Hi,
After a ransomware attack a customer's NAS was deleted (but not overwritten). The NAS in question stored all vital backups. EXT4 file-system-level recovery is notoriously difficult / impossible, so the only way to get the customer's data is carving the NAS's disks.
File carving returns a lot of known file types like images, office documents and text files. When looking a bit closer at the files, it becomes clear that only the first few bytes of the files are "good". After that some sort of compression (should be Veeam's RLE, compression level 1) is in place.
I made some example backups in the hope of reverse engineering the .vbk, and in particular the RLE encoding. I already found the back pointers in the encoded data stream, but there are still some missing links to be able to actually decode the data.
Can someone give me a hint on how Veeam's RLE works? If there are any known sources for the vbk/vib file structures as well, that would also be very helpful in finding and restoring vbk blocks from raw disk space.
thanks,
Dark-Sider
Fabian K. (Product Manager, Switzerland)
Re: RLE compression - recovery after Cyber attack
I think you should open a Veeam support case.
I heard that Veeam support has a dedicated team to help in case of a ransomware attack.
If someone can help you to rebuild the vbk (if it's even possible), then it's the technical support.
Open the case with severity level 1.
Product Management Analyst @ Veeam Software
Dark-Sider (original poster)
Re: RLE compression - recovery after Cyber attack
Thanks, will do so. Meanwhile I found out that it is not RLE but rather LZ4. The LZ4 tokens perfectly match the encoded data...
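Since the thread ends with the finding that the carved data is LZ4 rather than RLE, the following is an added example (not code from the thread, from Veeam, or from the LZ4 project) of a minimal LZ4 block decoder. It shows how a token, its literal run, the little-endian back-pointer offset and the match-length extension fit together, which is exactly the structure behind the "back pointers" mentioned in the first post. It assumes only the public LZ4 block format (no frame header, no checksums) and nothing about the .vbk container around the blocks; the sample blocks are constructed inline. A non-strict mode returns whatever decoded cleanly before the first error, which is what matters when a carved block is cut off at a disk-sector boundary.

```python
"""Minimal LZ4 block decoder plus a helper that builds sample blocks.

LZ4 block layout (per sequence):
  token      1 byte: high nibble = literal length, low nibble = match length - 4
  [lit ext]  if the literal nibble is 15: bytes of 255 ... plus a final < 255
  literals   copied verbatim to the output
  offset     2 bytes, little-endian, distance back into the output (1..65535)
  [match ext] if the match nibble is 15: same 255-run scheme as above
The last sequence of a block carries literals only (no offset).
This is an illustrative example, not Veeam's or the LZ4 project's code.
"""


def encode_length_ext(n):
    """Length-extension bytes for a value that overflowed a 15 nibble."""
    out = bytearray()
    while n >= 255:
        out.append(255)
        n -= 255
    out.append(n)
    return bytes(out)


def build_sequence(literals, offset=None, match_len=None):
    """Build one sequence; offset=None builds the literals-only tail."""
    lit_len = len(literals)
    lit_nib = min(lit_len, 15)
    if offset is None:
        seq = bytearray([lit_nib << 4])
        if lit_len >= 15:
            seq += encode_length_ext(lit_len - 15)
        return bytes(seq + literals)
    if match_len < 4 or not 1 <= offset <= 0xFFFF:
        raise ValueError("match length must be >= 4 and offset in 1..65535")
    ml = match_len - 4
    seq = bytearray([(lit_nib << 4) | min(ml, 15)])
    if lit_len >= 15:
        seq += encode_length_ext(lit_len - 15)
    seq += literals
    seq += offset.to_bytes(2, "little")
    if ml >= 15:
        seq += encode_length_ext(ml - 15)
    return bytes(seq)


def _read_length(buf, pos, nibble):
    """Resolve a nibble to a full length, consuming extension bytes if 15."""
    n = nibble
    if nibble == 15:
        while True:
            b = buf[pos]
            pos += 1
            n += b
            if b != 255:
                break
    return n, pos


def lz4_block_decompress(src, strict=True, max_out=1 << 20):
    """Decode one LZ4 block. With strict=False, return the bytes decoded
    before the first structural error instead of raising."""
    out = bytearray()
    pos, n = 0, len(src)
    try:
        while pos < n:
            token = src[pos]
            pos += 1
            lit_len, pos = _read_length(src, pos, token >> 4)
            if pos + lit_len > n:
                raise ValueError("truncated literals at %d" % pos)
            out += src[pos:pos + lit_len]
            pos += lit_len
            if pos == n:
                break  # literals-only tail: block is complete
            if pos + 2 > n:
                raise ValueError("truncated offset at %d" % pos)
            offset = int.from_bytes(src[pos:pos + 2], "little")
            pos += 2
            if offset == 0 or offset > len(out):
                raise ValueError("back-reference offset %d out of range" % offset)
            match_len, pos = _read_length(src, pos, token & 0x0F)
            match_len += 4
            if len(out) + match_len > max_out:
                raise ValueError("output limit exceeded")
            start = len(out) - offset
            for i in range(match_len):
                out.append(out[start + i])  # byte-wise copy so overlap works
    except (ValueError, IndexError):
        if strict:
            raise
    return bytes(out)


# Constructed sample: 4 literals, then a 12-byte match 4 bytes back, then a tail.
SAMPLE = build_sequence(b"abcd", offset=4, match_len=12) + build_sequence(b"end!")
# Constructed sample exercising the literal-length extension byte.
SAMPLE_EXT = (build_sequence(b"0123456789ABCDEFGHIJ", offset=3, match_len=5)
              + build_sequence(b"zz"))

if __name__ == "__main__":
    print(SAMPLE.hex(), "->", lz4_block_decompress(SAMPLE))
    print(lz4_block_decompress(SAMPLE[:6], strict=False))  # cut-off block
```

The byte-wise match copy is deliberate: an offset smaller than the match length means the copy overlaps its own output (that is how LZ4 expresses a run), and a slice copy would read bytes that do not exist yet. For carving, run the decoder with `strict=False` over each candidate and keep the candidates that yield a long clean prefix.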