Recoveo

Veeam: “All instances of the storage metadata are corrupted” – What to do about this critical error?

fchassignol — Thu, 24 Apr 2025 09:38:40 +0000

Veeam Backup & Replication has gradually established itself as one of the most popular solutions for many companies, ensuring the backup and recovery of their virtual, physical and cloud environments.

Unfortunately, even the most robust systems can fail…

One of the most critical error messages that Veeam users sometimes encounter is: “All instances of the storage metadata are corrupted”.

How should this error be interpreted, and why is it so serious?

Veeam storage metadata works roughly like a backup GPS. Without it, Veeam is at a total loss, unable to locate or correctly assemble backed-up data.

What makes this error particularly alarming is that Veeam normally creates two copies of this metadata precisely to avoid this type of situation.

When the message reads “All instances are corrupted”, this means that both copies are unusable. It‘ s as if your Plan A and Plan B had failed simultaneously.

The help of a specialist to quickly solve this Veeam backup problem will be of great assistance.

What are the potential causes of this metadata corruption?

There are several possible causes of this error…

Problems with backup storage are a common cause. This can include hardware malfunctions (faulty hard disks, failed RAID controllers), storage firmware problems, or communication concerns, particularly when using network shares via SMB on low-end NAS devices which may not handle synchronization commands (FLUSH) correctly.

Unexpected interruptions during the backup process, such as a reboot of the Veeam server, can also corrupt backup files.

In more recent cases, problems linked to specific Veeam versions or interactions with file systems such as ReFS approaching their maximum capacity have been reported.

Finally, a ransomware infection targeting backup files can also cause damage to metadata, which is usually particularly targeted in an attack… Many medium-sized companies find themselves faced with the same error after an attack that has encrypted their VBK files.

Our emergency hotline is available 24/7/365 to help you in such situations.

Contact our experts

Facing the emergency: the first steps to take

If you see this error during a restoration attempt, don’t panic. Your first action should be totry a different restore point. It’s not uncommon for only part of a backup to be affected.

If the error appears during a backup job, here are our recommendations, based on real-life situations:

Immediately create a new backup chain. This is the official Veeam solution, and usually works well to isolate the problem.
Examine your storage. Run a CHKDSK (Windows) or fsck (Linux) to identify any underlying problems. This simple diagnostic may reveal faulty sectors on a non-suspicious disk.
Dive into the event logs. They often contain valuable clues to what’s really going on. Thorough troubleshooting can reveal repeated I/O errors occurring before each metadata corruption.
Test your storage by manually copying large files. This can help reproduce and identify the problem. This technique can sometimes confirm that a faulty RAID controller is the real culprit.

Don’t overlook Veeam’s built-in tools, such as SureBackup or Veeam.Backup.Validator.exe. They’re there for a reason. A full scan can reveal problems before they become critical.

When all seems lost: last resort solutions

In the most serious situations, especially after a ransomware attack, special measures are called for. Recoveo has developed specialized techniques for recovering data from corrupted Veeam backups.

Our experts successfully extract entire virtual machines and critical databases from VBK files that Veeam itself considered unrecoverable. These interventions can make the difference between a rapid recovery and a prolonged disaster.

Constant technological innovation

Since 2019, we’ve been developing powerful tools to optimize Veeam backup recovery. Our first tool, Backup Recovery, enabled us to restore the integrity of VBK files and make them usable.

In 2023, we developed Backup Extractor, a more advanced solution designed to respond to new threats and the complexity of ransomware attacks. This tool is now capable of in-depth analysis of the structure of backup files, reconstructing tree structures and restarting virtual machines under Microsoft Hyper-V and VMware ESXi, for example.

An approach adapted to new challenges

With ransomware on the rise, we need to keep innovating. That’s why our experts work relentlessly to improve our tools and guarantee effective, rapid data recovery. We cover a wide range of Veeam versions, from 6.5 to 12.1.1, enabling us to intervene on a variety of infrastructures. What’s more, our Diagview tool provides post-recovery integrity checks, offering total transparency on restored files.

In-lab or remote intervention

We offer two types of recovery: in-lab and remote.

Laboratory intervention is ideal for the most complex cases, particularly where data has been permanently deleted.

Remote recovery, on the other hand, enables rapid, efficient intervention without immobilizing infrastructure, thus reducing logistical costs and ensuring continuity of service. Our high-speed connection and use of secure protocols such as SFTP guarantee data protection and integrity during transfers.

Thanks to our expertise and commitment to innovation, we offer a reliable, high-performance solution for Veeam backup recovery, enabling businesses to overcome cyber-attacks and recover all their data safely.

Contact our experts

Prevention rather than cure: proactive strategies before disaster strikes

The best way to deal with such an error is, of course, never to encounter it… Here are the practices we systematically recommend:

The 3-2-1 rule is non-negotiable. Three copies of your data, on two different media, including one off-site. This strategy has literally saved many companies.

Invest in quality storage. A professional server or a properly configured SAN system will considerably reduce your risks. The difference in reliability is remarkable and justifies the investment.

Schedule regular integrity checks. Corruption detected early can often be isolated before contaminating other backups. Preventive audits can identify incipient problems that could turn catastrophic a few weeks later.

Maintain active monitoring of your backup infrastructure. Warning signs such as slowdowns or minor errors can herald more serious problems to come.

A realistic approach to the inevitable

Years of experience with Veeam and the resolution of these critical situations show that a proactive approach, combined with a well-defined reaction plan, makes all the difference.

The “All instances of the storage metadata are corrupted” error may be alarming, but it’s not a death sentence for your data. With the right knowledge and resources, this potential crisis can be turned into a setback. We are at your disposal to help you solve this type of problem, so don’t hesitate to get in touch.

FAQ

What are the potential causes of Veeam metadata corruption?

There are several possible causes of this error. Problems with backup storage are a common cause. This can include hardware malfunctions (faulty hard disks, failed RAID controllers), storage firmware problems, or communication concerns, particularly when using network shares via SMB on low-end NAS devices which may not handle synchronization commands (FLUSH) correctly. Unexpected interruptions during the backup process, such as a reboot of the Veeam server, can also corrupt backup files. In more recent cases, problems with specific Veeam versions or interactions with file systems such as ReFS approaching their maximum capacity have been reported. A ransomware infection targeting backup files can also cause metadata damage.

If a full backup succeeds but displays the same metadata error on a restore attempt, what does this mean?

This suggests that even if the initial full backup was written without any apparent data-level errors, the metadata recorded at that time was already corrupt or subsequently became corrupt. This may indicate an underlying problem with the backed-up system itself, or an intermittent problem with the destination storage that affects the integrity of the written metadata.

What to do if you encounter this error with Veeam Agent for Linux?

The first step suggested by the Veeam teams is often to try a more recent BETA version of the software, as patches may have been made. If the problem persists, it is advisable to provide detailed information on the configuration of the affected machine (disk configuration with lsblk -af, output of dmesg -T, presence of RAID, backup mode, backup target and Veeam logs located in /var/log/veeam). Testing a different backup target (local USB disk, NFS share instead of CIFS) can help determine whether the problem is related to the destination storage. If other machines with a similar configuration back up to the same target without any problems, the problem is more likely to be specific to the affected machine.

What should I do if I encounter this error with Veeam Agent for Windows?

Similar to the Linux version, it is advisable to open a support ticket for in-depth log analysis, especially with the free version where direct support is limited. However, the cause is often storage corruption. Even if USB hard drives are replaced, the problem may lie in the NAS to which they are connected via SMB. The use of SMB to a low-end NAS has been identified as a frequent source of storage corruption. The main recommendation is to perform new backups, preferably to new, reliable backup storage.

Are there any tools for repairing corrupted Veeam backup files, particularly in the event of a ransomware attack?

Officially, Veeam does not provide standard tools for manually repairing the header or metadata of corrupt VBK or VIB files. In the event of corruption due to ransomware, it is advisable to contact Veeam support, although there is no guarantee of recovery. Third-party companies specializing in data recovery from ransomware attacks, such as Recoveo, may offer specific tools and techniques for attempting to extract data from corrupted or encrypted Veeam files. They point out that recovery attempts with generic software can often result in corrupted files.

How does Veeam use metadata, and why is its corruption such a problem?

Veeam uses metadata files (such as VBM files associated with VBK and VIB files) to keep track of information on restore points, backup configuration, backed-up objects and the location of data blocks in backup files. For redundancy, two identical instances of storage metadata are usually included in backup files and are never updated simultaneously. This approach is designed to ensure that at least one copy remains valid in the event of a crash or corruption during updating. Corruption of both instances makes it extremely difficult to understand the structure and content of the backup files, preventing normal restore operations.

What are the best practices for avoiding corruption of Veeam backup metadata?

Several measures can reduce the risk of corruption. Using reliable, high-performance backup storage capable of correctly handling write operations and synchronization commands is essential. Avoiding sudden interruptions to backup processes is crucial, which means ensuring a stable power supply for backup servers and storage. It’s also advisable to follow the 3-2-1 rule for backup: have at least three copies of your data, on at least two different media, including one off-site copy. Regularly test restores using features such as SureBackup to verify the integrity of backups and metadata. If you use NAS, make sure they are correctly configured and kept up to date.

L’article Veeam: “All instances of the storage metadata are corrupted” – What to do about this critical error? est apparu en premier sur Recoveo.

Data recovery after ransomware attack on Synology NAS: Retex

fchassignol — Wed, 23 Apr 2025 12:39:26 +0000

The worst is not always certain… but how do you react when the last ramparts give way, and ransomware has destroyed all your backup files?

The ransomware threat is regularly breaking new ground: groups are no longer content with encrypting data, but are also methodically attacking backup devices – the ultimate protection against a complete IT system paralysis.

This article is the story of an advanced technical intervention, which takes us behind the scenes of a digital rescue usually considered complex to achieve…

Or how our team was able to recover all the data of an architecture firm, after a ransomware attack that had meticulously destroyed any fallback solution?

This case study documents the complete recovery process that enabled us to restore 580 GB of business data (411,000 files in 79,417 folders) from media considered irretrievably compromised.

Compromised infrastructure: the impact of a targeted attack on a professional storage system

A Colombian architecture firm recently contacted us following a cyber attack of uncommon intensity… Unlike more conventional attacks where data is simply encrypted, the attackers had opted for a particularly destructive strategy:

Complete reset of RAID disks
Formatting of the external USB backup disk (USB COPY)
Deliberate compromise of Hyper Backup file integrity.

This aggressive approach was aimed ateliminating any possibility of recovery without ransom payment, illustrating a worrying trend where cybercriminals are now deliberately targeting data protection mechanisms, with complete control over the computer system.

Insufficient standard solutions

Before calling on our services, our customer had already gone through a whole series of conventional solutions.

Attempts with consumer software such as PhotoRec had yielded only partial and unusable results.

Escalation to Synology technical support, all the way to the top of the organization, had ended in an admission of powerlessness in the face of the severity of the damage. Even consultation with several local IT specialists failed to resolve the situation.

Despite this major mobilization of resources and skills, no viable solution emerged.

This was a particularly complex case, which went beyond standard recovery procedures, and required specialist skills in post-cyber-attack data recovery.

In-depth technical analysis

Our team received two items for analysis:

An image of the 1 TB external disk containing the Hyper Backup backups
One of the 4TB RAID1 disks formatted in BTRFS.

Initial examination revealed several major technical challenges:

Challenges related to the BTRFS file system

The BTRFS system, although robust and high-performance, has an architecture that makes it considerably more difficult to recover data in the event of corruption. Its structure, which separates metadata (file names, tree structure, attributes) from the data itself, can lead to a situation where files are recoverable, but without their organization or identifiers.

The complexity of the Hyper Backup format

Hyper Backup’s proprietary format, with its .bucket, .index, .bkpi and .hbk files, represents an additional layer of complexity. The backup also used advanced features such as compression, making access to data even trickier in the event of corruption.

Dual recovery methodology

To deal with this situation, our team adopted a two-stage approach:

1. Extraction from the RAID disk

Our first analysis focused on the 4TB disk configured in RAID1 with a BTRFS file system. We were able to extract files, which was good news in itself. However, we quickly identified a major limitation: file names and directory structure were lost.

This is typical of BTRFS recoveries after major corruption. This modern file system uses a fundamentally different approach to traditional systems, separating metadata (names, paths, dates, etc.) from the data itself. When metadata is corrupted, it is often possible to recover the raw data, but without its essential attributes.

Although technically successful, this approach would have required considerable time to reorganize and identify the files. For an architect needing rapid access to specific projects, this solution was not optimal.

2. Rebuilding Hyper Backups

Our second approach focused on the external backup disk. Analysis revealed around 580 GB of data in the form of proprietary Hyper Backup, .bucket and .index files.

.bucket .index files

.bkpi and .hbk files

But the official Synology Hyper Backup Explorer utility encountered recurring error messages such as “The data stored in the backup destination is corrupted.”

Data stored in backup destination is corrupted

or “File/folder partially copied or restored”.

File/folder partially copied or restored

This tool only managed to recover around 75 GB of data (i.e. 15% of the total) before encountering blocking errors.

Development of proprietary solutions

To get around this type of impasse, our engineering team implemented a solution developed in-house: our Synology Backup Extractor tool. This proprietary tool has been specially designed to deal with situations where official tools fail due to partial corruption of Hyper Backup backups.

Synology Backup Extractor by Recoveo

Technical analysis of the situation revealed several specific challenges:

Compression enabled: the backup used compression, a feature that optimizes disk space but significantly complicates recovery in the event of corruption.
Corrupted .bucket and .index files: these files form the architecture of the Hyper Backup, and their corruption compromises access to the underlying data.
Partial access with Hyper Backup Explorer: the official tool managed to recover around 75 GB of the 500 GB present, but regularly stopped with errors, displaying the message “Partially copied the file/folder”.

Our approach was to reconstruct the file and folder address mappings to bypass the corrupted metadata sections. This highly technical method required an in-depth understanding of the internal structure of Hyper Backup’s backup format, the fruit of our expertise in recovering data from NAS environments and more specifically from a Synology NAS.

The results

The intervention achieved particularly satisfactory results:

Recovery of all 580 GB of business data
Restoration of 411,000 files organized in over 79,000 folders
Complete hierarchical structure preserved
Preservation of original file names and attributes

For this architectural firm, the difference was vital: access to all their professional projects (plans, 3D renderings, contractual documentation) represented the safeguarding of several years’ work, as well as the continuity of their business.

Lessons learned and strategic recommendations

This intervention has enabled us to formulate several essential recommendations for the protection of professional data:

Advanced protection of backup devices

Cybercriminals now consider backup systems to be priority targets. It is therefore essential to take the following measures:

physically disconnected backups (air gap)
Read-only media
Reinforced authentication for access to backup systems
Scheduled back-up integrity checks

Application of the 3-2-1 strategy

This situation perfectly illustrates the relevance of the 3-2-1 rule:

3 independent copies of your data
On 2 different types of media
Including 1 copy stored off-site

In our customer’s case, the external backup was connected to the main system, making it vulnerable to the same attack – a common configuration that can be exploited by hackers.

The importance of specialized solutions

This intervention demonstrates the need for highly specialized recovery tools in the face of modern attacks. Consumer software and even manufacturers’ official tools show their limitations in complex situations involving :

Advanced file systems (BTRFS, ZFS, ReFS)
proprietary backup formats
Intentional corruption by malware

Critical expertise in the face of evolving threats

The growing sophistication of cyber-attacks, now specifically targeting backup mechanisms, makes an expert approach to data recovery essential.

This ransomware data recovery case demonstrates that even in situations that conventional tools consider irrecoverable, solutions exist thanks to advanced technologies and specialized data recovery expertise.

For businesses and professionals using Synology NAS or other advanced storage solutions, this feedback underlines the importance not only of a robust data protection strategy, but also of having identified partners with the technical capabilities to intervene in the event of a major disaster.

Need help with your Synology NAS?

If you encounter a similar situation with a compromised Synology NAS or corrupted backups, our team of ransomware data recovery experts is available to assess your situation.

Our emergency response team is available 24/7 for critical situations requiring immediate intervention.

We’re on hand to resolve even the most complex ransomware attacks.

Contact our experts

L’article Data recovery after ransomware attack on Synology NAS: Retex est apparu en premier sur Recoveo.

What to do in the event of a cyber attack: tips and best practices

fchassignol — Fri, 15 Mar 2024 19:59:15 +0000

Cyber attacks have become a daily reality, affecting both individuals and businesses with alarming frequency and sophistication. The threat of these digital attacks has never been more pressing than today, as our lives and economies become increasingly interconnected. Cyber attacks can take many forms, from phishing to ransomware to attacks on critical infrastructures, and can have sometimes disastrous consequences. So how do you deal with a cyber attack? What reflexes should you adopt to protect your data and secure your IT systems?

Definition of a cyber attack

A cyber attack is a threat aimed at exploiting the vulnerabilities of a computer system (computer, server, network) to carry out a malicious act. This may involve unauthorized access to confidential information, data theft, remote control, malware propagation or online account hacking. Behind these attacks are often individuals or organized groups, commonly referred to as “pirates” or “hackers”, who may be motivated by a variety of objectives, ranging from financial gain to the simple pursuit of notoriety, to more malicious intentions such as industrial espionage or sabotage.

These digital threats exploit technical vulnerabilities, but can also take advantage of human or organizational weaknesses, such as a lack of IT security awareness. A cyber attack can compromise the security of data and critical infrastructures, cause prolonged service interruptions and expose the company to the risk of legal disputes. It can also compromise the confidentiality of personal and business information, lead to significant financial losses, and damage the trust of customers and partners.

Consequences for individuals and businesses

For private individuals, a cyber attack can cause serious problems: identity theft, fraudulent transactions, loss of personal data (photos, videos, e-mails), even infiltration of connected home equipment (surveillance cameras, thermostats, etc.).

Companies, for their part, face even greater risks in the event of a cyber attack: complete or partial business stoppage, financial losses (theft, fraud), damage to reputation, leakage of confidential information (customer data, industrial secrets) or failure of protection systems.

What to do in the event of a cyber attack

If you are the victim of a cyber attack, whether you are a private individual or a company, here are some good reflexes to adopt:

What to do in the event of a cyber-attack on your business?

When a company, small business or SME, is faced with a cyber attack, the speed and effectiveness of the response is crucial to minimize damage and disruption. Here are the key steps to follow:

Immediately disconnect the machine from the network to limit the spread of the attack. This includes disconnecting the network cable, Wi-Fi and mobile data.
Keep the device switched on to avoid losing evidence essential to future investigations.
Alert IT support or the Information Systems Security Manager (ISSM) without delay, so that they can take the necessary action.
Stop using compromised equipment to avoid deleting important traces.
Inform colleagues to prevent actions that could aggravate the situation.

In addition to these immediate measures, in France, for instance, it is imperative to file a complaint within 72 hours of discovering the attack, in accordance with the French Ministry of the Interior’s Loi d’Orientation et de Programmation (LOPMI) in force since April 24, 2023. This filing of a complaint is a sine qua non condition for companies to be able to claim compensation from their insurer, if such a policy has been taken out.

How do you react to a cyber attack as an individual?

If you’re a private individual and find yourself under cyber attack, acting quickly can go a long way to minimizing the damage. Here are the steps you can take to secure your information and limit the spread of the attack:

Immediately disconnect your devices from the network to prevent the threat from spreading. This can involve your computer, your smartphone, but also your connected objects that could be compromised, such as your surveillance camera or thermostat.
Identify the type of attack you’re under. Cyber attacks can take many forms, from computer viruses and phishing to ransomware. Recognizing the type of attack will help you determine the specific measures you need to take.
Contact professional IT support if necessary. Getting help to technically manage the incident can be crucial to recovering your data or securing your systems.
Change all your passwords, starting with those for the most sensitive accounts, such as e-mail, online banking and social networks. Opt for strong, unique passwords for each account.
Inform those around you about the attack, so that they too can be vigilant. Cyber attacks can sometimes spread through networks of contacts, so it’s important to warn family, friends and colleagues.

How to prevent cyber attacks

Although it’s impossible to completely protect against cyber attacks, there are several measures you can take to reduce the risks:

1. Make sure you use an effective security system

To protect your computer and your data, install high-quality antivirus software and keep it up to date. Make sure you activate a firewall and configure your browser’s security options correctly.

2. Update your software regularly

Updates are essential to correct security flaws in your computer systems, especially operating systems (Windows, MacOS) and Internet browsers. So don’t forget to carry out updates as soon as they become available.

3. Be vigilant against phishing attempts

Le phishing est une technique utilisée par les pirates pour tromper les internautes en leur faisant croire qu’ils communiquent avec un site officiel ou une entreprise fiable et obtenir ainsi leurs identifiants et mots de passe. Phishing is a technique used by hackers to deceive Internet users into believing that they are communicating with an official site or a reliable company, thereby obtaining their logins and passwords. Avoid clicking on suspicious links in e-mails, and learn to recognize the signs of a fraudulent e-mail. If in doubt, contact the company directly.

4. Adopt good password practices

Use complex, unique passwords for every account you have (email, social networks, e-commerce sites…). Change them regularly, and don’t hesitate to use a password manager to help you remember them safely.

5. Raise awareness among your employees and friends

In the workplace, training and raising awareness of cybersecurity risks is essential. You can set up in-house training programs or call on the services of specialized organizations. For private individuals, find out about the dangers that exist, and tell your friends and family about them.

In the face of a cyber attack, it’s best to keep calm and adopt the right reflexes to limit the damage. However, prevention remains the best weapon for protecting against these threats: updating computer systems, being vigilant in the face of phishing attempts, raising awareness among those around you… It’s a constant effort, and the challenges are evolving as rapidly as the technologies themselves. So let’s stay alert and implement best practices to ensure our digital security.

L’article What to do in the event of a cyber attack: tips and best practices est apparu en premier sur Recoveo.