Volume Shadow Copy Service deleted after ransomware attack - Backup no longer working

  • Question

  • Hi

    I have a server running SBS Server 2008 with Exchange Server 2007.

    Earlier this week the server was compromised by a ransomware attack.

    The antivirus software on the server was removed from the server by the attack.

    I managed to login to the server early enough to stop all files becoming encrypted. 

    I was able to restore most files from the shadow copy which had just completed about an hour before the attack. 

    I ran antivirus scans and thought I had found and removed the virus but I think it was still working in the background somehow.

    When I logged into the server the next day the shadow copies were all gone and also the Windows Server Backup was not working anymore. It looks like the attack has completely disabled/deleted these items so that we cannot restore the server.

    I noticed that shadow copies were no longer working and also the Volume Shadow Copy service was missing from services.

    If I run VSSAdmin List Writers I am getting an "Unexpected Failure - catastrophic failure" message. The same if I run Windows Server Backup (Catastrophic Failure).

    I have tried to re-register DLLs as mentioned in other posts. I have also tried to copy the VSS registry from another server and imported it into this server. This would not work until I deleted the VSS registry setting from the compromised server and then imported. Also ran SFC.

    After doing all of these the Volume Shadow Copy service is still not showing in services so I cannot do any more backups.

    I have backup drives but the latest backup is now about 1 week old.

    What would my options now be to get the backup working again?

    Is there any way to rebuild/reinstall the VSS service and shadow copies (even to copy files from another similar server)?

    Can I retrieve the registry that was in state before the attack from the backup drive and copy it to the server?

    Should I perform a restore from the backup drive? However, as Exchange is on the server I would need to back up the mailbox database, otherwise we would lose 1 week of email data.

    Any advice/suggestions would be appreciated as I need to get backup and shadow copies working again in case of a repeat attack.

    Thanks

    Saturday, July 20, 2019 5:41 AM
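
A read-only triage script for the symptoms described in the question above (VSS missing from services, vssadmin and Windows Server Backup failing). This is an added example, not part of the original thread; it assumes PowerShell is installed on the server, and the variable names are illustrative.

```powershell
# Added example, read-only: reports state and changes nothing.
# Run from an elevated PowerShell prompt on the affected server.
$targets = @(
    @{ Name = 'VSS';   File = 'vssvc.exe' },  # Volume Shadow Copy service
    @{ Name = 'swprv'; File = 'swprv.dll' }   # Microsoft Software Shadow Copy Provider
)

foreach ($t in $targets) {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($t.Name)"
    $file = Join-Path "$env:SystemRoot\System32" $t.File
    $svc  = Get-Service -Name $t.Name -ErrorAction SilentlyContinue

    Write-Host "== $($t.Name) =="
    Write-Host ("  binary on disk      : {0} ({1})" -f (Test-Path $file), $file)
    Write-Host ("  visible in services : {0}" -f ($svc -ne $null))

    if (Test-Path $key) {
        $reg = Get-ItemProperty -Path $key
        # Start: 2 = automatic, 3 = manual, 4 = disabled
        Write-Host ("  registry Start      : {0}" -f $reg.Start)
        Write-Host ("  registry ImagePath  : {0}" -f $reg.ImagePath)
    } else {
        Write-Host "  registry key        : MISSING ($key)"
    }
    if ($svc) { Write-Host ("  current status      : {0}" -f $svc.Status) }
}

# The native tools return a non-zero exit code on failure. Capture the code
# and the text so the exact error can be recorded before any repair attempt.
$commands = @(
    @('vssadmin', 'list', 'writers'),
    @('vssadmin', 'list', 'shadows'),
    @('wbadmin',  'get',  'versions')   # backups Windows Server Backup can still see
)
foreach ($cmd in $commands) {
    $exe  = $cmd[0]
    $rest = $cmd[1..2]
    $out  = & $exe $rest 2>&1
    Write-Host ("== {0} {1} (exit code {2}) ==" -f $exe, ($rest -join ' '), $LASTEXITCODE)
    $out | ForEach-Object { Write-Host "  $_" }
}
```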

All replies

  • Hi,

    > Is there anyway to rebuild/reinstall the VSS Service and shadow copies. (even to copy files from another similar server)
    As far as I know, there is no specific way to repair or re-install it.

    In general, we can use “sfc /scannow”, or repair installation via installation medium to check/repair system files.

    If the problem persists, rebuilding the system would be recommended.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 22, 2019 7:13 AM
    Moderator
  • Hi,

    How are things going with this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang     

    Wednesday, July 24, 2019 8:21 AM
    Moderator
  • Hi, 

    I did try sfc /scannow but this did not resolve the problem. 

    Is there no way to copy files from another machine, rather than having to rebuild the system?

    Is it possible to reinstall Windows SBS Server over the top of the existing installation so that it replaces the corrupt files?

    Thanks

    Wednesday, July 24, 2019 8:35 PM
  • Hi,

    System re-installation might be necessary if SFC and system restore are not helpful. If you want to keep the current files and configuration, migration can be considered.

    If it is the only server in your environment, you may build a VM as an intermediate step:
    Build SBS on the VM -> migrate from problematic SBS to VM -> re-install original SBS -> migrate back from VM to SBS.

    Please note that system health is one of the prerequisites for a successful migration.

    Best Regards,
    Eve Wang

    Thursday, July 25, 2019 6:32 AM
    Moderator
  • Hi,

    Is there any update?

    Best Regards,
    Eve Wang

    Monday, July 29, 2019 7:01 AM
    Moderator