Recovery of MS SQL Server databases in dynamic VHDX virtual machines encrypted by ransomware
We support all types of databases, across all your professional storage media, 24/7.
Repair of .MDF, .NDF and .LDF files, as well as encrypted instances, corrupted tables, and indexes. Expertise across all versions (SQL Server 2012 to 2022)
Customized solutions tailored to your company’s specific challenges.
Secure transfers.
Independent French laboratory for over 20 years.
Intervention Context
A Danish SME specialized in supplying technical equipment for pharmacists contacted Recoveo after its data was encrypted by ransomware. Due to the operational emergency, the company’s CEO personally came to our facilities to hand over the affected storage media.
Technical Elements Received
- VM DK: encrypted virtual machine containing the critical databases
- VM NL: encrypted virtual machine accompanied by an 8-month-old backup
- Processing of VM NL: our teams successfully reconstructed the data to its current state in less than 24 hours.
For VM DK, the 16 MB file was successfully recovered and delivered the same day, while the 15 GB file required an advanced investigation and recovery procedure.
Technical difficulties encountered
Failure of Standard Recovery Tools
Our teams tested four software solutions that are typically effective in standard recovery scenarios. However, the extracted files proved to be corrupted and unusable.
Specificity of Dynamic Virtual Machines
The dynamic VHDX format relies on an allocation table that references the location of each data block within the file. In this specific case, the ransomware destroyed less than 0.5% of the beginning of the virtual machine — an area that precisely contains this table. Although the damaged portion was minimal in size, it made any recovery using conventional methods technically impossible.
This type of damage affecting a dynamic VHDX remains poorly documented in specialized literature, which made the diagnostic phase particularly challenging.
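To make concrete which structures at the start of a dynamic VHDX a conventional tool depends on, here is an added Python example; it is not Recoveo's tooling and not the proprietary method used on this case. It checks the file type identifier, the two mirrored headers and the two mirrored region tables (signature plus CRC-32C, as laid out in the MS-VHDX specification), then follows a surviving region table to the block allocation table (BAT) and counts block states. Offsets, signatures and the BAT region GUID follow the specification; `build_sample` constructs a toy 64 MB image and overwrites its first bytes to mimic the damage described above (in a multi-GB VHDX the same span is well under 0.5 % of the file).

```python
import struct, uuid, collections

HEADER_OFFSETS = (0x10000, 0x20000)        # two mirrored 4 KB headers
REGION_TABLE_OFFSETS = (0x30000, 0x40000)  # two mirrored 64 KB region tables
BAT_REGION_GUID = uuid.UUID("2DC27766-F623-4200-9D64-115E9BFD4A08").bytes_le  # on-disk GUID layout
BAT_STATES = {0: "NOT_PRESENT", 1: "UNDEFINED", 2: "ZERO", 3: "UNMAPPED",
              6: "FULLY_PRESENT", 7: "PARTIALLY_PRESENT"}

def crc32c(data):
    # Bitwise CRC-32C (Castagnoli): the checksum VHDX stores in headers and region tables.
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8): crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF
def _structure_ok(blob, sig):
    # Signature present and CRC-32C over the whole structure (checksum field zeroed) matches.
    return blob[:4] == sig and crc32c(blob[:4] + bytes(4) + blob[8:]) == struct.unpack_from("<I", blob, 4)[0]

def triage_vhdx(img):
    # Which of the structures a parser needs to locate payload blocks survive in this image?
    rep = {"file_id_ok": img[:8] == b"vhdxfile",
           "headers_ok": [_structure_ok(img[o:o + 0x1000], b"head") for o in HEADER_OFFSETS],
           "region_tables_ok": [_structure_ok(img[o:o + 0x10000], b"regi") for o in REGION_TABLE_OFFSETS],
           "bat_offset": None, "bat_states": {}}
    tables = [o for o, ok in zip(REGION_TABLE_OFFSETS, rep["region_tables_ok"]) if ok]
    for i in range(struct.unpack_from("<I", img, tables[0] + 8)[0] if tables else 0):
        guid, off, length, _required = struct.unpack_from("<16sQII", img, tables[0] + 16 + 32 * i)
        if guid == BAT_REGION_GUID and off + length <= len(img):  # BAT: 8-byte entries, low 3 bits = state
            rep["bat_offset"] = off
            rep["bat_states"] = dict(collections.Counter(
                BAT_STATES.get(e & 7, "INVALID") for e in struct.unpack_from(f"<{length // 8}Q", img, off)))
    return rep
def _sealed(blob, sig):
    blob[:4] = sig  # stamp the signature, then the CRC-32C computed while the checksum field is still zero
    struct.pack_into("<I", blob, 4, crc32c(bytes(blob)))
    return bytes(blob)

def build_sample(damage_bytes=0, image_size=64 << 20):
    # Constructed toy image: file id, mirrored headers and region tables, a 4-entry BAT at 1 MB;
    # the first `damage_bytes` are then overwritten to mimic ransomware hitting the start of the file.
    bat = b"".join(struct.pack("<Q", ((2 + i) << 20) | 6) for i in range(4))  # FULLY_PRESENT at 2..5 MB
    img = bytearray(image_size)
    img[:8], img[0x100000:0x100000 + len(bat)] = b"vhdxfile", bat
    for o in HEADER_OFFSETS:
        img[o:o + 0x1000] = _sealed(bytearray(0x1000), b"head")
    for o in REGION_TABLE_OFFSETS:
        rt = bytearray(0x10000)
        struct.pack_into("<I", rt, 8, 1)                                              # EntryCount = 1
        struct.pack_into("<16sQII", rt, 16, BAT_REGION_GUID, 0x100000, len(bat), 1)   # BAT entry, Required
        img[o:o + 0x10000] = _sealed(rt, b"regi")
    img[:damage_bytes] = b"\xa5" * damage_bytes  # constructed "encrypted" prefix
    return bytes(img)
```

Damage that stops short of the second header and the region tables still leaves an image a parser can follow, because VHDX keeps mirrored copies; once the overwrite reaches the region tables and the BAT, the report has nothing left to follow, which is the situation the standard tools faced on this case.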
Advanced Recovery Procedure
Activation of the R&D Unit
Following the failure of standard approaches, Recoveo’s Research & Development unit was mobilized. Three engineers worked simultaneously on the case with the objective of adapting our proprietary tools to this unprecedented scenario.
Intermediate Result
After 72 hours of research, one of the engineers identified a method for partially reconstructing the internal structures of the database, making it possible to recover 90% of the tables.
Delivery and Validation
Three iterative versions of the reconstructed file were produced in order to maximize recovery coverage. A testing platform was set up for validation purposes. In less than one hour, the client confirmed that the main database table had been recovered 100% from the first delivered version, enabling immediate business resumption.
Key Takeaways
| Item | Result |
|---|---|
| NL VM — 8 GB MDF file | Recovered in < 24 hours |
| DK VM — 16 MB MDF file | Recovered the same day |
| DK VM — 15 GB MDF file | Main table recovered 100% |
| Total R&D duration | 72 hours |
Lessons Learned
This case highlights a growing issue: ransomware attacks are now targeting precise and strategic areas of virtual file systems, rendering generic recovery tools ineffective. The ability to adapt custom-built tools to undocumented scenarios has become a critical technical differentiator.
This type of intervention involving Recoveo’s R&D unit represents approximately 4 to 5 cases per year.
Request an Assessment
Upon receiving your request, we will arrange a technical call with our engineers.