Ransomware Recovery: A Strategic Failback Case Study
In August, a large disaster recovery (DR) customer faced a ransomware attack that compromised their primary data center. They required immediate workload restoration to maintain business continuity. Stage2Data moved the customer’s environment to its hosting infrastructure, maintaining operations while the client rebuilt their data center on new hardware.
Rapid Response
Immediate workload restoration
Clean Recovery
Stable, trusted recovery
NRaaS™
Native user connectivity
The environment remained clean and functional throughout the five-month recovery period. Once the customer’s on-site hardware refresh was complete, Stage2Data assisted with the controlled failback and the reestablishment of replication in order to maintain ongoing DR protection.
The Challenges and Objectives
The customer faced a mix of technical pressure and practical constraints. The recovery strategy required us to restore service rapidly, maintain user productivity, and avoid unstable access methods.
Key challenges and objectives included:
Rapid Response
Bringing core systems online within a secure recovery environment with verified controls.
Extended Hosting Support
Providing a stable platform from August through January while the client procured and configured new hardware.
Addressing Data Gaps
Managing virtual machines (VMs) that were not part of the initial replication set at the time of the attack. These were workloads the client later identified as necessary to resume normal operations.
Bandwidth Management
Planning for the transfer of terabytes of data over limited links.
Network Identity Preservation
Maintaining network access that mirrored normal operations, avoiding additional configuration. Stage2Data supported this through NRaaS™, extending the client’s network into the recovery environment so users and applications could connect normally as though the environment was still on site.
The Solution
Stage2Data ran the recovery as a sequence of clear steps, with each step reducing risk and setting up the next one. The approach covered:
Managed Failover
Stage2Data hosted the client’s environment in its data center for five months. This gave the client the necessary time to rebuild their stack without rushing the process.
Archive Restores via Cohesity
When the client identified missing VMs, the Stage2Data team restored them from archived backups. This bridged the gap without slowing the recovery of the primary systems. This let the team bring required systems online even though they were not part of the original replicated VM set.
Network Extension
Stage2Data extended the client’s network into its DR environment. This allowed workloads to keep their network identities, simplifying user access and reducing reliance on VPN-only patterns. Instead of forcing access through a public IP and VPN-only model, the recovery environment behaved like an extension of the client’s existing network.
Zerto-Led Failback
Once the new hardware was ready, the team used Zerto to replicate data back to the client’s site. Stage2Data supported a phased return to the customer’s data center and confirmed that replication resumed in the correct direction for future safety.
“Stage2Data acted as a dedicated partner throughout our recovery. We required a stable environment to host our workloads for five months while we rebuilt our systems. Your team managed the failover and the final failback with technical precision, maintaining our operations throughout the process.”
— Director of IT Infrastructure
Results
The recovery delivered stability first, then a controlled return to the customer’s rebuilt environment. Outcomes included:
1. Stable Hosted Operations
The customer ran in Stage2Data’s data center from August through mid-January without platform issues reported during the hosted period.
2. Meaningful Scale Supported
At peak, Stage2Data hosted roughly over 50TB worth of systems in its DR environment.
3. Predictable Path Back to Normal
The customer began failing workloads back after its hardware refresh, with replication re-established, so Stage2Data returned to the secondary DR role.
4. Cost Accounted for in Service Delivery
Archive restores and additional hosted workloads were handled through hosting fees tied to the recovered machines, keeping the commercial model clear during an extended recovery window.
Looking Ahead
With the hardware refresh complete, the focus moves to the final transfer of operations back to the client’s site. Stage2Data will confirm that replication flows correctly from the new primary data center to the recovery environment. This return to the original configuration marks the end of the emergency response. The client enters this next phase with verified protection and a disaster recovery strategy tested in a real-world scenario.