Many businesses have suffered ransomware attacks and had their data encrypted. Some have paid the ransom to decrypt their data because they couldn’t restore data within a reasonable timeframe (or at all). It is an IT provider’s job to know how to restore data and make sure their client can get back to production.

 There are many different ways to restore operations following a ransomware attack. Below is a list of assumptions to narrow down the ways to get back to production with the steps listed. Let’s get started.

Assumptions:

  1. The affected server is a Windows 2008 file server.

  2. Most of the files existing on the server are encrypted.

Let’s Restore: 

  1. Clean out the network and every endpoint of any ransomware

  2. On the file server, download and install the Direct Restore Utility

  3. Choose the latest restore point that was not infected and let the Direct Restore Utility create an iSCSI mountpoint on the file server to the recovered information.
    NOTE: The Datto Web UI identifies which snapshots likely contain ransomware

  4. Once mounted, open command prompt.

  5. Use Robocopy to sync only new/updated files to the destination.
    NOTE: I usually recommend adding /z /fft /w:5 /r:5 /MIR and /copyall for specific options.

  6. Once the copy is complete, verify all the necessary data is there

  7. Close the iSCSI mountpoint.

You don't always need to do a virtualization to restore the data. Look for the path of least resistance to get the client environment back up to speed. In this case, there was no “outage” per se, there was, however, data loss. Virtualization would likely be a time-consuming process to restore production because you would also have to deal with bootability. The server already boots...so, move on to replace the lost data. 

There are numerous different ways to restore a server from ransomware, let me know other ways in the comments!