Your entire data environment disappears overnight — what do you do?
That was the nightmare scenario for one of Stage2Data’s clients when an intruder hijacked its Zerto console, deleting not only the client’s local production environment and severing the connection between their two sites, but also the associated Virtual Protection Groups (VPGs) stored in Stage2Data’s S3 compatible cloud environment.
Stage2Data jumped in, using Zerto’s long-term retention (LTR), Extended Journal Copies (EJC) and local, immutable snapshots to restore critical servers in less than an hour and their entire environment within a few hours.
LTR: Long Term Retention
EJC: Extended Journal Copies
Snapshots: Local, Immutable Snapshots
Freed from paying ransom or losing vital data, the client switched focus to future-proofing its IT setup. This case study shows how rapid disaster recovery can save more than just data—it preserves customer confidence and business momentum. By deploying locked backups and a dependable hosting partnership, the client shifted to a more resilient model and emerged stronger. Their experience underscores one truth: fast, reliable protection can be the difference between a crisis and a comeback.
A Catastrophe Waiting to Unfold
A client in the United States fell victim to a cyberattack in which an intruder gained admin-level access to its infrastructure. At around 4:00 AM, the malicious actor deleted not only the local Zerto setup, thereby severing the client’s connection to Zerto between the two sites, but also the associated VPGs stored in a cloud environment. The attacker had enough knowledge of Zerto to remove entire replication groups and hamper any standard restoration.
This action posed a huge problem for the client. Losing local servers is bad enough, but losing off-site copies means your fallback plan is also gone. The intruder aimed to force a ransom payment by taking away every restoration option. Since the client’s direct path to recovery vanished, the odds of retrieving data without paying the ransom looked grim. With the main environment sabotaged, the only remaining question was whether there was an extra layer of security that the intruder couldn’t touch.
“Our entire business hinged on ensuring data was always at our fingertips. The idea of paying a ransom felt impossible. We knew that if we lost access to our data for even a few hours, our employees wouldn’t be able to serve our customers, and we’d lose trust in the market.”
Stage2Data’s client Head of Information Technology
The Day Saved – Purpose-Built Object Storage with LTR
Fortunately, as part of their client’s cloud solution (and overall disaster recovery plan) Stage2Data added archival storage to their S3 storage, creating an air-gapped long-term backup that the hackers couldn’t touch. This storage design includes “object locking,” with immutable snapshots. Once written, these snapshots cannot be removed or changed for the duration that the retention policy specifies.
By storing these backups locally, the recovery process could begin without downloading huge files from a remote third-party provider. The technical team used the local, locked snapshots to restore critical servers. It was a quick pivot: the standard replication path in the VMware environment had been wiped, so the team tapped into the LTR and EJC snapshots instead.
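The protection described above holds only if every backup copy actually carries a lock that an admin-level principal cannot lift. The following audit is an added example, not code from Stage2Data or Zerto; it assumes the store returns configuration in the shape of the S3 Object Lock API responses, and the object keys, dates and the 30-day policy are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def audit_object_lock(lock_cfg, versioning, objects, min_days):
    """Return findings; an empty list means every copy is locked in
    COMPLIANCE mode for at least min_days after it was written."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("bucket: versioning is not enabled")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: Object Lock is not enabled")
    default = cfg.get("Rule", {}).get("DefaultRetention", {})
    days = default.get("Days", 0) + 365 * default.get("Years", 0)
    if default.get("Mode") != "COMPLIANCE" or days < min_days:
        findings.append("bucket: default retention is weaker than policy")
    for obj in objects:
        ret = obj.get("Retention")
        if not ret:
            findings.append(f"{obj['Key']}: no retention, deletable now")
        elif ret["Mode"] != "COMPLIANCE":
            # GOVERNANCE locks can be lifted by a principal holding the
            # bypass permission, which an admin-level intruder may have.
            findings.append(f"{obj['Key']}: GOVERNANCE lock is bypassable")
        elif ret["RetainUntilDate"] - obj["LastModified"] < timedelta(days=min_days):
            findings.append(f"{obj['Key']}: locked for less than {min_days} days")
    return findings

# Constructed sample data (hypothetical keys and dates).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
LOCK_CFG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
VERSIONING = {"Status": "Enabled"}
OBJECTS = [
    {"Key": "ltr/vm-app01.bak", "LastModified": T0,
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": T0 + timedelta(days=30)}},
    {"Key": "ltr/vm-db01.bak", "LastModified": T0,
     "Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": T0 + timedelta(days=30)}},
    {"Key": "ltr/vm-web01.bak", "LastModified": T0,
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": T0 + timedelta(days=7)}},
    {"Key": "ltr/vm-old.bak", "LastModified": T0, "Retention": None},
]

if __name__ == "__main__":
    for finding in audit_object_lock(LOCK_CFG, VERSIONING, OBJECTS, min_days=30):
        print(finding)
```

Against a live store, the three inputs would come from the bucket's Object Lock configuration, its versioning status and each object version's retention record.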

Speedy Recovery Tactics
Since the storage was already in Stage2Data’s network, there was no waiting for data transfers from outside servers. A direct copy of the necessary virtual machines (VMs) was instantly available, so the restore started right away. Testing to see if data was malware-free required some steps, but the first group of servers was up in about an hour. The approach involved spinning up the client’s systems on Stage2Data’s own infrastructure, free from any taint left behind by the attacker. This move bypassed the compromised local network and let the client’s workforce get back to work in a clean virtual environment.
Stage2Data also utilized its proprietary Network Recovery-as-a-Service (NRaaS)™ solution to fail over the client’s internal intrusion prevention system (IPS) and their internet-facing IP addresses. NRaaS™ allowed Stage2Data to quickly pull from the client’s selected recovery point objective (RPO) and recovery time objective (RTO) points. Then, using Zerto, Stage2Data took the virtual machine disks (VMDKs) and system files, and restored the VMs to the way they were at the time of the recovered snapshot. This allowed the client to stay on the same DNS while spinning up systems in a secure environment.
Post-recovery Transition to IaaS
Once the client had a functioning environment again, it decided to move its entire hosting to Stage2Data. The technical environment at the client site was compromised, and the Stage2Data infrastructure performed well under pressure, so it made sense to bring the client's entire cloud infrastructure across. The client saw that handling a rebuild in a new environment reduced exposure to future threats. By moving to Stage2Data’s Infrastructure-as-a-Service (IaaS) solution, the client gained an outsourced hardware solution and a more predictable monthly cost model for compute, storage, and networking.
They also realized the DR site ran on NVMe-powered systems, offering enhanced performance compared to their legacy infrastructure. This layered approach – combining Zerto’s software-based replication and LTR features with Stage2Data’s local object storage – addressed the challenge. One standard backup system got destroyed, so the last line of defence emerged from snapshots the attackers could not remove.
“We were then able to, within the hour, have servers back up and running for our secondary recovery path. If we didn’t have LTR and local object storage, that wouldn’t have been feasible. The attackers knew Zerto well enough to delete the primary path, so having a locked backup off that path saved the day.”
Head of Information Technology at the customer.
Results

The outcome of the recovery effort stands as a strong example of thoughtful preparation and swift action. Stage2Data and Zerto’s synergy led to multiple benefits:
1. No Ransom Paid
The client did not pay any ransom. By relying on immutable snapshots, the team had a reliable way to restore vital data. This meant the client had no reason to negotiate with criminals or risk paying for a decryption key that might not even work.
2. Fast Restoration
The first group of servers was brought online about an hour after the internal systems triggered an alert that something was wrong. Since the object storage was already in Stage2Data’s cloud, there was no need to wait for data transfers from a third-party object storage provider. A direct copy of the necessary VMs was instantly available, so the restore started right away. That meant minimal disruption, a key factor when every minute of downtime can hurt.
3. Protected Long-Term Retention
Zerto’s LTR, EJC, and Stage2Data’s locked object storage proved to be the difference-maker. Even with the standard replication path destroyed, the extra layer of backups stood firm. This was a vital demonstration of how multi-layered data protection can rescue an organization from permanent losses.
4. Smooth Transition to IaaS
After the event, the client made the decision to keep running workloads in Stage2Data’s environment. By shifting to Infrastructure-as-a-Service, the client moved away from local hardware that was already compromised. Thanks to NVMe-powered infrastructure, they can now embrace a fully managed platform that boosts performance and provides peace of mind.
5. Strengthened Defensive Posture
The entire incident highlighted the value of advanced threat detection and alerts. Stage2Data’s internal alert system caught the intruder’s activity in the middle of the night. This early warning meant the team could address the problem before the intruder could do more damage.
Looking Ahead