Backup Restore from Ransomware?

  • Question

  • Hello TECH GODS,

    I have a client who has a Windows 2008 Small Business Server that I enabled backup on and selected an external Seagate 5TB hard drive as backup.  It apparently made about 15 backups before it got a double-encryption ransomware on the server, making it unusable.  Not sure if it affected the backup HD?

    I am currently trying to install a new version of Windows 2008 Enterprise Server R2 (Trial version) on a different computer now.

    Is it possible to Restore before the Ransomware attack?

    Even if it's a week prior to the event date? and recover files?

    ANY HELP WOULD BE AMAZING!  THANK YOU in advance, TECH GODS.

    Aaron

    Wednesday, June 1, 2016 7:18 PM

Answers

  • It all depends on whether or not the backup was also encrypted. All you can do is try to do a restore. Connect the backup drive to the new clean server, run your backup software doing a restore of all of the data from a time prior to the data encryption and cross your fingers.

    Some ransomware does encrypt data on the attached backup drives as well. Because of this I have been setting up my backups to use UNC paths that require credentials and the backup has to perform authentication at the time of backup.

    Good luck!



    Please remember to select Mark as Answer if someone provides the answer or mark as helpful if the response helps to lead you in the right direction.

    Wednesday, June 1, 2016 7:36 PM
  • Hi,

    Agree with LhkingVT. SBS is designed to be backed up to an external disk, which can protect the backup files to a certain extent once the main system has crashed or been attacked.

    If the backup is still available, try "How to Perform a Bare Metal Restore on Small Business Server 2008":
    https://blogs.technet.microsoft.com/sbs/2010/06/11/how-to-perform-a-bare-metal-restore-on-small-business-server-2008/

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, June 2, 2016 9:50 AM

All replies

  • Hi,

    You don't say if shadow copies/previous versions were enabled prior to the encryption or if the ransomware removed them.  To test, pick a folder that has encrypted files, right click and see if previous versions are available.  If so, you may be able to restore "yesterday" from them.


    Larry Struckmeyer [MVP]
    If your question is answered please mark the response as the answer so that others can benefit.

    Thursday, June 2, 2016 11:06 AM
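
The checks suggested in the replies above, as an added example that is not part of the original thread: a PowerShell sketch that lists the Windows Server Backup versions on the external disk that predate the encryption, shows what the newest of them contains, and then lists any surviving shadow copies. The drive letter `E:`, the cutoff date, and English-language `wbadmin` output are assumptions; run it from an elevated prompt.

```powershell
# Added example; values below are assumptions, adjust them to your environment.
$BackupTarget = 'E:'                      # assumed drive letter of the external backup disk
$Cutoff       = [datetime]'2016-05-25'    # assumed: a date safely before the encryption began

# wbadmin prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup (UTC).
# The label text is localized; this pattern assumes English output.
$versions = wbadmin get versions "-backupTarget:$BackupTarget" | ForEach-Object {
    if ($_ -match '^\s*Version identifier:\s*(\S+)') {
        $id = $Matches[1]
        New-Object PSObject -Property @{
            VersionId = $id
            TimeUtc   = [datetime]::ParseExact(
                            $id, 'MM/dd/yyyy-HH:mm',
                            [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

if (-not $versions) {
    Write-Warning "No backup versions could be read from $BackupTarget."
    return
}

# Keep only backups taken before the cutoff, newest first.
$candidates = @($versions | Where-Object { $_.TimeUtc -lt $Cutoff } |
                Sort-Object TimeUtc -Descending)
$candidates | Format-Table VersionId, TimeUtc -AutoSize

if ($candidates.Count -gt 0) {
    # Show the volumes and items in the newest pre-incident backup.
    # This only reads the catalog; it does not restore anything.
    $newest = $candidates[0].VersionId
    wbadmin get items "-version:$newest" "-backupTarget:$BackupTarget"
} else {
    Write-Warning "All readable backups are on or after $Cutoff."
}

# On the affected server: list shadow copies (Previous Versions) that still exist.
vssadmin list shadows
```

The version identifier printed for the chosen backup is the value the Windows Server Backup recovery wizard or `wbadmin start recovery -version:` expects.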