.MDF file encrypted by ransomware
1️⃣ What is an .MDF file?
An .MDF file (Microsoft SQL Server Master Data File) is the primary file of an SQL Server database. It contains:
- User data (tables, views, stored procedures)
- Structure and indexing
- Essential information for rebuilding the database
2️⃣ Symptoms of an .MDF file encrypted by ransomware
When ransomware targets .MDF files, several signs appear:
- File encryption
  - Modified extension: .MDF.locked, .MDF.anubis, or others depending on the ransomware
  - Impossible to open the file in SQL Server
- Ransom note
  - A text or HTML file left by the ransomware in the folder, with payment instructions
  - Often the same note filename alongside all encrypted files
- Database inaccessible
  - SQL Server returns errors such as: “Cannot open database … The physical file may be missing or corrupt”
  - Transactions can no longer be recorded
- Secondary symptoms
  - SQL Server instability or extreme slowness
  - Transaction logs (.LDF) not synchronized
3️⃣ Impact on data recovery
Recovering an encrypted .MDF file depends on several factors:
- Type of ransomware
  - Traditional ransomware (LockBit, BlackCat) encrypts the file without deleting it → recovery possible if a decryption key or backup exists.
  - Destructive ransomware (Anubis, Thanos) may overwrite or delete content → recovery nearly impossible.
- Availability of backup files
  - Unencrypted and offline backup: fast recovery.
  - Network backup: high risk that the ransomware also encrypted the copies.
- Condition of the file
  - Fully encrypted file: requires restoration from backup.
  - Partially corrupted file: specialized tools can attempt to extract the intact data.
- SQL format complexity
  - MDF contains complex internal structures (pages, indexes, tables).
  - Recovery tools must rebuild these pages for the database to be functional.
- Without backup: recovery is nearly impossible, even with decryption tools.
- With isolated backup: fast recovery, full restoration possible.
4️⃣ Time required to recover the data
Recovery time depends on the situation:

| Situation | Estimated time |
|---|---|
| Isolated backup available (Veeam, Hyper-V, offline NAS) | A few hours to 1 day |
| MDF file encrypted with known key (official decryption tool) | 1 to 3 hours for a standard server |
| Partially corrupted MDF / destructive ransomware | Several days to weeks depending on size and complexity |
| MDF file only, no backup and no logs | Likely irreversible |

It also depends on:
- Database size (20 GB vs. 2 TB MDF)
- Number of related MDF files (multiple databases)
- Transactional complexity (databases with thousands of transactions per second)
5️⃣ Best practices after .MDF file encryption
- Immediate isolation
  - Disconnect the SQL server from the network to prevent spread.
- Do not attempt direct restoration
  - Avoid restarting SQL Server or restoring over an encrypted file → risk of overwriting intact pages.
- Identify the ransomware variant
  - Helps determine whether a decryption tool exists.
  - Caution: some ransomware appends a telltale extension, but the actual encryption may be more complex than the extension suggests.
- Prioritize offline backups
  - Check Veeam, Hyper-V, NAS, or LTO tape backups.
  - Assess integrity before restoring.
- Consult a post-ransomware recovery expert
  - For corrupted MDF files, page-by-page reconstruction may be required.
  - Use of specialized tools (ScanX, Stellar Repair for MS SQL, ApexSQL Recover, etc.).
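As an added example (not part of the original article), a small Python triage script for the "assess integrity before restoring" and "page-by-page" steps above: it checks whether a copied .MDF still has self-consistent 8 KB page headers and measures its byte entropy, so intact pages can be counted before anything is restored. It assumes the documented SQL Server page header offsets (m_type at byte 1, m_pageId at byte 32, m_fileId at byte 36) and should only ever be run against a copy of the file; the sample inputs are constructed in the block.

```python
from collections import Counter
import math
import struct

PAGE_SIZE = 8192
# m_type values that legitimately occur in a data file (data, index, LOB, GAM, SGAM, IAM, PFS, boot, file header, maps).
KNOWN_PAGE_TYPES = {1, 2, 3, 4, 7, 8, 9, 10, 11, 13, 15, 16, 17, 18, 19, 20}


def page_header(page: bytes) -> dict:
    """Decode m_headerVersion (offset 0), m_type (1), m_pageId (32) and m_fileId (36); layout assumed from SQL Server docs."""
    page_id, file_id = struct.unpack_from("<IH", page, 32)
    return {"version": page[0], "type": page[1], "page_id": page_id, "file_id": file_id}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: real pages carry runs of zero bytes, ciphertext sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_mdf(data: bytes, sample_pages: int = 8) -> dict:
    """Count pages that still record their own position, then classify the file."""
    total = len(data) // PAGE_SIZE
    consistent = 0
    for i in range(total):
        h = page_header(data[i * PAGE_SIZE:(i + 1) * PAGE_SIZE])
        if h["version"] == 1 and h["type"] in KNOWN_PAGE_TYPES and h["page_id"] == i:
            consistent += 1
    entropy = shannon_entropy(data[:sample_pages * PAGE_SIZE])
    if total and consistent == total and entropy < 7.0:
        verdict = "plausible MDF"
    elif consistent == 0 or entropy > 7.5:
        verdict = "likely encrypted"
    else:
        verdict = "partially damaged, intact pages remain"
    return {"pages": total, "consistent": consistent, "entropy": round(entropy, 2), "verdict": verdict}


def build_sample_mdf(pages: int = 16) -> bytes:
    """Constructed stand-in for an intact file: file header, PFS, GAM, SGAM, then data pages."""
    out = bytearray()
    for i, t in enumerate([15, 11, 8, 9] + [1] * (pages - 4)):
        page = bytearray(PAGE_SIZE)
        page[0], page[1] = 1, t
        struct.pack_into("<IH", page, 32, i, 1)  # m_pageId = own position, m_fileId = 1
        out += page
    return bytes(out)


def high_entropy_blob(size: int) -> bytes:
    """Constructed stand-in for ciphertext: flat byte distribution, entropy 8.0, no valid headers."""
    return bytes(i % 256 for i in range(size))
```

Run `triage_mdf` on a copy of the suspect file and on each backup candidate; a high count of consistent pages with low entropy is what you want to see before a restore, while a mixed result tells you which pages a page-level recovery tool can still work with.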
6️⃣ Conclusion
An .MDF file encrypted by ransomware is a critical emergency:
- Symptoms: inaccessible database, modified extensions, SQL Server errors
- Impact: depends on the availability of isolated backups and on the ransomware type
- Recovery time: from a few hours to several weeks depending on the situation
- Maximum risk: permanent data loss if the file is destroyed or if no reliable backup exists
Recovering an MDF file encrypted by ransomware depends heavily on the existence of isolated backups. The speed of intervention and correct identification of the ransomware directly influence the success of the restoration.