Virtual machine recovery after a LockBit 5.0 ransomware attack

Digital Recovery was engaged to respond to a critical incident involving a mid-sized company in the woodworking sector, with more than 30 employees, whose IT infrastructure was severely compromised following a ransomware attack.

The attack occurred through the exploitation of a vulnerability, allowing unauthorised access to the organisation’s internal environment. Following the intrusion, the attackers deployed LockBit 5.0 ransomware, one of the most advanced and aggressive variants currently active, known for targeting complex and highly virtualised corporate environments.

The impact was immediate. The virtual machines in the environment, including their VMDK files, were encrypted, leaving the systems essential to the company’s operations inaccessible. As a direct consequence, the organisation was completely paralysed for five days, incurring a significant financial loss and facing real risks to business continuity.

The first contact with Digital Recovery took place one day after the attack. The client was in a state of extreme emotional distress, visibly desperate, without access to the virtual machine data, and deeply concerned about the possibility of permanent data loss and the future of the company.

Compromised technical environment and key challenges

From a technical standpoint, the scenario presented a high level of complexity. The attack compromised two VMware ESXi servers responsible for hosting the company’s critical virtual machines, as well as a Synology device used as a backup repository. In total, approximately 5 TB of data were encrypted by the ransomware.

Although the company had backups in place, the backup environment was also encrypted during the attack, completely eliminating the possibility of a conventional restoration. In addition, the organisation did not have a structured ransomware incident response plan, which limited the immediate options after the infection and increased the urgency for a specialised solution.

The project’s greatest technical challenge was gaining access to the virtual machines within a complex virtualised environment, involving multiple servers and a large volume of encrypted data. After the initial backup analysis failed to produce viable results, it became necessary to deepen the investigation directly on the ESXi servers to identify alternative recovery paths.

Recovery process carried out by Digital Recovery

The work carried out by Digital Recovery began with a comprehensive technical analysis of the entire environment, rather than focusing solely on the compromised backup. This approach was decisive to the success of the project, as it made it possible to identify that, despite the encryption, there were still real technical possibilities for recovery directly from the virtual machines.

The team conducted an in-depth analysis of the data structure, of how the ransomware had affected the VMDK files, and of the state of the virtualised environment. Based on this analysis, the safest and most effective strategy for proceeding with the recovery was defined.

The combination of the technical team’s advanced expertise, the use of proprietary internal tools, and a methodology specifically designed for virtualised environments made it possible to overcome the technical challenges and move forward in a controlled manner throughout the data recovery process.

Throughout the entire project, communication with the client was conducted in a clear, objective, and transparent manner, with constant updates on the progress of the work and strict adherence to the agreed timelines. The team also adapted its follow-up approach to better address the client’s emotional needs, providing reassurance and confidence during a critical moment.

Final outcome and resumption of operations

In just 72 hours, Digital Recovery was able to complete a full analysis of the environment and recover the essential priority data, allowing the company to resume its operations and significantly reduce the financial and operational impact of the attack.

Upon receiving the recovered data, the client’s reaction was one of immediate relief and gratitude, recognising the team’s commitment, professionalism, and transparency throughout the entire process. Even in the face of a highly adverse scenario, the case was successfully resolved through technical expertise, an appropriate methodology, and effective communication.

This case reinforces an increasingly common reality: advanced ransomware attacks, such as LockBit 5.0, often compromise not only production systems but also the backups themselves. In such situations, a company specialised in ransomware decryption becomes the only viable alternative to ensure business continuity.

Digital Recovery operates precisely in these critical scenarios, offering specialised solutions for the recovery of virtual machines, servers, storage systems, and corporate data after ransomware attacks, always with total confidentiality and an absolute focus on the rapid resumption of operations.
