Recovering a Microsoft SQL Server (MDF) database after a ransomware attack is one of the most stressful tasks for any IT administrator. When ransomware encrypts your files (often adding extensions like .locked, .crypt, or .encrypted), the SQL engine can no longer mount the database, leaving your business data inaccessible.
If you don’t have a clean, offline backup, your only hope is to repair the underlying data structure. Here is a technical guide on how to approach SQL recovery in an emergency.
Phase 1: Secure the Environment
Before attempting any recovery, you must isolate the infected machine:
- Disconnect from the network to prevent further spread.
- Copy the affected .mdf and .ldf files to a clean, external drive. Never work directly on the original encrypted files.
- Check for Shadow Copies: Sometimes ransomware fails to delete Volume Shadow Copies. Try using tools like ShadowExplorer to see if an older version of the MDF file exists.
Phase 2: Technical Recovery Methods
Method 1: Using DBCC CHECKDB (If the file is partially readable)
If you managed to decrypt the file or have a slightly corrupted version, try to repair it via SQL Server Management Studio (SSMS):
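```sql
-- Set the database to emergency mode
ALTER DATABASE [YourDB] SET EMERGENCY;
GO
-- Set to single user mode, rolling back any open connections
ALTER DATABASE [YourDB] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO
-- Attempt repair with data loss (Last resort)
DBCC CHECKDB ([YourDB], REPAIR_ALLOW_DATA_LOSS) WITH NO_INFOMSGS, ALL_ERRORMSGS;
GO
-- Return the database to normal multi-user access after the repair
ALTER DATABASE [YourDB] SET MULTI_USER;
GO
```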
Method 2: Professional SQL Repair Software
If the SQL engine refuses to even attach the MDF file (Error 823 or 824), standard scripts won’t work. You will need a specialized tool that can scan the raw hex data of the MDF file to reconstruct tables and stored procedures.
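Before choosing between the two methods, a read-only triage of the copied .mdf shows how much of it is still readable. The script below is an added example, not part of the original guide: the 7.5 bits/byte entropy threshold and the header offsets (version byte at offset 0, page id at offset 32) are assumptions, and the sample pages are constructed.

```python
import hashlib, io, math, struct
from collections import Counter

PAGE_SIZE = 8192      # SQL Server stores data files as 8 KB pages
ENTROPY_LIMIT = 7.5   # bits per byte; assumed cut-off for "looks like ciphertext"

def entropy(buf):
    """Shannon entropy of buf in bits per byte (0.0 to 8.0)."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def classify_page(index, page):
    if len(page) < PAGE_SIZE:
        return "truncated"
    if page.count(0) == PAGE_SIZE:
        return "empty"
    if entropy(page) >= ENTROPY_LIMIT:
        return "high-entropy"          # likely encrypted (or compressed data)
    # Assumed header layout: version byte 1 at offset 0, page id (uint32 LE) at offset 32.
    (page_id,) = struct.unpack_from("<I", page, 32)
    return "intact" if page[0] == 1 and page_id == index else "damaged"

def triage(stream):
    """Return (Counter of verdicts, list of (first_page, last_page, verdict) runs)."""
    counts, runs, index = Counter(), [], 0
    while page := stream.read(PAGE_SIZE):
        verdict = classify_page(index, page)
        counts[verdict] += 1
        if runs and runs[-1][2] == verdict:
            runs[-1] = (runs[-1][0], index, verdict)   # extend the current run
        else:
            runs.append((index, index, verdict))
        index += 1
    return counts, runs

def build_sample():
    """Constructed sample: 3 ciphertext-like pages, 4 plausible pages, 1 empty page."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    pages = [noise] * 3
    for index in range(3, 7):
        page = bytearray(PAGE_SIZE)
        page[0] = 1                                    # header version
        struct.pack_into("<I", page, 32, index)        # page id matches file position
        page[96:96 + 2600] = b"customer row " * 200    # low-entropy row data
        pages.append(bytes(page))
    return io.BytesIO(b"".join(pages) + bytes(PAGE_SIZE))

if __name__ == "__main__":
    counts, runs = triage(build_sample())   # real use: triage(open(copy_path, "rb"))
    for start, end, verdict in runs:
        print(f"pages {start}-{end}: {verdict}")
    print(dict(counts))
```

Run it only against the copy made in Phase 1. Pages that hold compressed or encrypted column data can read as high-entropy even when undamaged, so treat the result as a guide to which method to try, not as proof.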
Recommended Security Tools
To recover your data and prevent future attacks, we recommend these industry-standard solutions:
- Backup Protection: Veeam Backup & Replication – Essential for creating immutable backups that ransomware cannot encrypt.
- Proactive Security: Bitdefender GravityZone – Top-rated EDR (Endpoint Detection and Response) to stop ransomware before it starts encrypting files.
- Hardware Firewall: SonicWall TZ series – Protect your SQL server from external brute-force attacks on Port 1433.
- Reliable Storage: Synology NAS with Snapshot Replication – Provides a physical layer of protection for your database backups.
Expert Tip: Prevention is Key
Ransomware often enters SQL servers through open RDP (Remote Desktop) ports or weak SA (System Administrator) passwords. Always ensure your SQL service is running under a "Least Privilege" account. If you are currently under attack, do not restart the SQL service immediately, as some ransomware only finishes encryption upon reboot.
