Solved

MediaAgent recovery after a ransomware attack

  • January 31, 2022

Juergen

Hello,

We have ransomware protection enabled on our MediaAgents! But in case of an attack we could lose the MediaAgent OS and no longer have access to the libraries. The MediaAgents have local disks for the disk libraries.

What kind of backup should I have to quickly recover an MA from a different MA, without losing the backup data on the local disks of the impacted MediaAgent?

What is the fastest restore? Will 1-Touch non-interactive clean all disks first?

We are running V11SP24.25; the MediaAgents are Dell servers.


Thanks 

Juergen

Best answer by Laurent

Hi @Juergen,

Very interesting question!

The first answer would be to make sure that you activate the ‘Anti Ransomware protection’ on all the MAs. This lowers the risk of having them corrupted/encrypted. Though if by some other way the cryptolocker gains administrator/root privileges, this could lead to encryption.

And it’s in that case that following the backup best practices (like 3/2/1 or 3/2/2), such as having at least one more copy of your backups stored on another device, would really help.

If your MA has direct storage, then if the MA is encrypted, the storage/disklib would most likely be affected.

If you can have a NAS/S3-like device, this would lower the risk of having them encrypted as well. And using offline devices like the good old LTO tapes is better than nothing when all disks are encrypted.

Also, if possible, perform DASH copies from your MAs to some other geographical/cloud locations.


I experienced such a cryptolocker attack, and at that time, the Windows MAs where anti-ransomware protection was activated had their local disk library saved and untouched. The OS, the locally hosted DDB, index cache and job results were all encrypted.

So I had to have an offline USB device with my source OS to reinstall, then my Commvault sources to deploy the MA (and all concerned roles), a reconfiguration of device letters in the OS and through the CommServe console, and then I could read the disklib to start restoring.

Note: we took the time to fully restore our backups before taking the time to reconfigure the MA for backup, as for backup the DDB and index had to be online, which they were not after the encryption. There, we performed DDB reconstruction from the backups + disklib.


I had configured a simple FS backup of the MA, excluding all the Commvault volumes except the Commvault sources, weekly, to make sure any driver, source, or anything else held on this server could be restored if needed. But in fact, it was useless, except to get a few drivers back.


Hope this helps you, or anyone else :wink:.
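The answer above boils down to a small policy check: the 3/2/1 (or 3/2/2) rule plus the extra question "does at least one copy survive if the MediaAgent OS itself is fully compromised?". The following is an added example, not code from the thread or from Commvault; the copy names, sites and the `writable_from_ma` flags are constructed assumptions that model the layouts Laurent describes (local disklib, NAS share, DASH copy to another location, offline LTO).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str              # "disk", "nas", "s3", "cloud", "tape"
    site: str               # geographical location of the copy
    writable_from_ma: bool  # True if an admin-level compromise of the MA OS could encrypt it
    offline: bool = False   # True for air-gapped media such as an ejected LTO tape


def assess_copies(copies, ma_site, offsite_required=1):
    """Check a set of copies against the 3-2-N rule (N off-site copies) and against
    the scenario in the thread: the MediaAgent OS is fully compromised."""
    violations, warnings = [], []
    if len(copies) < 3:
        violations.append(f"only {len(copies)} of 3 required copies")
    media = {c.media for c in copies}
    if len(media) < 2:
        violations.append("only one media type, 2 required")
    offsite = sum(1 for c in copies if c.site != ma_site)
    if offsite < offsite_required:
        violations.append(f"{offsite} off-site copies, {offsite_required} required")
    # The local disklib survived in Laurent's case only thanks to the anti-ransomware
    # driver; a copy that root on the MA can write to must not be the only one.
    if all(c.writable_from_ma for c in copies):
        violations.append("every copy can be encrypted from the MediaAgent OS")
    if not any(c.offline for c in copies):
        warnings.append("no offline copy to fall back on if all disks are encrypted")
    return {"violations": violations, "warnings": warnings}


# Constructed sample layouts (hypothetical names and sites, not from the thread).
LOCAL_ONLY = [BackupCopy("ma01-disklib", "disk", "dc1", writable_from_ma=True)]
LAYERED = [
    BackupCopy("ma01-disklib", "disk", "dc1", writable_from_ma=True),
    BackupCopy("nas01-share", "nas", "dc1", writable_from_ma=True),  # mounted share, still reachable
    BackupCopy("dash-copy-ma02", "cloud", "cloud-region", writable_from_ma=False),
    BackupCopy("lto-weekly", "tape", "offsite-vault", writable_from_ma=False, offline=True),
]

if __name__ == "__main__":
    for label, layout in (("local only", LOCAL_ONLY), ("layered", LAYERED)):
        print(label, assess_copies(layout, "dc1"))
```

Passing `offsite_required=2` evaluates the 3/2/2 variant mentioned in the answer.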
