This case study documents the successful technical restoration of a Veeam Backup  following a severe attack by the .makop ransomware. Through advanced block-level reconstruction, our team successfully recovered the client’s critical ERP data with near-perfect integrity.

Client & Data Information

• Client Name: Confidential
• Data Type: veeam backup  VBK
• Data Capacity: 4.5TB
• Ransomware Extension: .makop

Incident Summary

The client’s server was compromised by the .makop ransomware, which encrypted all production files and altered their extensions. This variant specifically targets backup files and vbk to force ransom payments. The company’s ERP system was completely offline. However, upon forensic inspection of the 4.5TB vm file, our engineers discovered that while the file was corrupted, the internal data pages remained highly intact.

Technical Analysis

Forensic analysis of the .restorebackup encryption behavior revealed:

• Targeted Corruption: The ransomware primarily focused on the file headers and structural pointers, leaving large segments of the data payload recoverable.
• Structural Integrity: The internal  vbk  was identified as stable during sector-level scanning.
• Recovery Potential: VBK Recovery Tool, our team determined that the database blocks could be manually rebuilt to bypass the encryption layer.

Recovery Solution

The recovery strategy utilized a block-rebuilding extraction method. Since the .makop virus corrupted the file system’s ability to read the database, our engineers worked directly with the raw data blocks. By reconstructing the encrypted segments and repairing the internal database pointers, we were able to extract the relational data into a fresh, clean environment.

Recovery Process

• Forensic Integrity Scan: Deep analysis of the 4.5TB to map the distribution of .makop encryption.
• Encrypted Block Reconstruction: Manual repair and rebuilding of the corrupted database sectors and file headers.
• Advanced Data Extraction: Using specialized tools to pull vbk,
• Schema Validation: Mounting the recovered data into a new SQL 2017 instance to verify relational consistency.
• ERP Functionality Test: Final confirmation that the restored vm is fully compatible and ready for production use.

Recovery Results

• Recovery Integrity: Near 100%
• Recovered Files: VM Primary Data Files
• System Status: Fully restored; ERP system returned to normal operation.
• Total Recovery Time: 8 Hours

Expert Reminder from Shenzhen Excellent Data Recovery Center: Regular, immutable backups are essential for business continuity. If your server is hit by the .makop virus, contact professionals immediately. We provide a 100% original VM recovery guarantee for specific failures, and we can handle databases of any size immediately.