Ransomware Data Recovery Case Studies
Ransomware can halt business operations in their tracks, but it doesn’t have to mean everything is lost. Explore two real-world cases that show how Gillware recovers data when standard solutions fall short.
Ransomware incidents rarely follow a predictable path. Each one presents a unique mix of technical challenges, time pressure, and real-world consequences. The following case studies highlight how Gillware’s engineers approach these high-stakes situations, combining deep technical expertise with creative problem-solving to recover data others deemed unrecoverable.
Law Office Ransomware: Btrfs Zero-Fill
The Problem: A law office came to us facing a serious issue: their Synology NAS had been hit by ransomware, and the first 140 GB of an 8 TB volume had been zero-filled. That initial portion of the drive contained critical filesystem metadata, causing the entire volume to appear empty and unmountable.
Synology systems use the Btrfs filesystem — powerful, but notoriously fragile. It relies on structures like the Chunk Tree to track data, and part of that structure had been destroyed in the overwritten region. To standard tools, the volume looked unrecoverable, leaving the firm feeling their only option was to pay the ransom.
Our Approach: Our engineers took a different path. We developed custom software to scan the full 8 TB volume for any surviving fragments of metadata, then designed a method to translate those fragments back into usable pointers. Instead of attempting a traditional top-down mount, we rebuilt the filesystem from the bottom up, piecing together directories and files from what remained intact.
The Result: We reconstructed a usable directory tree and recovered access to the folders the client urgently needed. In total, more than 90% of the firm’s critical legal data was restored. This outcome was only possible because our engineers could adapt our in-house platform, write new code on the fly, and execute under pressure — turning what looked like a total loss into a successful recovery.
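A sketch of the scan-and-translate idea from this case, added here as an example and not Gillware's software: it walks a raw image for Btrfs tree blocks that still carry a valid header checksum, then uses the gap between each block's physical offset and the logical address in its header as a candidate chunk mapping. It assumes the default 16 KiB nodesize, crc32c checksums, and a filesystem UUID already known (for instance from a surviving superblock mirror); the sample image and helper names are constructed.

```python
import struct
from collections import Counter

NODESIZE = 16384   # assumed btrfs default; the real value is stored in the superblock
STEP = 4096        # tree blocks are sector-aligned on disk
# btrfs_header: csum, fsid, bytenr, flags, chunk_tree_uuid, generation, owner, nritems, level
HDR = struct.Struct("<32s16sQQ16sQQIB")
TREES = {1: "root", 2: "extent", 3: "chunk", 4: "dev", 5: "fs", 7: "csum"}

_T = []
for _i in range(256):                      # CRC-32C (Castagnoli) lookup table
    for _ in range(8):
        _i = (_i >> 1) ^ (0x82F63B78 if _i & 1 else 0)
    _T.append(_i)

def crc32c(data):
    c = 0xFFFFFFFF
    for b in data:
        c = _T[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF

def scan(image, fsid):
    """Return (physical offset, logical bytenr, tree, level, generation) per intact tree block."""
    hits = []
    for off in range(0, len(image) - NODESIZE + 1, STEP):
        block = image[off:off + NODESIZE]
        csum, bfsid, bytenr, _fl, _uuid, gen, owner, _n, level = HDR.unpack_from(block)
        if bfsid != fsid or level > 7:     # cheap filters before the checksum
            continue
        if csum[:4] == struct.pack("<I", crc32c(block[32:])):
            hits.append((off, bytenr, TREES.get(owner, owner), level, gen))
    return hits

def chunk_deltas(hits):
    """physical - logical is constant inside one chunk, so each delta is a candidate mapping."""
    return Counter(off - bytenr for off, bytenr, *_ in hits)

def make_block(fsid, bytenr, owner, gen, level=0):
    """Constructed sample data: an empty tree block with a valid header and checksum."""
    body = HDR.pack(b"", fsid, bytenr, 0, b"\x11" * 16, gen, owner, 0, level)[32:]
    body = body.ljust(NODESIZE - 32, b"\0")
    return struct.pack("<I", crc32c(body)).ljust(32, b"\0") + body

FSID = bytes(range(16))                    # constructed filesystem UUID
SAMPLE = bytearray(64 * 4096)              # zero-filled image stands in for the wiped region
for phys, logical, owner in [(0x20000, 0x1420000, 5), (0x28000, 0x1428000, 2)]:
    SAMPLE[phys:phys + NODESIZE] = make_block(FSID, logical, owner, gen=42)
```

Deltas shared by many blocks are the ones worth trusting; when several blocks claim the same logical address, the highest generation is the most recent copy.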
Speedy Trial Ransomware: ESXi Double Encryption
The Problem: A county government’s ESXi server was hit with ransomware, encrypting all of its virtual machines, including critical data such as depositions, trial records, and evidence files. Without recovery, prosecutors would have been unable to meet constitutional deadlines for a speedy trial, and criminals could have walked free.
The technical challenge was significant. ESXi stores data in VMDK files, which in this case were thick-provisioned virtual disks — massive files, each hundreds of gigabytes in size. The attackers had encrypted the first 10% of every file, where essential structures like the Master File Table are located. Although most of the data remained untouched, the encrypted portions made the files appear corrupted and unusable.
The client had already paid the ransom and attempted decryption. Some files were recovered, but several remained inaccessible. Another lab had concluded there was nothing more that could be done.
Our Approach: Our engineers took a closer look. We discovered that the affected files contained two sets of ransomware metadata at their endpoints, a strong indicator that they had been encrypted twice. The attackers’ decryptor wasn’t built to handle this scenario and failed when encountering multiple encryption layers.
To solve the problem, we reverse engineered the decryptor, analyzed its behavior, and modified it to process a single layer of encryption at a time. By running the patched version twice, we were able to systematically remove each layer and restore the data.
The Result: Every corrupted file was successfully recovered, allowing the county’s court system to continue operating without disruption. This case highlights Gillware’s ability to combine deep reverse engineering expertise with real-world urgency, delivering results when the stakes extend far beyond the data itself.
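For triage of partially encrypted virtual disks like the ones in this case, an added example (not Gillware's tooling) that samples a large file and reports how much of it is covered by a leading run of high-entropy blocks, which is how a responder can confirm that only a prefix was encrypted. The 7.5 bits-per-byte threshold, the sample count and the constructed test disk are assumptions.

```python
import hashlib, io, math
from collections import Counter

BLOCK = 4096

def entropy(block):
    """Shannon entropy in bits per byte (8.0 is indistinguishable from random)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def encrypted_prefix(f, size, samples=200, threshold=7.5):
    """Sample evenly spaced blocks and return the fraction of the file
    covered by the leading high-entropy run (accurate to one sampling step)."""
    step = max(BLOCK, size // samples // BLOCK * BLOCK)
    last_high = 0
    for off in range(0, size - BLOCK + 1, step):
        f.seek(off)
        if entropy(f.read(BLOCK)) < threshold:
            break                          # first structured block ends the run
        last_high = off + step
    return min(last_high, size) / size

def make_sample(blocks=1000, encrypted=100):
    """Constructed stand-in for a flat VMDK: pseudo-random prefix, structured remainder."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                     for i in range(encrypted * BLOCK // 32))
    plain = (b"FILE0" + bytes(1019)) * 4 * (blocks - encrypted)
    return io.BytesIO(noise + plain), blocks * BLOCK
```

Compressed or already-encrypted guest data also scores high, so a run that never drops below the threshold needs a second check before the disk is treated as fully encrypted.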

