Volume Shadow Copy Service deleted after ransomware attack - Backup no longer working

Yi E Wang 646 Reputation points


I have a server running SBS server 2008 with exchange server 2007

Earlier this week the server was compromised by a ransomware attack.

The antivirus software on the server was removed from the server by the attack.

I managed to login to the server early enough to stop all files becoming encrypted.

I was able to restore most files from the shadow copy which had just completed about an hour before the attack.

I ran antivirus scans and though I had found and removed the virus but I think it was still working in the background somehow.

When I logged into the server the next day the shadow copies were all gone and also the windows server backup was not working anymore. It looks like the attack has completely disabled/deleted these items so that we cannot restore the server.
I noticed that Shadow copies were no longer working and also volume shadow copy service was missing from services.

If I run VSSAdmin List Writers I am getting a Unexpected Failure - catastrophic failure message.The same if I run Windows Server backup (Catastrophic Failure)
I have tried to re register DLL's as mentioned in other posts. I have also tried to copy the VSS registry from another server and imported into this server. This would not work until I deleted the VSS registry setting from the compromised server and then imported.Also ran SFC.
After doing all of these the Volume Shadow copy service is still not showing in services so I cannot do any more backups.

I have backup drives but the latest backup is now about 1 week old.

What would my option now be ot get the backup working again.

Is there anyway to rebuild/reinstall the VSS Service and shadow copies. (even to copy files from another similar server)

Can I retrieve the registry that was in state before the attack from the backup drive and copy to the server.

Should I perform a restore from the backup drive , however as Exchange is on e the server I would need to backup the mailbox database otherwise we would lose 1 week of email data.

Any advise/suggestions would be appreciated as i need to get backup and shadow copies working again in case of a repeat attack.

TechNet forum original post link:

Windows Small Business Server
Windows Small Business Server
A family of Microsoft server products with messaging and collaboration, security-enhanced internet access, protected data storage, reliable printing, faxing, and the ability to run line-of-business applications. Replaced by Windows Server Essentials.
36 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jenny Yan-MSFT 9,301 Reputation points


    System re-installation might be necessary if SFC and system restore is not helpful. If you want to keep current file and configuration, migration can be considered.

    If it is the only one server device on your environment, you may build a VM as intermediate conversion:
    Build SBS on the VM -> migrate from problematic SBS to VM -> re-install original SBS -> migrate back from VM to SBS.

    Please note that, system health is one of pre-requirements for successful migration.

    0 comments No comments

0 additional answers

Sort by: Most helpful