🇮🇹 Complete recovery of a VMware environment after an Akira ransomware attack

An Italian company specialized in workplace safety consulting and mandatory training and certification programs sought Digital Recovery’s assistance after suffering a severe Akira ransomware attack. The incident was identified on a Monday morning, when the team returned to the office and found the entire critical environment inaccessible.

The VMware environment was completely unavailable, the folders stored on the NAS had been encrypted, and all systems responsible for training, certifications, and customer documentation were offline. In practice, the company’s operations had been completely halted.

The initial contact was made by the IT administrator, who showed significant concern. He had spent the entire weekend trying to understand the origin and scope of the attack, but upon returning to the office, he confirmed the worst possible scenario: all critical systems had been encrypted.

According to the technical lead, the company depended directly on this data to maintain its clients’ legal compliance. The loss of training records and certifications would make it impossible to continue operations, in addition to creating immediate contractual and legal risks.

The urgency of the case was evident from the very first contact.

Initial Technical Assessment

During the initial technical analysis, the Digital Recovery team found a virtualized VMware infrastructure, multiple VMDK files encrypted by the Akira ransomware, and a NAS that served as both primary file storage and the backup target. A NAS that plays both roles is a single point of failure: anything that can write to its shares can reach the backups stored on them as well, which is why the encrypted NAS folders took the conventional restore path down with them.

Akira is a ransomware family known for aggressive tactics, including the deliberate corruption of backup structures, with the aim of eliminating recovery alternatives and forcing payment of the ransom. This behavior significantly increased the complexity of the scenario and reinforced the company's concern that its data could not be recovered through conventional means. Like several current families, Akira also tends to encrypt large files only partially, trading completeness for speed, which is why a multi-gigabyte virtual disk can be unusable as a whole yet still retain most of its data blocks and structural metadata.

Detailed analysis by Digital Recovery's engineers identified two factors that made recovery feasible: the snapshots stored on the NAS still contained technically recoverable data, and the essential headers of the VMDK files had not been destroyed during the encryption process. Both have to be verified rather than assumed: a snapshot is only useful if it predates the start of the encryption and the attacker did not have the rights to delete it, and a virtual disk with an intact header can still have most of its data blocks overwritten.

Based on these findings, a multi-layer recovery strategy was defined. The VMDK files were reconstructed structurally from their surviving headers and metadata, restoring the logical integrity of the virtual disks. In parallel, the NAS snapshots were read directly from the storage volumes, bypassing the NAS's normal restore mechanisms, which the attack had compromised.

Subsequently, all servers were rebuilt individually, with full validation of operating systems, applications, and services. Finally, the training and certification platforms, as well as all customer documentation, were restored and tested to ensure consistency, integrity, and operational reliability.
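The two findings that made this case recoverable (surviving VMDK headers, data that was only partially encrypted) are exactly what a responder has to verify before promising a structural reconstruction. The script below is an added example, not Digital Recovery's tooling and not taken from the original case: it decodes the binary header of a hosted sparse extent and the text descriptor as documented in the public VMware Virtual Disk Format specification, samples entropy across a file to estimate what share of it was actually encrypted, and runs on a constructed in-memory image rather than a real disk. The header field values, the descriptor text and the every-other-block encryption pattern of the sample are assumptions made for the demo.

```python
"""Post-incident triage of VMDK files: does the header still parse, and how much of
the file looks encrypted?  Added example; not Digital Recovery's tooling."""
from __future__ import annotations

import io
import math
import random
import re
import struct
from collections import Counter

SECTOR = 512
# SparseExtentHeader from the VMware Virtual Disk Format spec: packed little-endian,
# 79 bytes of fields followed by 433 bytes of padding (one 512-byte sector).
SPARSE_HEADER_FMT = "<IIIQQQQIQQQBccccH"
SPARSE_MAGIC = 0x564D444B  # the bytes b"KDMV" read as a little-endian uint32
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(SPARSE|FLAT|VMFS|VMFSSPARSE|ZERO)\s*(?:"([^"]*)")?',
    re.M)


def parse_sparse_header(sector0: bytes) -> dict | None:
    """Decode the binary header of a hosted sparse extent; None if magic/size is wrong."""
    if len(sector0) < SECTOR:
        return None
    f = struct.unpack_from(SPARSE_HEADER_FMT, sector0, 0)
    if f[0] != SPARSE_MAGIC:
        return None
    return {"version": f[1], "flags": f[2], "capacity_sectors": f[3],
            "grain_size_sectors": f[4], "descriptor_offset": f[5],
            "descriptor_size": f[6], "gtes_per_gt": f[7], "rgd_offset": f[8],
            "gd_offset": f[9], "overhead_sectors": f[10], "compress_algorithm": f[16]}


def header_plausible(h: dict) -> bool:
    """Cheap sanity checks; a random-byte overwrite essentially never passes all of them."""
    g = h["grain_size_sectors"]
    return (h["version"] in (1, 2, 3) and g > 0 and (g & (g - 1)) == 0
            and h["capacity_sectors"] > 0 and h["gtes_per_gt"] == 512)


def parse_descriptor(text: str) -> dict | None:
    """Parse the text descriptor (standalone .vmdk on ESXi, or embedded in a sparse extent)."""
    if "# Disk DescriptorFile" not in text:
        return None
    kv = dict(re.findall(r"^(\w+)=(\S+)$", text, re.M))
    extents = [{"access": a, "sectors": int(n), "type": t, "file": fn}
               for a, n, t, fn in EXTENT_RE.findall(text)]
    return {"cid": kv.get("CID"), "parent_cid": kv.get("parentCID"),
            "create_type": kv.get("createType", "").strip('"'), "extents": extents}


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, 0.0 for zero-filled space."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def sample_encrypted_fraction(fh, size: int, samples: int = 64, chunk: int = 4096,
                              threshold: float = 7.5) -> float:
    """Read `samples` chunks spread evenly over the file and return the share that look
    encrypted.  Partial encryption of a large file shows up as a fraction well below 1."""
    if size <= 0:
        return 0.0
    hits = 0
    for i in range(samples):
        fh.seek(size * i // samples)
        if shannon_entropy(fh.read(chunk)) >= threshold:
            hits += 1
    return hits / samples


def triage(fh, size: int) -> dict:
    """Run all checks on one seekable binary file object and summarise the result."""
    fh.seek(0)
    sector0 = fh.read(SECTOR)
    hdr = parse_sparse_header(sector0)
    result = {"header": None, "descriptor": None}
    if hdr and header_plausible(hdr):
        result["header"] = hdr
        if hdr["descriptor_offset"] and hdr["descriptor_size"]:  # embedded text descriptor
            fh.seek(hdr["descriptor_offset"] * SECTOR)
            raw = fh.read(hdr["descriptor_size"] * SECTOR)
            result["descriptor"] = parse_descriptor(raw.rstrip(b"\0").decode("ascii", "replace"))
    elif sector0.startswith(b"# Disk DescriptorFile"):  # standalone descriptor file
        fh.seek(0)
        result["descriptor"] = parse_descriptor(fh.read(size).decode("ascii", "replace"))
    result["encrypted_fraction"] = sample_encrypted_fraction(fh, size)
    has_structure = result["header"] is not None or result["descriptor"] is not None
    result["reconstructable"] = has_structure and result["encrypted_fraction"] < 1.0
    return result


def triage_bytes(data: bytes) -> dict:
    return triage(io.BytesIO(data), len(data))


# Constructed sample descriptor (assumed values; not from any real VM).
DEMO_DESCRIPTOR = (
    "# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n"
    'createType="monolithicSparse"\n\n# Extent description\nRW 2048 SPARSE "demo.vmdk"\n\n'
    '# The Disk Data Base\n#DDB\nddb.virtualHWVersion = "14"\nddb.adapterType = "lsilogic"\n')


def build_demo_disk(size: int = 1 << 20) -> bytes:
    """Constructed sample image (not a real VMDK): sparse header + embedded descriptor,
    low-entropy payload, then every other 64 KiB block overwritten with random bytes
    to mimic intermittent encryption.  Block 0, which holds the header, survives."""
    capacity = size // SECTOR
    header = struct.pack(SPARSE_HEADER_FMT, SPARSE_MAGIC, 1, 3, capacity, 128, 1, 20,
                         512, 0, 21, 128, 0, b"\n", b" ", b"\r", b"\n", 0).ljust(SECTOR, b"\0")
    descriptor = DEMO_DESCRIPTOR.encode().ljust(20 * SECTOR, b"\0")
    payload = (b"training-record;" * (size // 16))[: size - len(header) - len(descriptor)]
    disk = bytearray(header + descriptor + payload)
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    block = 64 * 1024
    for start in range(block, size, 2 * block):
        disk[start:start + block] = rng.randbytes(block)
    return bytes(disk)


if __name__ == "__main__":
    print(triage_bytes(build_demo_disk()))
```

To run this against real files, open each VMDK read-only in binary mode and pass `os.path.getsize(path)` to `triage`; do it on a forensic copy, not the original volume. Two caveats apply when reading the output. High entropy also flags compressed or encrypted-at-rest guest data, so a fraction near 1.0 means "look closer", not "unrecoverable". And on an ESXi datastore the `-flat.vmdk` extents have no binary header at all: for those, only the separate text descriptor and the guest partition table inside the extent can tell you whether the structure survived, so a `header` of `None` there is expected rather than a sign of damage.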

All work was carried out with strict technical and forensic control, ensuring traceability, security, and the preservation of the recovered data.

Final Result

The project was completed with a full recovery of the environment. All servers and documents were successfully restored, as were the training and certification platforms used by the company. No ransom was paid, and no regulatory or contractual compliance obligations were missed.

The Italian company was able to fully resume its operations, preserving business continuity, customer trust, and its reputation in the market.

This case demonstrates that, even against a highly destructive ransomware family such as Akira, a specialized technical approach combined with advanced data recovery engineering can prevent irreversible losses and remove the need to negotiate with criminals.

Digital Recovery reinforces, with this project, its position as a company specialized in the recovery of ransomware-encrypted virtualized environments, operating in a technical, strategic, and independent manner, always focused on the complete restoration of data and the preservation of the operational integrity of affected companies.
