I'm in a tough situation here. One of our clients was hacked after an open VPN SSL port was left exposed on the firewall. The attacker encrypted all of the client's data and also deleted the Veeam backups, which means we currently have no accessible files or backups. Unfortunately, they also didn't have offsite or cloud replication set up. I'm hoping to find out if there's any chance to recover the encrypted or deleted files from the original system or remnants of the Veeam backup data. Has anyone experienced something similar and successfully recovered files using forensic or recovery software? Can .vbk or .vib files be recovered from the storage if they weren't overwritten? Any advice, even if it's just lessons learned, would be really appreciated. Thanks in advance!
3 Answers
Your chances of recovery depend heavily on whether the files were overwritten. I had a similar case where a lot of data was lost, but we managed to get some files back from systems that had been misconfigured or were offline. It's all about being lucky sometimes within those chaos moments. Continue to image everything you can now, and remain hopeful for a decryptor down the line, though honestly, such tools can be few and far between.
Honestly, paying the ransom might seem tempting, but it often just encourages attackers to continue their tactics. If your client is set on not paying, you’re looking at a tough road for recovery. There are ransomware strains out there like Qilin that don't have known decryption methods without paying up. It's largely about being prepared to move on if you can't recover using more traditional methods, especially since modern ransomware makes data recovery pretty difficult without backups.
Exactly! Paying just fuels the fire. Focus on recovery efforts and improving security protocols so this doesn't happen again. Good luck!
It sounds like a really rough situation. The first thing to consider is having proper offsite backups in place, which it seems like your client missed out on. As for recovery, you might want to look into professional data recovery services. I've used Ontrack for similar issues before, and they did a decent job of previewing recoverable files before any costs were incurred. If you’re looking at free options, I suggest trying TestDisk, PhotoRec, and ddrescue, but be cautious and clone your disks before using any recovery tools to avoid further data loss. Also, if your backup server isn't set up off-domain with unique credentials, you should really think about that moving forward. They probably left a backdoor, so ensure you inspect for any new accounts or services that could signal ongoing issues.
That’s a good point about their security setup. I’ve been pushing for stronger protocols since joining my MSP, but it’s easy to overlook details. I’ll definitely check out Ontrack and the recovery tools you mentioned.
That’s an encouraging perspective! I guess we’ll just have to keep our fingers crossed for a recovery tool. Thanks for sharing your experience!