Solved

MediaAgent recovery after a ransomware attack

  • 31 January 2022
  • 1 reply
  • 346 views


Hello,

We have ransomware protection enabled on our MediaAgents! But in case of an attack we could lose the MediaAgent OS and not have access to the libraries. MediaAgents have local disks for disk libraries.

What kind of backup should I have to quickly recover a MA from a different MA, without losing the backup data on the local disks of the impacted MediaAgent?

What is the fastest restore? Will 1-Touch non-interactive clean all disks first?

We are running V11SP24.25; MediaAgents are Dell servers.


Thanks 

Juergen

Best answer by Laurent 31 January 2022, 10:31


Hi @Juergen,

Very interesting question!

The first answer would be to make sure that you activate the ‘Anti Ransomware protection’ on all the MAs. This lowers the risk of having it corrupted/encrypted. Though if by some other way the cryptolocker gains administrator/root privileges, this could lead to encryption.

And it’s in that case that following the backup best practices (like 3/2/1 or 3/2/2), such as having at least another copy of your backups stored on another device, would really help.

If your MA has direct storage, then if the MA is encrypted, the storage/disklib would mostly be affected.

If you can have a NAS/S3-like device, this would lower the risk of having them encrypted too. And using offline devices like the good old LTO tapes is better than nothing when all disks are encrypted.

Also, if possible, perform DASH copies from your MAs to some other geographical/cloud locations.


I experienced such a cryptolocker attack, and at that time, the Windows MAs where anti-ransomware protection was activated had their local disk library saved and untouched. The OS, the locally hosted DDB, index cache and job results were all encrypted.

So I had to have an offline USB device with my source OS to reinstall, then my Commvault sources to deploy the MA (and all concerned roles), a reconfiguration of drive letters on the OS and through the CommServe console, and I could read the disklib to start restoring.

Note: we took the time to fully restore our backups before taking the time to reconfigure the MA for backup, as for backup the DDB and index had to be online, which they were not after the encryption. There, we performed DDB reconstruction from the backups + disklib.


I had configured a simple FS backup of the MA, excluding all the Commvault volumes except the Commvault sources, weekly, to make sure any driver, source, or anything else held on this server could be restored if needed. But in fact, it was useless, except for getting a few drivers back.


Hope this helps you, or anyone else :wink: .
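The drive-letter reconfiguration step in the recovery described above is where a rebuilt MediaAgent most easily ends up pointing at the wrong volumes, so it pays to have the mapping recorded before an incident. As an added example (not from the original post or from Commvault), here is a PowerShell script that exports each lettered volume's disk serial number, GPT partition GUID, offset and label to a JSON file, and after an OS reinstall reapplies the letters from that file. The file path, the Export/Apply switch and the function names are assumptions; keep the exported file off-box, together with the offline install media the reply mentions.

```powershell
# Added example: snapshot a MediaAgent's volume-to-disk mapping before an incident,
# then reapply drive letters after an OS rebuild. Assumes Windows Server with the
# Storage module (Get-Disk / Get-Partition / Get-Volume / Set-Partition) and an
# elevated session. $MapFile is a hypothetical path; store the export off-box.
param(
    [ValidateSet('Export', 'Apply')] [string]$Mode = 'Export',
    [string]$MapFile = 'C:\Temp\ma-volume-map.json'
)

function Export-VolumeMap {
    # Only partitions that currently carry a drive letter (skip unassigned ones).
    $map = foreach ($p in Get-Partition | Where-Object { [string]$_.DriveLetter -match '^[A-Z]$' }) {
        $d = Get-Disk -Number $p.DiskNumber
        [pscustomobject]@{
            DiskSerial    = $d.SerialNumber
            PartitionGuid = $p.Guid        # GPT partition GUID, stable across reinstalls
            Offset        = $p.Offset      # fallback identity for MBR disks
            DriveLetter   = [string]$p.DriveLetter
            Label         = (Get-Volume -Partition $p).FileSystemLabel
        }
    }
    $map | ConvertTo-Json | Set-Content -Path $MapFile -Encoding UTF8
    return $map
}

function Restore-VolumeMap {
    $map = Get-Content -Path $MapFile -Raw | ConvertFrom-Json
    foreach ($entry in $map) {
        # Locate the partition by GUID first, else by disk serial + offset.
        $p = Get-Partition | Where-Object { $_.Guid -eq $entry.PartitionGuid }
        if (-not $p) {
            $disk = Get-Disk | Where-Object { $_.SerialNumber -eq $entry.DiskSerial }
            if ($disk) { $p = Get-Partition -DiskNumber $disk.Number | Where-Object { $_.Offset -eq $entry.Offset } }
        }
        if (-not $p) { Write-Warning "No partition found for $($entry.DriveLetter): ('$($entry.Label)')"; continue }
        if ([string]$p.DriveLetter -eq $entry.DriveLetter) { continue }   # already correct
        # Never steal a letter that the rebuilt OS is already using (e.g. the system volume).
        if (Get-Volume -DriveLetter $entry.DriveLetter -ErrorAction SilentlyContinue) {
            Write-Warning "Letter $($entry.DriveLetter): is in use; skipping '$($entry.Label)'"; continue
        }
        Set-Partition -InputObject $p -NewDriveLetter $entry.DriveLetter
        Write-Host "Assigned $($entry.DriveLetter): to '$($entry.Label)'"
    }
}

if ($Mode -eq 'Export') { Export-VolumeMap | Format-Table -AutoSize } else { Restore-VolumeMap }
```

Run it with `-Mode Export` on the healthy MediaAgent on a schedule, and with `-Mode Apply` on the rebuilt OS before re-adding the disk library paths in the CommServe console, then verify the mount paths are readable before any DDB reconstruction.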