
Hello all,

This is a weird situation. A couple months ago, we had a production system issue and we used Veeam’s instant recovery to bring a database server back online. Being a small IT shop, once the server was up and available we transitioned to user support and long story short, we never finalized the restore and moved to production. Fast forward a couple of months and we were hit by a ransomware attack and all of our VM files (.vmdk, .vmx etc) have been encrypted. We were able to find a snapshot of our storage that seems to be intact from a few days before the attack, but the actual files in that snapshot for this particular server do not boot, which is what it did to trigger the instant recovery months ago.

My question is, where would this VM have been running? Is there a hope of it also being on the snapshot somewhere? We do not have a well-versed Veeam person on staff; our entire IT department has been here a maximum of 4 years and none of us were involved in the deployment of this system. We also currently do not have any of our account information to log in and open a support case.

Hello @Rj300 

Instant Recovery runs from the backup file itself on the backup storage and is mounted to an empty VM created by the Instant Recovery job.


If all of your VMware files are encrypted on storage and assuming the Veeam server is on there too, unless you have an offsite backup somewhere in the cloud it is going to be very hard to recover. The Veeam server needs to boot from the VMDK, VMX files, etc. but you indicated they are encrypted.

If you can revert the snapshot to a point in time where they did not get encrypted, then you should be able to boot your Veeam server and then do another instant VM recovery.

Otherwise, you will need to spin up a new Veeam server and import the backups from the Cloud if you have any offsite.

Best of luck and we are here to help as we can.


The instant recovered VM should be backed up normally. So you can just restore it from the available backups on your VBR server - if this is available after the ransomware attack.

The files of the VM in your storage snapshot are probably the ones from the time before you did the instant recovery and are not usable.

