How to recover virus affected MDF files?

This is a guest post by my friend and SQL Server DBA Andrew Jackson.

As technology advances, new computer threats keep being added to the list of virus attacks. One such threat is Ransomware. This is a type of malicious software designed to encrypt the files on a victim's machine until a certain amount of money is paid for decryption. When encrypted files carry the .wallet extension, it means the attacker is using a standard Ransomware pattern whose major aim is to force the victim to pay the ransom.

What Is the Wallet Ransomware Virus?

It is a form of Ransomware attack that enters a computer and encrypts some of the data files stored on it. The encryption makes the files unreadable to the programs on the local machine, which means users are unable to open or access them. Wallet Ransomware is the most common type of Trojan: it infects a machine, encrypts the victim's files, and the victim is told to pay the con artist hidden behind the attack to have the files decrypted. Paying the con artists the amount they demand is not a solution to the problem, because there is no guarantee that they will actually decrypt the files after getting the money.

This attack uses an asymmetric cryptography technique for encryption, and the file encoder appends the '.wallet' extension to the name of each encrypted file. Asymmetric cryptography involves the generation of two keys: a public key for encryption and a private key for decryption. The private key is kept on a remote server by the developers and is therefore known only to the attacker. The cyber criminals demand a certain amount of money for purchasing this private key. Dharma's text file consists of a very short message pointing out that the victim's machine is unprotected and that users need to resolve the problem by restoring the encrypted files.

A common way this threat is delivered is through malicious email attachments. The attacker sends an email message that looks as if it came from a known user. Opening the attachment of such a mail invites the threat, i.e., Wallet Ransomware, onto the machine. This is the reason why email users are advised to be extra cautious when opening emails on their machine.

Tip: Keep the following two safety tips in mind to avoid a bitter situation affecting you and your wallet:

  • Properly authenticate the identity of the email sender before opening any attachment
  • Create timely backups of your data to completely avoid Ransomware infection

Instead of ignoring the problem for the time being, one should eliminate Wallet Ransomware from the machine right away. In the following section, we are going to learn a .wallet ransomware removal technique for SQL Server database files.

Recover Affected MDF Files From Wallet Ransomware Virus

Consider the following scenario:

On my PC, the Ransomware attack occurred in the folder where I have placed all the database files, i.e., MDF files with their associated LDF files. The files are encrypted with the .wallet file extension and the only solution left is to restore the files from a healthy backup. Unfortunately, I do not have a backup of the databases on a separate machine and am feeling helpless to resolve my problem. Please, someone help me out!!

In such a scenario, SQL Server users can use the solution explained below to start recovering the affected MDF files:

  • Open the Run prompt on your machine by pressing Windows + R, type the msc command, and press Enter to continue
  • Select the SQL Server service and right-click on it. Click Stop to stop the SQL Server service
  • Navigate to the location where the server saves all of its database files, i.e., primary, secondary, and log files. For example, the location of the database files in SQL Server 2014 is C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\
  • Choose the MDF files that were encrypted with the .wallet extension and rename them with the .mdf file extension
  • Copy the affected MDF files to a healthy system where a similar or upgraded edition of SQL Server is pre-installed
  • Now it is time to recover the data from the affected files in a healthy state. Launch the free version of the SysTools SQL Recovery software on the healthy system
  • Click the Open button to select the affected MDF files from the machine
  • As convenient, choose either the Quick or the Advance scan mode and then select the version of SQL Server with which the MDF file was created. If you do not know the version, enable the Auto detect SQL server file (.mdf) version option
  • After the file has loaded successfully into the SysTools SQL Recovery software, the scanning procedure starts. At this stage, the tool recovers data from the affected MDF file, and once scanning is complete the application generates a scanning report of the database objects available in that file
  • The entire data of the affected MDF file is loaded in the preview window of the recovery tool, where you can look at the complete data including tables, triggers, views, etc.


Note: once the tool previews the database objects of the affected database file, such as Tables, Triggers, Views, Stored Procedures, Functions, etc., one can use the export option by purchasing the full licensed version of the tool.
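As an added example (not part of the original post and not SysTools code), the following script triages a staged copy of a renamed file before it is loaded into a recovery tool, counting how many 8 KB pages still carry a recognisable page header and how many look encrypted. The header layout used (version byte 1 at offset 0, page number at offset 32), the entropy cut-off and the file name `staged_copy.mdf` are assumptions, and the sample file is constructed.

```python
import math
import random
import struct
import tempfile
from collections import Counter

PAGE_SIZE = 8192       # SQL Server data files are a sequence of 8 KB pages
PAGE_ID_OFFSET = 32    # assumed: m_pageId, little-endian page number in the 96-byte header
ENTROPY_LIMIT = 7.5    # bits per byte; assumed cut-off for "looks encrypted"

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 is indistinguishable from random)."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def classify_page(page, index):
    if not any(page):
        return "blank"                      # never-allocated page, all zeros
    (page_no,) = struct.unpack_from("<I", page, PAGE_ID_OFFSET)
    if page[0] == 1 and page_no == index:   # header version 1 and a self-consistent page id
        return "intact"
    return "encrypted" if entropy(page) > ENTROPY_LIMIT else "damaged"

def triage(path):
    """Count page classes in a staged copy, opened read-only."""
    counts = Counter()
    with open(path, "rb") as fh:
        for index, page in enumerate(iter(lambda: fh.read(PAGE_SIZE), b"")):
            if len(page) < PAGE_SIZE:
                counts["truncated"] += 1    # trailing partial page
                break
            counts[classify_page(page, index)] += 1
    return dict(counts)

def build_sample(path):
    """Constructed file: page 0 intact, 1 random, 2 blank, 3 intact, 4 overwritten, then a stub."""
    def intact(i):
        page = bytearray(PAGE_SIZE)
        page[0] = 1
        struct.pack_into("<I", page, PAGE_ID_OFFSET, i)
        return bytes(page)
    noise = random.Random(0).randbytes(PAGE_SIZE)   # stands in for ciphertext
    pages = [intact(0), noise, bytes(PAGE_SIZE), intact(3), b"A" * PAGE_SIZE]
    with open(path, "wb") as fh:
        fh.write(b"".join(pages) + b"\x00" * 100)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(f"{tmp}/staged_copy.mdf")
        print(triage(f"{tmp}/staged_copy.mdf"))
```

Run it against a copy of the file, never the only remaining original; a result dominated by "encrypted" pages means there is little page structure left for any page-level recovery to read.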


It is recommended that users of the software carry out the above procedure on a healthy system with a live SQL Server platform. One will definitely be able to regain the database from MDF files that were affected by the Ransomware attack. The solution will prove itself a helpful approach to recovering the database from encrypted .wallet files.

