(The Curious Case of… used to be part of our bi-weekly newsletter but we decided to make it a regular blog post instead so it can sometimes be more frequent. It covers something interesting one of us encountered when working with a client, doing some testing, or was asked in a random question from the community.)
Several times a year, and most recently a couple of weeks ago, we are contacted by an unfortunate company that’s been the victim of a ransomware attack. In each case, they either negotiated and were given some decrypted database files, or went through a third-party specialist that decrypted some databases. Invariably, the encryption/decryption process did not preserve the database files as they were before the attack, and SQL Server won’t recognize them.
There are a variety of errors I’ve seen, including:
Msg 824, Level 24, State 6, Line 1
SQL Server detected a logical consistency-based I/O error: incorrect checksum. It occurred during a read of page (1:0) in databases. This is a severe error condition that threatens database integrity and must be corrected immediately.
(which is a corrupt file header page)
Msg 5028, Level 16, State 5, Line 1
The system could not activate enough of the database to rebuild the log.
(when trying to use emergency mode repair to build a new log)
One thought on “The Curious Case of… recovering from a ransomware attack”
Paul, I completely agree. In my consulting days it was 100% loss of data when it came to SQL Server. Always make sure you have backups, and that you test them regularly. A wise man once taught me that…