RAID Data Recovery from Ransomware


Ransomware gangs like LockBit and Royal have been targeting hospitals and labs at record rates. One of their latest victims was a leading healthcare services company in India.

Situation Overview

In the company’s corporate office, an IT administrator overseeing a Linux-based RAID server was confronted with a crisis. The system’s main data volume, which spanned five 8 TB hard drives, suddenly became inaccessible.

The cause was a ransomware attack that encrypted most of the data files, appending the “.royal” extension used by the Royal ransomware group, a notorious and globally active operation.

Upon further inspection, the IT admin found that more than 16 TB of active files had been encrypted. Worse still, attempts to restore from local backups showed that the damage was total: the ransomware had not only encrypted active files but also deleted the backup files and emptied the system’s Recycle Bin.

Almost 13 TB of backup data was missing, in addition to the 16 TB of encrypted data.

System Overview

The affected setup was a Linux server using the BTRFS file system. Data was spread across five 8 TB hard drives in a RAID 5 configuration.

Notes

  1. BTRFS is a modern Linux file system known for advanced features such as snapshots and checksums. Its RAID 5 profile, however, is still flagged as experimental by the btrfs developers (it is exposed to the classic RAID 5 write hole on power loss) and is far less forgiving than a classic hardware RAID controller.
     
  2. RAID 5 stripes data and parity across all drives. In this case, a non-standard parity distribution (called "backward dynamic parity") made the array even more complex. The layout protects against a single drive failure, but it backfires if the drive order or configuration is changed during troubleshooting. Because btrfs RAID is software RAID built into the file system, the array geometry lives in btrfs’s own metadata (the superblocks and the chunk tree), which is exactly what DIY repair tools tend to overwrite.
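To make Note 2 concrete, here is an added example (not code from the case study or from Stellar) that models a five-disk RAID 5 with a "backward dynamic" layout. The example takes that term to mean parity starting on the last disk and moving one disk to the left each stripe, with data units continuing from the disk after the parity unit (left-symmetric in Linux md terms; that mapping is an assumption). It writes a constructed sample record across the disks, rebuilds it with one member missing, and shows that reading the same images in reversed drive order, or with a sixth member inserted, no longer yields the data. The 4-byte stripe unit and the sample record are constructed for illustration, and the code demonstrates the general RAID 5 rotation rather than btrfs’s own chunk-based on-disk layout.

```python
from functools import reduce
from operator import xor
from typing import List, Optional, Sequence

# Example parameters (not from the case study): a 4-byte stripe unit so a whole
# array fits in a few dozen bytes. Real arrays use 64 KiB or larger units.
UNIT = 4


def parity_disk(stripe: int, n: int) -> int:
    """'Backward' rotation: stripe 0 puts parity on the last disk, and each
    following stripe moves it one disk to the left, wrapping around."""
    return (n - 1 - stripe) % n


def data_disk(stripe: int, chunk: int, n: int) -> int:
    """'Dynamic' placement: data units start on the disk right after the parity
    unit and wrap (left-symmetric in Linux md terms, an assumption here)."""
    return (parity_disk(stripe, n) + 1 + chunk) % n


def xor_units(units: Sequence[bytes]) -> bytes:
    return bytes(reduce(xor, column) for column in zip(*units))


def build_array(data: bytes, n: int) -> List[bytearray]:
    """Stripe `data` over `n` disks with one parity unit per stripe (RAID 5)."""
    per_stripe = n - 1
    units = [data[i:i + UNIT].ljust(UNIT, b"\0") for i in range(0, len(data), UNIT)]
    nstripes = -(-len(units) // per_stripe)              # ceiling division
    units += [b"\0" * UNIT] * (nstripes * per_stripe - len(units))
    disks = [bytearray(nstripes * UNIT) for _ in range(n)]
    for s in range(nstripes):
        chunks = units[s * per_stripe:(s + 1) * per_stripe]
        lo, hi = s * UNIT, (s + 1) * UNIT
        for c, chunk in enumerate(chunks):
            disks[data_disk(s, c, n)][lo:hi] = chunk
        disks[parity_disk(s, n)][lo:hi] = xor_units(chunks)
    return disks


def read_array(disks: Sequence[Optional[bytes]], n: int) -> bytes:
    """Reassemble the logical volume from member images in the given order.
    One None entry (a failed or absent member) is rebuilt from parity."""
    if len(disks) != n:
        raise ValueError(f"layout expects {n} members, got {len(disks)}")
    if sum(d is None for d in disks) > 1:
        raise ValueError("RAID 5 can rebuild at most one missing member")
    size = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(size // UNIT):
        lo, hi = s * UNIT, (s + 1) * UNIT
        present = [d[lo:hi] for d in disks if d is not None]
        for c in range(n - 1):
            d = disks[data_disk(s, c, n)]
            # XOR of every surviving unit in the stripe (data and parity)
            # regenerates the single missing unit
            out += d[lo:hi] if d is not None else xor_units(present)
    return bytes(out)


SAMPLE = b"LAB-RESULT:patient-0001:HbA1c=6.2%;glucose=110 mg/dL;flag=ok"  # constructed


def demo() -> None:
    n = 5
    disks = build_array(SAMPLE, n)
    degraded = disks[:2] + [None] + disks[3:]             # member 2 lost
    print("degraded read :", read_array(degraded, n)[:len(SAMPLE)] == SAMPLE)
    print("reversed order:", read_array(disks[::-1], n)[:len(SAMPLE)] == SAMPLE)


if __name__ == "__main__":
    demo()
```

The degraded read succeeds because parity regenerates the one missing unit; the reversed read fails because the reader now treats parity units as data. Passing six members to a layout declared for five is rejected outright, which is the right behaviour for a recovery tool: the geometry must be established from the file system’s metadata before anything is read, never guessed by adding drives.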

Client’s Reaction to the Ransomware Attack

The IT team, trying to fix the issue themselves, made three attempts before contacting Stellar Data Recovery: two RAID rebuilds and an operating system reinstall.

  • In the first attempt, they added an extra 8 TB drive to the array, hoping it would restore access. Instead it disrupted the original parity structure and left the array geometry inconsistent with what the file system expected.
  • In the second attempt, they ran repair tools that overwrote important RAID metadata and reversed the drive order. This is a very common pitfall with BTRFS arrays: once the block group (chunk) information is damaged, data can quickly become unrecoverable.
  • As panic set in, the operating system was reinstalled over one of the storage drives. During installation some storage partitions were formatted, wiping snapshots and BTRFS superblocks (the file system’s core metadata).

At this stage, with in-house efforts exhausted and all vital data at risk, the healthcare services provider’s IT team reached out to Stellar for professional ransomware data recovery service.

Stellar’s Recovery Approach

Unfortunately, as this case shows, DIY repair attempts on a failed RAID can do more harm than good. We recommend that IT admins contact a RAID data recovery service as soon as they suspect data loss and, above all, stop writing to the affected drives.

Because of the accumulated damage to the system, our strategy had to be methodical and precise.

1. Disk Imaging

The very first step was to protect what remained. We used our specialized hardware imagers to create 1:1, sector-by-sector clones of all five original 8 TB HDDs, along with the sixth drive the client had added. This preserved the original state of the platters and allowed us to work on the clones without risking further damage.

2. RAID Reconstruction

This was the core of the technical challenge. The client's actions had destroyed the RAID metadata, but BTRFS keeps several copies of its superblock at fixed offsets on every member device (64 KiB, 64 MiB, 256 GiB and 1 PiB from the start of the device), so the copies that had not been overwritten were still available.

We used proprietary software to extract these surviving metadata copies.

After meticulous analysis, we manually reconstructed the "backward-dynamic" RAID 5 array's original striping, parity rotation and drive order, excluding the incorrectly added sixth drive.
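As an added example for the reconstruction step above (not Stellar’s proprietary tooling, and not code from the page), the following Python scans disk images for the btrfs superblock copies at their fixed offsets, validates each copy (magic, CRC-32C checksum, and that its stored bytenr matches the offset it was read from), and then uses the fsid, devid and generation fields to recover which images belong to the file system and in which member order. The six images are constructed in memory: five members with shuffled names, one of which (sdc) has its primary superblock wiped so only the 64 MiB mirror survives, and a sixth drive that this example assumes was formatted as a separate file system, so it carries a foreign fsid. Field offsets follow struct btrfs_super_block; names such as scan_image and drive_order are the example’s own.

```python
import io
import struct
import uuid
from dataclasses import dataclass
from typing import BinaryIO, Dict, List, Optional, Tuple

BTRFS_MAGIC = b"_BHRfS_M"
SUPER_SIZE = 4096
# Copies live at fixed offsets on every member: 64 KiB (primary), then 64 MiB,
# 256 GiB and 1 PiB when the device is large enough to hold them.
SUPER_OFFSETS = (64 << 10, 64 << 20, 256 << 30, 1 << 50)


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli, reflected poly 0x82F63B78): btrfs csum_type 0."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


@dataclass
class SuperInfo:
    in_place: bool   # bytenr field equals the offset it was read from
    csum_ok: bool
    fsid: str
    devid: int       # this member's slot in the file system
    num_devices: int
    generation: int  # transaction id: higher is newer


def parse_super(buf: bytes, offset: int) -> Optional[SuperInfo]:
    """Decode the struct btrfs_super_block fields that identify a member."""
    if len(buf) < SUPER_SIZE or buf[0x40:0x48] != BTRFS_MAGIC:
        return None
    stored_csum = struct.unpack_from("<I", buf, 0x00)[0]
    bytenr, _flags, _magic, generation = struct.unpack_from("<4Q", buf, 0x30)
    num_devices = struct.unpack_from("<Q", buf, 0x88)[0]
    csum_type = struct.unpack_from("<H", buf, 0xC4)[0]
    devid = struct.unpack_from("<Q", buf, 0xC9)[0]      # btrfs_dev_item.devid
    # The checksum covers everything after the 32-byte csum field; only the
    # crc32c type is verified here, other csum types are reported as bad.
    csum_ok = csum_type == 0 and stored_csum == crc32c(buf[0x20:SUPER_SIZE])
    fsid = str(uuid.UUID(bytes=buf[0x20:0x30]))
    return SuperInfo(bytenr == offset, csum_ok, fsid, devid, num_devices, generation)


def scan_image(img: BinaryIO) -> List[SuperInfo]:
    """Try every mirror offset that fits in the image; keep intact, in-place copies."""
    size = img.seek(0, io.SEEK_END)
    found = []
    for off in SUPER_OFFSETS:
        if off + SUPER_SIZE > size:
            break
        img.seek(off)
        info = parse_super(img.read(SUPER_SIZE), off)
        if info and info.csum_ok and info.in_place:
            found.append(info)
    return found


def drive_order(images: Dict[str, BinaryIO]) -> Tuple[List[Tuple[int, str]], List[str]]:
    """Newest valid superblock per image, grouped by fsid. Returns the largest
    group sorted by devid (the original member order) and the rejected images."""
    best: Dict[str, SuperInfo] = {}
    for name, img in images.items():
        copies = scan_image(img)
        if copies:
            best[name] = max(copies, key=lambda s: s.generation)
    by_fsid: Dict[str, List[str]] = {}
    for name, info in best.items():
        by_fsid.setdefault(info.fsid, []).append(name)
    if not by_fsid:
        return [], list(images)
    main = max(by_fsid.values(), key=len)
    return sorted((best[n].devid, n) for n in main), [n for n in images if n not in main]


def make_super(fsid: bytes, devid: int, ndev: int, gen: int, bytenr: int) -> bytes:
    """Constructed superblock carrying only the fields the scanner reads."""
    buf = bytearray(SUPER_SIZE)
    buf[0x20:0x30] = fsid
    buf[0x40:0x48] = BTRFS_MAGIC
    struct.pack_into("<Q", buf, 0x30, bytenr)
    struct.pack_into("<Q", buf, 0x48, gen)
    struct.pack_into("<Q", buf, 0x88, ndev)
    struct.pack_into("<Q", buf, 0xC9, devid)          # csum_type at 0xC4 stays 0
    struct.pack_into("<I", buf, 0x00, crc32c(bytes(buf[0x20:])))
    return bytes(buf)


def build_demo_images() -> Dict[str, BinaryIO]:
    """Constructed images: five members in shuffled order (sdc's primary copy
    wiped, only its 64 MiB mirror left) plus a stray drive with a foreign fsid."""
    fs = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes
    stray = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes
    images: Dict[str, BinaryIO] = {}
    for name, devid, off, fsid, ndev in (("sdd", 4, SUPER_OFFSETS[0], fs, 5),
                                         ("sda", 1, SUPER_OFFSETS[0], fs, 5),
                                         ("sde", 5, SUPER_OFFSETS[0], fs, 5),
                                         ("sdb", 2, SUPER_OFFSETS[0], fs, 5),
                                         ("sdc", 3, SUPER_OFFSETS[1], fs, 5),
                                         ("sdf", 1, SUPER_OFFSETS[0], stray, 1)):
        img = io.BytesIO()
        img.seek(off)                                   # BytesIO zero-fills the gap
        img.write(make_super(fsid, devid, ndev, 9001, off))
        images[name] = img
    return images


if __name__ == "__main__":
    members, rejected = drive_order(build_demo_images())
    print("member order by devid:", members, "| rejected:", rejected)
```

On real clones, pass `open(path, "rb")` handles instead of the BytesIO objects; the scanner only reads at the four mirror offsets, so it is fast even on 8 TB images. If the sixth drive had instead been attached with `btrfs device add`, it would share the fsid and show up as devid 6 with num_devices raised to 6, and the same fields would make that visible; the point of the example is that membership and order come from the file system’s own metadata, not from the order the drives happen to be cabled or imaged in.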

3. Undelete and Decryption

With the array virtually rebuilt, two problems remained: encrypted files and deleted files. We deployed advanced file-carving tools to recover the backup files the ransomware had deleted from the Recycle Bin.

In parallel, we identified the specific strain and, using known decryption methods for that variant, decrypted the 16.1 TB of encrypted data. The decrypted user data and databases were then located and verified.

Outcome

  • Total Data Recovered: 29.1 TB (100% of at-risk data)
  • File Types Restored: MySQL databases, user backups, critical logs, application data
  • Impact: All lab operations resumed without further loss or compliance risk

This case highlights how disciplined imaging, a methodical RAID data recovery approach and deep expertise in BTRFS RAID 5 can turn a catastrophic ransomware event into a complete restoration.
