SYSVOL files got encrypted via ransomware attack

Rashid Kamal 21 Reputation points
2020-12-15T15:11:44.797+00:00

Dear Experts ,

We faced a ransomware attack recently. It encrypted the files in the SYSVOL folder of our Windows Server 2012 Standard domain controller, which works as the primary domain controller, while two more additional domain controllers with GC enabled are there. What's the easiest way to recover the SysVol folders only?

We have taken a System State Backup of the DC, but it is older; after it was taken, many policies were made and 600+ users were created. If we go with the recovery option, we will have to create them all again, a very hectic job.

Please suggest and share the easiest way to recover only the SysVol from the backup. If there is any option available to reconstruct SysVol from scratch, please suggest it.

I have always benefited from this community and am expecting to again.

Regards,
Kamal


Accepted answer
  1. Anonymous
    2020-12-15T15:35:09.473+00:00

Then you can restore the backup somewhere, then use this one as a guide to replace the contents.
    https://support.microsoft.com/en-us/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain

    --please don't forget to Accept as answer if the reply is helpful--


7 additional answers

Sort by: Most helpful
  1. Anonymous
    2020-12-15T15:18:37.597+00:00

How many domain controllers, and how recent is the backup? The simpler solution may be to turn the existing ones off, restore the recent backup of the PDCe, and rebuild the other domain controllers.

    --please don't forget to Accept as answer if the reply is helpful--


  2. Rashid Kamal 21 Reputation points
    2020-12-15T15:55:14.077+00:00

Thank you SDPatrick, a bit of explanation is needed. I have studied the link which you referred to.

"How to temporarily stabilize the domain SYSVOL tree": this option is mentioned. If I restore the system state backup to another location and copy the entire contents of SYSVOL as per the mentioned details, will I be able to restore all the files?

    1. Stop FRS on all domain controllers in the domain and set the service to Disabled.
       Manually copy the full set of policies to the following folder on each domain controller:

       \SYSVOL\SYSVOL\dns domain name\policies

    2. Typically, the following two policies are required for authentication:

       Default Domain Controllers Policy {6AC1786C-016F-11D2-945F-00C04fB984F9}
       Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}

       Note: You may have to copy additional policies depending on Group Policy requirements for the environment.

    3. Manually copy all necessary scripts to the following folder:
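The "temporarily stabilize the SYSVOL tree" steps quoted above, scripted as an added example (this is not code from the thread, from the poster, or from the linked Microsoft article). It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module on a domain-joined admin workstation, that the domain still replicates SYSVOL with FRS (the NtFrs service, as the quoted article assumes), that the system state backup has already been restored to an alternate location given by the hypothetical `$RestoredSysvol` path and has been verified clean, and that SYSVOL sits at the default `C:\Windows\SYSVOL\sysvol\<domain>` on every DC. It stops and disables FRS on each writable DC, copies the two well-known default policies (plus any GUIDs passed in `$ExtraPolicyGuids`) from the restored backup into each DC's SYSVOL policy folder, keeps the encrypted originals under a renamed folder for later forensics, and then checks that each copied policy has its GPT.INI in place. Run it with `-WhatIf` first to see what it would touch.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread or the linked KB. Assumes Windows PowerShell 5.1,
# FRS-based SYSVOL replication, a clean backup restored to $RestoredSysvol, and the
# default SYSVOL location on each DC.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical alternate-location restore path (the "sysvol" folder inside the restored SYSVOL)
    [string]$RestoredSysvol = 'D:\Restore\SYSVOL\sysvol',
    # Additional GPO GUIDs to copy if the environment needs more than the two defaults
    [string[]]$ExtraPolicyGuids = @()
)

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName

# Well-known GUIDs quoted from the KB article in the thread
$policies = @(
    '{31B2F340-016D-11D2-945F-00C04FB984F9}',  # Default Domain Policy
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # Default Domain Controllers Policy
) + $ExtraPolicyGuids

# Fail early if the restored backup does not actually contain the policies we need
$source = Join-Path $RestoredSysvol "$domain\Policies"
foreach ($g in $policies) {
    if (-not (Test-Path (Join-Path $source $g))) {
        throw "Policy $g not found in restored backup at $source"
    }
}

# Step 1 (quoted KB): stop FRS on every DC and set the service to Disabled
foreach ($dc in $dcs) {
    $svc = Get-Service -Name NtFrs -ComputerName $dc -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($dc, 'Stop and disable NtFrs')) {
        $svc | Stop-Service -Force
        Set-Service -Name NtFrs -ComputerName $dc -StartupType Disabled
    }
}

# Step 2 (quoted KB): copy the required policies into each DC's SYSVOL policies folder.
# The admin share path below equals the local \SYSVOL\sysvol\<domain>\Policies path the KB names.
$stamp = Get-Date -Format yyyyMMddHHmmss
foreach ($dc in $dcs) {
    $dest = "\\$dc\C$\Windows\SYSVOL\sysvol\$domain\Policies"
    foreach ($g in $policies) {
        $src = Join-Path $source $g
        $dst = Join-Path $dest $g
        if ($PSCmdlet.ShouldProcess("$dc : $g", 'Replace policy folder from restored backup')) {
            # Keep the encrypted copy for incident forensics instead of deleting it
            if (Test-Path $dst) { Rename-Item -Path $dst -NewName "$g.encrypted-$stamp" }
            Copy-Item -Path $src -Destination $dst -Recurse -Force
        }
    }
}

# Verification: every copied policy must carry a GPT.INI on every DC
foreach ($dc in $dcs) {
    foreach ($g in $policies) {
        $gpt = "\\$dc\C$\Windows\SYSVOL\sysvol\$domain\Policies\$g\GPT.INI"
        '{0,-30} {1,-40} GPT.INI present: {2}' -f $dc, $g, (Test-Path $gpt)
    }
}
```

The script stops at the quoted steps: FRS is left disabled, and re-enabling replication or performing the non-authoritative restore mentioned later in the thread is not shown, since those steps are not reproduced on this page. If `Get-Service -Name NtFrs` fails on a DC, that DC is likely using DFS-R for SYSVOL and the FRS-specific procedure quoted here does not apply to it.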

  3. Anonymous
    2020-12-15T15:59:37+00:00

Should work, and it sounds like there's nothing lost in trying. I'd probably copy to one domain controller, then you could do a non-authoritative restore to the others.

    --please don't forget to Accept as answer if the reply is helpful--


  4. Rashid Kamal 21 Reputation points
    2020-12-15T16:10:16.65+00:00

Dear DSPatrick, I will try it and get back to you. I really appreciate your help in this regard.

