Ransomware encrypted or NOT encrypted? Magic header...

[aweber3]

Hi there at veeam forum, we had an encryption process by ryuk malware some times ago. Because of an strange reason, the big backup files do not have a ending .ryuk and in a hexeditor opened, they seems not to be encrypted, maybe partly because i can read some text there like xml tags.

In all the directories for the jobs, there is one .vbm-File - encrypted with ending .ryk- but one .vbk file (seems to be not encrypted, do not have the ryk-suffix) and some .vib-Files without ryk-suffix, too.

The .vbk-file and the .vib-files seems not to be encrypted, because, if i open this files in an hexeditor, i can read some things like xml-tags and so on.

But if i open the vbk in the veeam backup extraction utility, i see no recoverable machines, the listbox is empty.

My questions would be:
-how is the typical magic header of a vbk-file? the first, lets say, 1000 Bytes?
-do i need the vbm-file for recovery?
-is it possible to "repair" a backup file somehow?

Thanks.

[Gostev]

Hi, Alois.

Unfortunately, we will not be able to assist you with the recovery over forum posts nor are we able to share the requested backup file format information publicly.

Kindly contact our Customer Support, they have the dedicated SWAT team specializing on assisting our customers in recovering from ransomware attacks. They should be able to salvage some data from unencrypted parts of backup files, as long as at least some metadata banks have survived.

To share some good news, VBM file is not essentials for recovery as it's just a metadata cache... VBK and VIB files are what matters.

Thanks and good luck!