logo SOS Ransomware
Emergency 24/7

Data recovery following a ransomware attack on a Synology NAS (Hyper Backup)

A Colombian architect recently contacted us after a particularly destructive attack on his Synology storage system.

The attackers had not only encrypted his data, as ransomware traditionally does, but had also reset his RAID drives and formatted his external backup disk.

Faced with this critical situation, where Synology support and conventional recovery tools had proved insufficient, our team had to implement specialized technical solutions.

This case study documents the complete recovery process that enabled us to restore 580 GB of business data (411,000 files in 79,417 folders) from media considered irretrievably compromised.

It analyzes the specific technical challenges encountered with the BTRFS file system and Hyper Backup’s proprietary format, while presenting the advanced methodologies that enabled this result.

We also examine the practical implications of this intervention for securing storage and backup infrastructures, in a context where computer attacks now deliberately target data protection mechanisms.

The incident: a meticulous attack

Our story began, in fact, when a Colombian architect contacted us following a particularly aggressive ransomware attack.

Unlike conventional attacks, which simply encrypt the data and demand a ransom, the cybercriminals had opted for a more radical approach: they had completely reset the RAID disks and erased the data on the external USB drive (USB COPY) used as a backup.

This placed the victim in an extremely precarious position, as even his backup solution had been targeted, demonstrating the increasing sophistication of today’s attacks, which deliberately target backup mechanisms to maximize the chances of obtaining ransom payment.

First unsuccessful attempts

Before contacting us, the architect had already tried a logical approach to recovering his data. In particular, he had tried using PhotoRec, a free, open-source data recovery software renowned for its ability to recover lost files. Unfortunately, these attempts had failed.

Faced with this impasse, he also turned to Synology’s official technical support, and despite escalating his case to higher levels of support, no solution was found.

This was a particularly complex case, which went beyond standard recovery procedures, and required specialized skills and tools.

Our intervention: initial analysis

When the customer contacted us, we received two disks for analysis:

  • One copy (image of the 1 TB external disk) containing Hyper Backup backups
  • One of the 4TB RAID1 disks formatted in BTRFS.

This configuration immediately revealed the complexity of the case. On the one hand, we were dealing with a BTRFS file system, renowned for its robustness but also for the difficulty of recovering data in the event of corruption. Secondly, we had to analyze a potentially corrupt Hyper Backup.

First approach: recovery from the RAID disk

Our first analysis focused on the 4TB disk configured in RAID1 with a BTRFS file system. We managed to extract some files, which was good news in itself. However, we quickly identified a major limitation: file names and directory structure were lost.

This is typical of BTRFS recoveries after major corruption. This modern file system uses a fundamentally different approach to traditional systems, separating metadata (names, paths, dates, etc.) from the data itself. When metadata is corrupted, it is often possible to recover the raw data, but without its essential attributes.

Although technically successful, this approach would have required considerable time to reorganize and identify the files. For an architect needing rapid access to specific projects, this solution was not optimal.

Second approach: analysis of Hyper Backup

We therefore turned our attention to the 1 TB external disk containing Hyper Backup. Our analysis revealed around 580 GB of data in the form of BUCKET and INDEX files, characteristic of Hyper Backup’s proprietary backup format.

Bucket index files, Synology Nas Hyper Backup
.index and .bucket files
Bkpi hbk files, Synology Nas Hyper Backup
.bkpi and .hbk files

The first attempt using the official Synology Hyper Backup Explorer utility was met with an unequivocal error message: “stored data on the backup destination are corrupted”.

Synology altered data
Stored data on the backup destination are corrupted
File folder partially copied or restored
Partially copied file/folder

This message confirmed our initial intuitions: the attack had not only affected the primary data, but had also compromised the integrity of the backups. In many cases, this type of situation represents an insurmountable obstacle for standard tools.

The solution: development of specialized proprietary tools

To get around this type of impasse, our team of engineers implemented a solution developed in-house: our Synology Backup Extractor tool. This proprietary tool has been specially designed to deal with situations where official tools fail due to partial corruption of Hyper Backups.

Synology Backup Extractor Recoveo
Synology Backup Extractor by Recoveo

Technical analysis of the situation revealed several specific challenges:

  1. Compression enabled: the backup used compression, a feature that optimizes disk space but significantly complicates recovery in the event of corruption.
  2. Corrupted .bucket and .index files: these files form the architecture of the Hyper Backup, and their corruption compromises access to the underlying data.
  3. Partial access with Hyper Backup Explorer: the official tool managed to recover around 75 GB of the 500 GB present, but regularly stopped with errors, displaying the message “Partially copied the file/folder”.

Our approach was to reconstruct the file and folder address mappings to bypass the corrupted metadata sections. This highly technical method required an in-depth understanding of the internal structure of Hyper Backup’s backup format.

Results: successful data recovery

Thanks to our specialized approach, we were able to achieve particularly satisfying results:

  • Recovery of 580 GB of data
  • Restoration of 411,000 files in 79,417 folders
  • Preservation of original hierarchical folder structure
  • Recovery of original file names

This success contrasts sharply with previous attempts to recover only 75 GB of data using the official Hyper Backup Explorer tool, i.e. around 15% of the total volume of data present.

For our architect customer, this difference was crucial. He was able to regain access to all his professional projects, including plans, 3D renderings, contractual documents and customer communications – data essential to the continuity of his business.

Lessons learned and recommendations

This case, although extreme, highlights several important aspects of professional data management:

1. The limitations of standard tools

Consumer recovery tools such as PhotoRec, although powerful in certain contexts, show their limitations when faced with complex situations involving advanced file systems such as BTRFS, or proprietary formats such as Hyper Backup.

Similarly, manufacturers’ technical support, however excellent, rarely has the ultra-specialized tools needed to deal with the most severe cases of data corruption.

2. The importance of secure backups

Cybercriminals now deliberately target backup systems, well aware of their strategic value. It is therefore essential to put in place mechanisms that protect not only your core data, but also your backups:

  • Air gap backups
  • Read-only backups
  • Multi-factor authentication for access to backup systems
  • Regular back-up integrity checks

3. The 3-2-1 rule for backups

This situation perfectly illustrates why the 3-2-1 rule for backups is essential:

  • 3 copies of your data
  • On 2 different types of media
  • With 1 copy stored off-site

In this case, our customer did have an external backup, but it was connected to the main system and therefore vulnerable to the same attack.

4. Developing specialized tools

This case demonstrates the vital importance of developing specialized tools for data recovery.

Our Synology Backup Extractor was born precisely out of this need to go beyond the capabilities of standard tools to respond to exceptional situations.

Synology NAS data recovery in brief

The recovery of this Colombian architect’s data represents a striking example of the complex challenges posed by modern ransomware attacks, particularly when they deliberately target backup mechanisms, even with advanced backup systems such as those found on Synology NAS.

Faced with a situation that even the manufacturer’s technical support considered irrecoverable, our approach combining technical expertise and specially developed proprietary tools saved over 580 GB of critical business data.

This case is a reminder that, in the field of data recovery, the most desperate situations can often find a solution thanks to technical innovation and specialized expertise. It also underlines the operational importance of a robust, diversified and secure backup strategy, particularly in an environment where computer attacks are becoming ever more sophisticated.

If you find yourself in a similar situation with a compromised Synology NAS or corrupted Hyper Backup, please visit our dedicated Synology NAS data recovery page to find out more about our services.

For more information or in case of emergency, please contact us. Our emergency team is available 24/7/365.

Request a quote
Picture of Florent Chassignol
Florent Chassignol

Partager cet article

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2025 SOS RANSOMWARE & RECOVEO TECHNOLOGY GROUP | Made by Tell It