We have found instances where data recovery is possible, even in the most recent ransomware threats.
Experts predict there will be a ransomware attack every 11 seconds in 2021.
According to industry predictions, almost six ransomware attacks will occur every minute in 2021.
Cyber crimes, including ransomware attacks, are usually not automated; they are run by people. The criminals gain access to your network and evaluate your storage: primary storage is identified, the periods of highest and lowest traffic are worked out, and backup storage is located and mapped.
Once the environment has been mapped, like any well-planned attack, they start when the network is most vulnerable. Periods of low network traffic are the most likely time for the ransomware encryption software to start. After the high-value data has been encrypted and the originals deleted, the attacker will delete network backups, delete RAID configurations, and generally try to destroy anything that would take too long to encrypt.
This is where we find their mistakes. Ransomware data recovery methods:
- Data deleted from Network Attached Storage (NAS) can be recovered. If the NAS uses proprietary archival compression for its backup sets, recovery may be much more difficult. Data deleted from a Storage Area Network (SAN) can be recovered. Deletion from most storage, except for Solid State Drives (SSD), is potentially recoverable. (Some RAID storage environments disable the TRIM function on SSDs, which makes recovery after deletion possible.)
- Large Storage Area Networks (SAN) with deleted data, or with deleted RAID 5, RAID 6, or higher RAID configurations, can be recovered. Virtually any RAID storage configuration that has been deleted can be recovered.
- Other situational recovery would include an attack point on a virtual drive that hosted the ransomware while it was running and was not fully encrypted.
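The reason deleted data on a NAS, SAN or RAID set is usually recoverable, and why a trimmed SSD is the exception, is that an ordinary delete only removes the filesystem's pointer to the blocks while the bytes stay on the platters until something overwrites them. The following is an added illustration, not code from the original page or from any recovery vendor: it builds a toy block device with a separate allocation table, "deletes" one file the ordinary way and "trims" another the way an SSD controller would, then carves files back out of the raw blocks by scanning for a known header and footer (the PNG signature and IEND trailer) without consulting the table at all. `ToyDisk`, `carve_png` and `build_scenario` are hypothetical names invented for this example.

```python
import hashlib

BLOCK = 512  # constructed block size for the toy "disk"

# PNG files start with this fixed 8-byte signature and end with the IEND chunk;
# file-carving tools key on exactly such markers, independent of any filesystem.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB`\x82"


class ToyDisk:
    """Minimal block device plus an allocation table (hypothetical, for illustration)."""

    def __init__(self, blocks: int) -> None:
        self.data = bytearray(blocks * BLOCK)
        self.table: dict[str, tuple[int, int]] = {}  # name -> (first block, block count)

    def write_file(self, name: str, payload: bytes, first_block: int) -> None:
        nblocks = -(-len(payload) // BLOCK)  # ceiling division
        start = first_block * BLOCK
        self.data[start:start + len(payload)] = payload
        self.table[name] = (first_block, nblocks)

    def delete_file(self, name: str) -> None:
        # An ordinary delete only drops the table entry; the blocks are left untouched.
        del self.table[name]

    def trim_file(self, name: str) -> None:
        # What TRIM on an SSD does: the controller discards the blocks, which then read back as zeros.
        first, nblocks = self.table.pop(name)
        self.data[first * BLOCK:(first + nblocks) * BLOCK] = bytes(nblocks * BLOCK)


def make_png(body: bytes) -> bytes:
    # Constructed stand-in: the real chunk layout is not needed to demonstrate carving.
    return PNG_HEADER + body + PNG_FOOTER


def carve_png(raw: bytes) -> list[bytes]:
    """Recover PNG files from raw blocks by header/footer scanning, ignoring the allocation table."""
    found = []
    pos = 0
    while True:
        start = raw.find(PNG_HEADER, pos)
        if start < 0:
            break
        end = raw.find(PNG_FOOTER, start)
        if end < 0:
            break  # header without a footer: truncated or partially overwritten, skip it
        end += len(PNG_FOOTER)
        found.append(bytes(raw[start:end]))
        pos = end
    return found


def build_scenario() -> tuple[ToyDisk, bytes, bytes]:
    """Constructed scenario: one file deleted normally, one trimmed; returns (disk, deleted, trimmed)."""
    disk = ToyDisk(64)
    deleted = make_png(b"A" * 700)   # two blocks
    trimmed = make_png(b"B" * 300)   # one block
    disk.write_file("report.png", deleted, first_block=4)
    disk.write_file("photo.png", trimmed, first_block=10)
    disk.delete_file("report.png")   # table entry gone, bytes still on disk
    disk.trim_file("photo.png")      # bytes zeroed by the "controller"
    return disk, deleted, trimmed


if __name__ == "__main__":
    disk, deleted, trimmed = build_scenario()
    carved = carve_png(disk.data)
    print(f"table now lists {list(disk.table)}; carving found {len(carved)} file(s)")
    print("deleted file recovered:", deleted in carved)
    print("trimmed file recovered:", trimmed in carved)
```

Carving recovers the normally deleted file byte for byte while the trimmed one is simply absent from the raw blocks, which is the whole reason the page singles out SSDs, and why a RAID controller that disables TRIM changes the answer. On a real array the same scan runs over a forensic image of the reassembled volume rather than a bytearray.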
Most of the Ransomware recovery scenarios we see are unique. In almost all the ransomware attacks where large amounts of data are involved, we were able to recover all or some user data due to the methods of attack mentioned above. In some cases where one file is of great importance, we may be able to piece a file together using various versions of the file from multiple storage spaces.
Recently, we recovered over 12 RAID servers, including multiple 16-drive RAID 5 storage arrays, RAID 50 storage servers, and 30-drive SANs, to retrieve multiple SQL databases. One database that was 1.5 TB in size was pieced together from multiple backup dates and devices.
Your case is unique, and we may be able to help recover your data without paying the ransom.
Our advice is to not pay the ransom. There is no guarantee that you will get the decryption tool. If you do get the decryption tool some files may not fully decrypt.
What you should do is take every storage space offline and shut it down. Do not run anti-malware or antivirus software. The encrypted files often have keys attached to them and associated registry entries; if your last course of action is to pay the ransom, you will need these keys and registry information intact.
If you are going to reinstall deleted storage devices, it pays to make an image or clone of the server before writing any data to the device. Another option is to replace the infected drives with new drives and keep the originals untouched.
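Imaging before touching the device is the step that keeps every other recovery option open, and an image is only useful if you can prove it matches the source. The following is an added example, not code from the original page or any recovery product: it copies a device file chunk by chunk into a new image that it refuses to create over an existing file, hashes the source as it is read and the finished image afterwards, and reports whether the two match. `image_device` and `demo` are hypothetical names; `demo` builds a throwaway file as a constructed stand-in for a real block device such as `/dev/sdX`.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large devices never sit in memory


def image_device(src: str, dst: str) -> tuple[str, str]:
    """Copy src to dst in chunks and return (sha256 of source as read, sha256 of image on disk)."""
    src_hash = hashlib.sha256()
    # O_EXCL refuses to clobber an existing image; the source is only ever opened for reading.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with open(src, "rb") as fin, os.fdopen(fd, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(chunk)
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really reached stable storage
    # Hash the image from disk, not from memory, so a short or corrupt write is caught.
    img_hash = hashlib.sha256()
    with open(dst, "rb") as fin:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            img_hash.update(chunk)
    return src_hash.hexdigest(), img_hash.hexdigest()


def demo() -> dict:
    """Constructed scenario: image a fake device file and verify the copy; returns the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "fake_device.bin")  # stand-in for a real block device
        image = os.path.join(tmp, "device.img")
        payload = os.urandom(3 * CHUNK + 123)  # constructed, deliberately not a whole number of chunks
        with open(device, "wb") as f:
            f.write(payload)
        src_h, img_h = image_device(device, image)
        # A second run must refuse rather than silently overwrite the evidence image.
        try:
            image_device(device, image)
            refused = False
        except FileExistsError:
            refused = True
        return {
            "source_sha256": src_h,
            "image_sha256": img_h,
            "verified": src_h == img_h,
            "image_size": os.path.getsize(image),
            "overwrite_refused": refused,
        }


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Record the two hashes alongside the image; they are what lets you show later that the copy you worked from is identical to the drive that came out of the server. On a real device, also mark it read-only at the operating-system level (or use a hardware write blocker) before pointing anything at it, since the script itself can only promise not to open the source for writing.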