- 
				StephenMok
- Lurker
- Posts: 2
- Liked: 1 time
- Joined: Apr 14, 2022 9:14 am
- Full Name: Stephen Mok
- Contact:
Ransomware attack
The Veeam backup server is encrypted by ransomware; however, luckily, the backup repositories are not encrypted.
Would it be possible to build a new Veeam server to restore those backups? What do we need to restore them, provided that the old AD service no longer exists?
Thank you
- 
				wishr
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Ransomware attack
Hi Stephen,
Welcome to Veeam R&D Forums and sad to hear you have faced that situation.
Do you have a configuration backup? If so, you may install VBR on whatever machine you have, restore the configuration database and then start restoring your data.
If you don't have it, you may spin up a new VBR server and add the existing repository there, then restore the data. You may need to do a repository re-scan to get the backups to appear in the console.
Another way is to use Extract Utility - in this case, you don't need to have a backup server at all.
Thanks
- 
				soncscy
- Veteran
- Posts: 643
- Liked: 314 times
- Joined: Aug 04, 2019 2:57 pm
- Full Name: Harvey
- Contact:
Re: Ransomware attack
If you also handled DNS with your AD, you might need to temporarily do some hosts file edits also to handle resolution until you get DNS up and running again, just pointing it at the virtualization environment's current IP.
						- 
				StephenMok
- Lurker
- Posts: 2
- Liked: 1 time
- Joined: Apr 14, 2022 9:14 am
- Full Name: Stephen Mok
- Contact:
Re: Ransomware attack
Thank you guys. We finally found that some of our repositories were encrypted too; we are now looking for a service that can decrypt LockBit 2.0.
						- 
				micoolpaul
- VeeaMVP
- Posts: 387
- Liked: 157 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
- Contact:
Re: Ransomware attack
Hi Stephen,
Have you engaged with Veeam support? They have a team that focuses on ransomware response. They won’t be decrypting LockBit, but they could help try to identify any functional backups etc.
If this is your first dealing with ransomware, it’s good to get some expert support alongside you.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
- 
				wishr
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Ransomware attack
Hi Stephen,
+1 for involving our ransomware response team.
I wanted to say that your case highlights the importance of following the 3-2-1-1-0 rule...
Thanks
- 
				Helper1
- Lurker
- Posts: 1
- Liked: never
- Joined: May 02, 2023 9:05 pm
- Full Name: Helper1
- Contact:
Re: Ransomware attack
Hi Stephen,
We too were unfortunately hit with LockBit 2.0 but recovered (not decrypted) over 95% of .vbk files (unfortunately not .vib files) - can share how we did it if this would help you - don't want anything in return.