If you find yourself fighting to restore business operations after a ransomware attack, you may get discouraged and begin to wonder if anything will go your way if you try to restore from backups and see a “Storage version is not supported for read-only access” error.
Now, me personally, I’m an experienced consultant…like an IT Mr. Spock (maybe Joe Montana), always keeping my emotions under control and maintaining calm so as to exude professionalism. Thus, this error didn’t bother me at all, in fact, I embraced yet another challenge being thrown my way while simultaneously dealing with a dozen others! Of course, I’m joking a little in that I didn’t joyfully embrace this issue and if memory serves, I slammed my mouse on the desk. It was a mistake, I should not have done it as I believe its a good practice for a consultant to maintain calm in the midst of chaos…I should have gone outside and thrown a rock or something.
Nonetheless, I have an error and need to do something about it so in an attempt to keep my workload manageable, I decided to open a case with Veeam support. To make a long story short, support asked pretty quickly, “What happened to these files?”…my reply…”cough-ransomware-cough”. The call ended shortly thereafter and the explanation I received was something to the effect of “if backup files are encrypted with ransomware, we can’t ensure their integrity even if a decrypt tool is executed and appears to work….basically, you’re hosed.” Honestly, this was the answer I was expecting but was hoping beyond hope perhaps that a solution could be found and data restored.
Though hope for restores was seemingly dead, I didn’t throw my hands up and quit. But I kept digging thinking that maybe, just maybe, there was a third party tool that could read from the backup files…kinda like a Veeam version of ExMerge that could read at least some portion of the backup file and let me restore something if not everything. Maybe I should be embarrassed to admit this seeing I’ve become Veeam Vanguard, but I didn’t know that the tool I was looking for, Veeam Extract, was “hidden” in the %PROGRAMFILES%\Veeam\Backup and Replication\Backup directory. I think what keeps me from feeling total shame is that the support engineer didn’t use or mention it either so maybe Extract’s existence is a secret to many…
Taken directly from the Veeam Help Center Extract page: “Veeam Backup & Replication comes with an extract utility that can be used to recover machines from backup files. The extract utility does not require any interaction with Veeam Backup & Replication and can be used as an independent tool on Linux and Microsoft Windows machines.”
To extract data:
- Run the Veeam.Backup.Extractor.exe file from the installation folder of Veeam Backup & Replication.
- In the Backup file field, click Browse and specify a path to the backup file from which you want to restore machine data.
- If the backup file is encrypted, the extract utility will require you to provide a password to unlock the backup file. Enter the password that was used for backup file encryption.
- In the Target folder field, specify a path to the destination folder where machine data must be restored.
- From the Machines list, select machines whose data you want to restore.
- Click Extract. Machine data will be restored to the specified folder.
That’s really all there is to it. Of course, the extract process isn’t blazing fast so I would suggest you find other things to do while it’s running. The largest disk I extracted was around 700GB and it took hours to complete.
When the process completes, you will have VMX, VMXF, NVRAM, and VMDK files in the specified target folder. At this point, you can upload them to a VMware datastore and add the VM to your vSphere inventory. If you only need to restore a few files/folders, you may find it quicker to use a utility like PowerISO which is able to examine the contents of a VMDK and extract only the files/folders you need.
Veeam Extract wasn’t able to read every backup file in the original backup repository, some files were just too far gone I suppose. Regardless, Veeam Extract was able to restore several virtual disks and many files that proved impossible using the standard recovery methods available within Veeam Backup and Recovery.