our lab with an 8TB external hard drive that had been used to store Windows backups of their operating system, data and Exchange server. After encrypting all of the primary storage, the attackers deleted the backups and quick-formatted the external drive. Unfortunately, no one thought to detach the drive or disable the scheduled backups, so a new backup of the system volume was written to the freshly formatted drive before we received it for data recovery.
That new backup overwrote data that would otherwise have survived on disk and that would have been very useful in recovering the older backups. We were now dealing with a large amount of fresh data on top of the data stores that had been deleted and formatted. In the end we were able to retrieve a large amount of data for the client. The procedure required examining the drive thoroughly, sector by sector, in a hex editor. We identified the start sector of each backup iteration (each is a VHDX file), then located the corresponding boot sector and read its total sector count, which tells us how large the virtual disk was. Once we had the right size for the backup we were after, we had to confirm that the header information of each VHDX was intact, because that is what identifies the regions of the virtual disk. The first five 64 KB structures of a VHDX, spaced 128 sectors apart from the start of the file, are the file type identifier, two headers and two region tables; the region tables point to the block allocation table and the metadata, the essential elements of the data store. Those structures must be intact for the rest of the file to be usable.
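As an added example (not DTI's own tooling), the script below carries out the VHDX header check just described: it scans a raw image for the `vhdxfile` identifier at sector-aligned offsets, validates the two headers and two region tables by signature and CRC-32C checksum as laid out in Microsoft's MS-VHDX specification, picks the header with the higher sequence number as the live one, and reports where on disk the BAT and metadata regions should be. The layout constants and region GUIDs are taken from that specification; the sample image is constructed in memory, and the boot-sector step is not covered.

```python
"""
Added example, not DTI's own tooling: validate the head of a VHDX carved
from a raw disk image.  The first 1 MiB of a VHDX is five 64 KiB
structures (file type identifier, header 1, header 2, region table 1,
region table 2); the region tables point at the BAT and metadata regions.
Layout, signatures and region GUIDs follow Microsoft's MS-VHDX spec; the
sample image built below is constructed in memory, not from a real drive.
"""
import struct
import uuid

SECTOR = 512
ALIGN = 64 * 1024                    # one head structure = 64 KiB = 128 sectors
FILE_ID_SIG = b"vhdxfile"
HEADER_SIG = b"head"
REGION_SIG = b"regi"
BAT_GUID = uuid.UUID("2DC27766-F623-4200-9D64-115E9BFD4A08")
META_GUID = uuid.UUID("8B7CA206-4790-4B9A-B8FE-575F050F886E")
REGION_NAMES = {BAT_GUID: "BAT", META_GUID: "metadata"}


def _make_table(poly=0x82F63B78):
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), the checksum VHDX stores in headers and region tables."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def _checksum_ok(blob: bytes) -> bool:
    """The checksum field at offset 4 is treated as zero while the CRC is computed."""
    stored = struct.unpack_from("<I", blob, 4)[0]
    return crc32c(blob[:4] + b"\0\0\0\0" + blob[8:]) == stored


def parse_header(hdr: bytes):
    """Parse a 4 KiB VHDX header; None if signature or checksum is bad."""
    if len(hdr) < 4096 or hdr[:4] != HEADER_SIG or not _checksum_ok(hdr[:4096]):
        return None
    seq = struct.unpack_from("<Q", hdr, 8)[0]
    _log_ver, version, log_len, log_off = struct.unpack_from("<HHIQ", hdr, 64)
    return {"sequence": seq, "version": version,
            "log_length": log_len, "log_offset": log_off}


def parse_region_table(tbl: bytes):
    """Parse a 64 KiB region table; None if signature, checksum or count is bad."""
    if len(tbl) < ALIGN or tbl[:4] != REGION_SIG or not _checksum_ok(tbl[:ALIGN]):
        return None
    count = struct.unpack_from("<I", tbl, 8)[0]
    if count > 2047:                 # spec maximum; anything larger is garbage
        return None
    entries = []
    for i in range(count):
        base = 16 + 32 * i
        guid = uuid.UUID(bytes_le=bytes(tbl[base:base + 16]))  # Windows GUID byte order
        off, length, required = struct.unpack_from("<QII", tbl, base + 16)
        entries.append({"name": REGION_NAMES.get(guid, str(guid)), "offset": off,
                        "length": length, "required": bool(required & 1)})
    return entries


def find_vhdx_starts(image: bytes, step: int = SECTOR):
    """Sector-aligned offsets where a VHDX file type identifier begins."""
    starts, pos = [], image.find(FILE_ID_SIG)
    while pos != -1:
        if pos % step == 0:
            starts.append(pos)
        pos = image.find(FILE_ID_SIG, pos + 1)
    return starts


def check_vhdx(image: bytes, start: int) -> dict:
    """Check the five head structures at `start`; region offsets are relative
    to the VHDX, so they are also converted to absolute disk sectors."""
    def chunk(k, n=ALIGN):
        return image[start + k * ALIGN:start + k * ALIGN + n]
    if chunk(0, 8) != FILE_ID_SIG:
        return {"start": start, "headers_ok": [], "region_tables_ok": [],
                "active_sequence": None, "regions": None, "recoverable": False}
    headers = [parse_header(chunk(k, 4096)) for k in (1, 2)]
    tables = [parse_region_table(chunk(k)) for k in (3, 4)]
    valid = [h for h in headers if h]
    active = max(valid, key=lambda h: h["sequence"]) if valid else None  # newest wins
    regions = next((t for t in tables if t), None)    # either intact copy will do
    for r in regions or []:
        r["disk_sector"] = (start + r["offset"]) // SECTOR
    names = {r["name"] for r in regions or []}
    return {"start": start,
            "headers_ok": [h is not None for h in headers],
            "region_tables_ok": [t is not None for t in tables],
            "active_sequence": active["sequence"] if active else None,
            "regions": regions,
            "recoverable": active is not None and {"BAT", "metadata"} <= names}


def build_sample_head(seq1=1, seq2=2, bat_off=3 << 20, meta_off=2 << 20) -> bytes:
    """Constructed 1 MiB VHDX head for the demo (hypothetical, not a real backup)."""
    file_id = (FILE_ID_SIG + "sample".encode("utf-16-le")).ljust(ALIGN, b"\0")

    def header(seq):
        b = bytearray(4096)
        b[:4] = HEADER_SIG
        struct.pack_into("<Q", b, 8, seq)
        struct.pack_into("<HHIQ", b, 64, 0, 1, 1 << 20, 1 << 20)  # version 1, 1 MiB log
        struct.pack_into("<I", b, 4, crc32c(bytes(b)))
        return bytes(b).ljust(ALIGN, b"\0")

    def region_table():
        b = bytearray(ALIGN)
        b[:4] = REGION_SIG
        struct.pack_into("<I", b, 8, 2)
        for i, (guid, off) in enumerate(((BAT_GUID, bat_off), (META_GUID, meta_off))):
            base = 16 + 32 * i
            b[base:base + 16] = guid.bytes_le
            struct.pack_into("<QII", b, base + 16, off, 1 << 20, 1)
        struct.pack_into("<I", b, 4, crc32c(bytes(b)))
        return bytes(b)

    table = region_table()
    return file_id + header(seq1) + header(seq2) + table + table


if __name__ == "__main__":
    # Disk image with the VHDX at 64 KiB and header 1 damaged by an overwrite.
    image = bytearray(bytes(ALIGN) + build_sample_head() + bytes(ALIGN))
    image[2 * ALIGN + 100] ^= 0xFF
    for s in find_vhdx_starts(bytes(image)):
        print(check_vhdx(bytes(image), s))
```

On a real drive, read the image through `mmap` rather than into memory, and treat a candidate whose headers both fail the checksum as a head that has been overwritten: the newer backup in the case above would have landed on exactly these sectors. A VHDX with one good header and one good region table is still usable, which is why both copies exist.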
While it is important not to overreact and destroy data, it is equally important to take stock of what is still live and to preserve it by shutting off scheduled backups and any other shares that may overwrite data that might still be recoverable. Take stock of your network environment and your backup storage, stop the bleeding by shutting down all infection points, and then check your backup storage. In many cases the backup devices have not been encrypted but sabotaged: deleted, quick-formatted, or with their RAID configuration removed. This is where we can help you recover your data. Not all ransomware attacks are executed well. Contact us if you have backups that have been deleted or formatted, or RAID configurations that have been deleted.
See also https://dtidatarecovery.com/ransomware-recovery-data-recovery-methods/