USA: +1 888 900 4529
UK: +44 800 088 5522

Recovering Affected .mdf Files From Ransomware Attack


The SQL database files become unusable due to ransomware (lockbit 2.0, lockfile, .arrow, .dharma, .fair, .mado, 360 ransomware, .wallet, etc) attack on the victim's system and encrypted.


In such scenario the SQL Server User will not be able to access his/her database. To regain the access on the database, one can go with the below solution to start recovery of affected .mdf files.

Steps to Recover Data from Affected .mdf Files

  • Press Windows + R and type services.msc and click Ok to check running Services on your system.
  • Select SQL Server service and right click on it, then click on Stop to Stop SQL Server service ( By stopping SQL server service you will be able to copy or select your affected .mdf files from the default location.)
  • Now, Go to the default location where SQL Server contains all the primary, secondary and log files.

Note : SQL Recovery Tool works almost with all ransomware attacked SQL databases, but as this is a case of recovery, it cannot be predicted. That is why we provide a trial version to verify the possibilities of recovery before purchase. The licenced version of our tool will export all these tables and records that can be seen in the preview of the trial version, so it is highly recommended to test the trial version with the same database that you want to recover.

For example:

we can see the default path of database files (.mdf,.ndf,.ldf) in SQL Server 2014, where all the .mdf database files are located with their associated .ndf and .ldf database files:

C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\

  • Select the .mdf files which are encrypted into .wallet extension and then rename the .wallet extension into .mdf extension.
  • Copy and place that .mdf files into a healthy system where the similar or upgraded version of SQL Server pre-installed.
  • Now, Launch the Demo version of SysTools SQL Recovery in a healthy system.

  • sql recovery
  • Click on Open to select the affected .mdf file from the placed location.

  • open mdf file
  • After selecting the affected .mdf file, Software will ask you for Quick or Advance scan and then you need to select the SQL Server version of that .mdf file from the given options or you can auto detect the version of that .mdf file by clicking on Auto detect SQL Server file (.mdf) version.

  • scan mode
  • Once the file is successfully loaded into SysTools SQL recovery, the Next scanning process will recover the data from affected .mdf file and after completion of scanning process software will generate the scanning report of available database objects in that file.

  • scanning process completed

Note: Once the affected .mdf file successfully scanned and Software previews the .mdf file objects like Tables,Trigger,Views,Functions etc then one can go with further export option by purchasing the full version of SysTools SQL Recovery.

export mdf data

PS: It's highly recommended to perform above action on a healthy system with live SQL Server environment to recover database from affected .mdf file using SysTools SQL Recovery Tool.