Veeam Backups

Deleted Veeam Backup Files (.VBK) on a Synology NAS

We were recently contacted by an IT partner based in Germany regarding a critical incident involving data loss following a ransomware attack. The targeted company believed it had two separate backups that would allow for a rapid business recovery, but events revealed several unexpected challenges.

First backup: an external hard drive damaged during the incident

The service provider had a first backup stored on a 20 TB Toshiba external hard drive. Completely disconnected from the internet, this medium should normally have been the ideal restoration solution—isolated, accessible, and protected against ransomware propagation. However, in the panic caused by the incident, the drive was accidentally dropped. The impact resulted in a major mechanical failure, rendering the device unreadable.

Confronted with this urgent situation, the service provider decided to contact a data recovery company that claimed to be located in Germany, when its main laboratory was actually located in the United Kingdom. Despite the “free diagnosis” claim displayed on its German website, a quote of €1,340 was immediately required for a simple diagnostic, with an additional €450 charged in the event of a successful recovery.

Misleading marketing promises! A success rate that could not be justified! Outside the EU!

Beyond the questionable nature of these practices, the announced deadlines were not met. In addition to that, the partner could not get hold of them easily, which seriously eroded trust in that particular external service provider. After more than fifteen days of waiting without any tangible results, it became clear that this approach would not deliver any concrete solution.

This situation highlights the importance of choosing a recognised and transparent data recovery laboratory.

Second backup: a Synology NAS with deleted Veeam backups

The second backup involved a four-bay Synology NAS, model DS425+. The backups were performed using Veeam Backup & Replication (VBR) version 12.3, producing VBK and VIB files. To increase the level of security, the end customer had enabled password-protected backups, securing the files with Veeam’s native AES-256 encryption.

When the service provider attempted to recover the data, they quickly encountered a series of problems. More than a dozen data recovery software tools were tested, without success. The extracted files appeared partial, corrupted, or completely unreadable. Only two small VIB files could be recovered, but they ultimately proved unusable for a complete restoration. Faced with this dead end, the service provider eventually sent us the entire NAS along with its four internal drives. We subsequently discovered that a dispute existed between the service provider and its own end customer. As a result, the provider attempted all possible in-house solutions before acknowledging that the situation required advanced expertise. This dynamic partly explains the numerous preliminary tests and the delay before the hardware was shipped.

Technical analysis: a Btrfs file system with data deletion

All four NAS drives were sent to us for analysis. The volume was formatted in Btrfs, an advanced file system that is particularly complex to deal with in cases of data deletion. In this specific case, several critical components pertaining to the file system were missing, making any standard recovery approach impossible. Our teams carried out a series of manual repairs on the Btrfs structure, one after the other. Thanks to recent improvements to ScanX, our proprietary analysis engine capable of efficiently handling file systems such as Btrfs, ReFS, Ext4, and NTFS, we were able to perform a coherent partial reconstruction of the volume. After several in-depth analysis passes, we identified five VBK files with potential for recovery. Among them, four files proved to be fully valid, including the most recent one. This result represented a decisive breakthrough in the case. While our teams sometimes jokingly attribute such outcomes to luck, the reality is based on a combination of strict methodologies, cutting-edge tools, and expertise built up through numerous complex cases. Recovering a valid VBK file from a Btrfs system, after multiple unsuccessful external attempts and extensive prior manipulation, clearly illustrates the added value of a specialised intervention.

Conclusion: stay calm and make the right choices

This case study highlights a key point: in a crisis situation, panic can lead to additional mistakes, and relying on non-professional service providers can worsen or delay the situation. Choosing a data recovery laboratory must therefore be done with great care. Thanks to our intervention, critical data were successfully restored from the valid VBK file extracted from the NAS. This outcome enabled the German partner to ensure service continuity for its end customer.