Most viruses infect your programs, but ransomware encrypts all your data and demands a large ransom! Most firewalls and anti-virus products cannot prevent it. We recently managed to rescue a client's ERP system from such an attack. Here is how we did it.

One of the major IT distributors in the UAE approached us for help rescuing an Active Directory cum ERP server based on MS SQL. The problem: the server would not boot normally, and all the data files had been renamed to Filename.ext.{randomname@randomdomain.com}.xtbl. The client's factory is an hour's drive from Downtown Dubai, so we agreed not to do a physical check and instead planned a "fresh new install" and a restore from backup.

After we arrived and inspected the systems, we realised that no recent reliable backup was available to restore! The backup the client "thought" existed was an automated backup to a Netgear NAS device connected as iSCSI-attached storage. During the ransomware attack this drive was infected and its files were encrypted as well. The client eventually asked us to recover the server rather than reinstall it, since a reinstall would ruin the chances of recovering the data forever!

The server does not boot normally to the desktop, so we tried safe mode. Well, it boots to safe mode, but there is no Start button and no apps; literally, you cannot run any executable. Luckily we were able to open the task bar. By end-tasking the suspicious programs running in memory we managed to bring Windows Explorer back into operation. After researching "Ransomware fixes" on Google we managed to remove some of the references in the registry and reboot the server normally. We downloaded tools like "RANSOMWARE DECRYPTOR", but none of them helped us recover the data files. Finally, after many days of hard work, we managed to recover the LDF and NDF files of the MS SQL server. How do we back up the LDF and NDF files now? Luckily the system recognised an external USB drive, and we managed to copy them.
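As an added triage example (not code from this post or the client's environment): a small Python script that recognises the `<name>.{<contact>}.xtbl` rename pattern described above, counts affected files per directory and per contact address, and flags the MS SQL database files among them, so you know what the USB copy must contain before touching anything. All paths and addresses in it are constructed samples.

```python
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rename pattern described in the post: <original name>.{<contact address>}.xtbl
XTBL_RE = re.compile(r"^(?P<original>.+)\.\{(?P<contact>[^{}\s]+@[^{}\s]+)\}\.xtbl$", re.IGNORECASE)

# Extensions that matter most on an MS SQL based ERP server (assumed list)
DB_EXTS = {".mdf", ".ndf", ".ldf", ".bak"}

def parse_xtbl_name(name):
    """Return (original_name, contact_address) for a renamed file, or None if it does not match."""
    m = XTBL_RE.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("contact")

def triage(paths):
    """Summarise Windows paths: renamed-file count, contacts seen, hit directories, hit DB files."""
    report = {"encrypted": 0, "contacts": Counter(), "directories": Counter(), "db_files": []}
    for p in paths:
        wp = PureWindowsPath(p)
        parsed = parse_xtbl_name(wp.name)
        if parsed is None:
            continue  # untouched file, nothing to record
        original, contact = parsed
        report["encrypted"] += 1
        report["contacts"][contact.lower()] += 1
        report["directories"][str(wp.parent)] += 1
        if PureWindowsPath(original).suffix.lower() in DB_EXTS:
            report["db_files"].append(str(wp.parent / original))
    return report

def scan_tree(root):
    """Walk a mounted volume (the NAS, or the USB copy) and triage every file found."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in filenames)
    return triage(found)

# Constructed sample listing (not from the incident) in the shape the post describes
SAMPLE_PATHS = [
    r"D:\ERP\Data\ERPDB.mdf.{contact@example.invalid}.xtbl",
    r"D:\ERP\Data\ERPDB_log.ldf.{contact@example.invalid}.xtbl",
    r"D:\ERP\Data\ERPDB_2.ndf.{contact@example.invalid}.xtbl",
    r"\\NAS01\backup\ERPDB_full.bak.{contact@example.invalid}.xtbl",
    r"C:\Windows\System32\notepad.exe",
    r"D:\ERP\Reports\Q1.xlsx.{other@example.invalid}.xtbl",
]
```

Run `scan_tree(r"E:\")` against the mounted copy to get the same report for a real volume; the `db_files` list is the set of original database file names you will need to reassemble.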
