StephenMok
Lurker
Posts: 2
Liked: 1 time
Joined: Apr 14, 2022 9:14 am
Full Name: Stephen Mok

Ransomware attack

Post by StephenMok »

The Veeam backup server was encrypted by ransomware; luckily, however, the backup repositories are not encrypted.
Would it be possible to build a new Veeam server to restore those backups? What do we need to restore them, provided that the old AD service no longer exists?
Thank you
wishr
Veteran
Posts: 3077
Liked: 455 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov

Re: Ransomware attack

Post by wishr » 1 person likes this post

Hi Stephen,

Welcome to Veeam R&D Forums, and sad to hear you have faced that situation.

Do you have a configuration backup? If so, you may install VBR on whatever machine you have, restore the configuration database and then start restoring your data.
If you don't have it, you may spin up a new VBR server and add the existing repository there, then restore the data. You may need to do a repository re-scan to get the backups to appear in the console.

Another way is to use Extract Utility - in this case, you don't need to have a backup server at all.

Thanks
soncscy
Veteran
Posts: 643
Liked: 312 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey

Re: Ransomware attack

Post by soncscy » 1 person likes this post

If you also handled DNS with your AD, you might need to temporarily do some hosts file edits also to handle resolution until you get DNS up and running again, just pointing it at the virtualization environment's current IP.
StephenMok
Lurker
Posts: 2
Liked: 1 time
Joined: Apr 14, 2022 9:14 am
Full Name: Stephen Mok

Re: Ransomware attack

Post by StephenMok » 1 person likes this post

Thank you guys. We finally found that some of our repositories were encrypted too; we are now looking for a service that can decrypt LockBit 2.0.
micoolpaul
Veeam Software
Posts: 219
Liked: 111 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul

Re: Ransomware attack

Post by micoolpaul »

Hi Stephen,

Have you engaged with Veeam support? They have a team that focuses on ransomware response. They won’t be decrypting LockBit, but they could help try to identify any functional backups etc.

If this is your first dealing with ransomware, it’s good to get some expert support alongside you.
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
wishr
Veteran
Posts: 3077
Liked: 455 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov

Re: Ransomware attack

Post by wishr » 1 person likes this post

Hi Stephen,

+1 for involving our ransomware response team.

I wanted to say that your case highlights the importance of following the 3-2-1-1-0 rule...

Thanks
Helper1
Lurker
Posts: 1
Liked: never
Joined: May 02, 2023 9:05 pm
Full Name: Helper1

Re: Ransomware attack

Post by Helper1 »

Hi Stephen,
We too were unfortunately hit with LockBit 2.0 but recovered (not decrypted) over 95% of .vbk files (unfortunately not .vib files) - can share how we did it if this would help you - don't want anything in return.