Hi @Juergen
Very interesting question!
The first answer would be to make sure that you activate the ‘Anti Ransomware protection’ on all the MAs. This lowers the risk of having it corrupted/encrypted. Though if by some other way the cryptolocker gains administrator/root privileges, this could lead to encryption.
And it’s in that case that following the backup best practices (like 3/2/1 or 3/2/2), such as having at least another copy of your backups stored on another device, would really help.
If your MA has direct storage, then if the MA is encrypted, the storage/disklib would mostly be affected.
If you can have a NAS/S3-like device, this would also lower the risk of having them encrypted. And using offline devices like the good old LTO tapes is better than nothing when all disks are encrypted.
Also, if possible, perform DASH copies from your MAs to some other geographical/cloud locations.
I experienced such a cryptolocker attack, and at that time, the Windows MAs where antiransomware protection was activated had their local disk library saved and untouched. The OS, the locally hosted DDB, indexcache and jobresults were all encrypted.
So I had to have an offline USB device with my source OS to reinstall, then my Commvault sources to deploy the MA (and all concerned roles), a reconfiguration of device letters on the OS and through Commserve Console, and I could read the disklib to start restoring.
Note: we took time to fully restore our backups before taking time to reconfigure the MA for backup, as for backup the DDB and index had to be online, which they were not after the encryption. There, we performed DDB reconstruction from the backups + disklib.
I had configured a simple FS backup of the MA, excluding all the Commvault volumes except the Commvault sources, weekly, to make sure any driver, source, or anything else held on this server could be restorable if needed. But in fact, it was useless, except to get a few drivers back.
Hope this helps you, or anyone else.