Digital Recovery was engaged to respond to a critical incident involving a mid-sized German automotive company whose IT infrastructure was severely compromised by a ransomware attack. All communication and case management were conducted directly with the company responsible for providing IT support to the end client.
According to the initial analyses and technical reports provided by the IT support team, the attack originated from the exploitation of the firewall, allowing the attackers to gain initial access to the backup environment and subsequently to the production server. This type of approach demonstrates a targeted attack, focused on first compromising recovery mechanisms to maximize operational impact.
After gaining unauthorized access, the attackers deployed LockBit 5.0 ransomware, one of the most advanced and destructive variants currently in circulation, known for its ability to encrypt entire virtualized environments in a very short period of time.
The impact was total. All virtual machines in the environment, including their VMDK files, were encrypted, completely compromising the critical systems used by the company.
The technical scenario presented was highly sensitive and complex. The attack affected:
- 1 Lenovo server, responsible for the production environment
- 1 Synology NAS device, used for backup purposes
- Approximately 1.3 TB of corporate database data
- All virtual machines in the environment, rendering the system unavailable
Although two backups existed, neither was viable for restoration. One of the backups was also encrypted during the attack, while the second consisted of a tape backup with a delay of approximately eight months, making its use unfeasible from an operational and business continuity standpoint.
The company did not have a structured ransomware incident response plan, which limited the immediate options after the attack and reinforced the need for a specialized approach to recovering ransomware-encrypted data.
Recovery Process and Digital Recovery’s Response
As part of Digital Recovery’s standard protocol, the initial request was for all physical devices to be sent for a complete analysis, including the production environment and backups. This approach makes it possible to assess all potential recovery paths, significantly increasing the chances of success.
Given the impossibility of shipping the original server, the team quickly adapted the strategy to work with the copied volumes, maintaining the technical rigor required for an environment compromised by advanced ransomware.
The recovery was made possible primarily by the experience of Digital Recovery’s technical team in cases involving LockBit 5.0, combined with the use of proprietary internal tools developed specifically for advanced encryption scenarios. A detailed analysis of data structures and the ransomware’s behavior on VMDK files made it possible to define the safest and most effective approach to proceed with the recovery.
In addition, the team operated on a 24×7 basis, accelerating the case analysis and reducing the total data downtime.
Final Outcome
The complete recovery process took 10 calendar days, from project intake to final approval of the recovered data. In the end, the critical data was successfully restored, allowing the company to resume operations and ensure business continuity.
The client proved to be extremely satisfied with the outcome, highlighting the importance of regaining access to the data in order to keep the company operational. A relevant point observed throughout the project was the change in the client’s perception: during the initial contact, there was little optimism regarding recovery, a common scenario in incidents involving advanced ransomware attacks.
As the project progressed, clear communication, technical mastery of the environment, and transparency in the information provided were fundamental in gaining the trust of the client and their IT support team, transforming an initially pessimistic scenario into a success story.
Conclusion
This case reinforces that ransomware attacks such as LockBit 5.0 not only encrypt data, but also compromise backups and involve multiple parties, such as insurers and law enforcement authorities, significantly increasing the complexity of the recovery process.
Digital Recovery operates precisely in these critical scenarios, offering professional recovery of encrypted data even when backups fail, environments are highly virtualized, and legal or operational constraints are present. Technical expertise, an appropriate methodology, and strategic communication were decisive factors in the success of this project.


