I have a server running SBS Server 2008 with Exchange Server 2007.
Earlier this week the server was compromised by a ransomware attack.
The antivirus software on the server was removed from the server by the attack.
I managed to login to the server early enough to stop all files becoming encrypted.
I was able to restore most files from the shadow copy which had just completed about an hour before the attack.
I ran antivirus scans and thought I had found and removed the virus, but I think it was still working in the background somehow.
When I logged into the server the next day the shadow copies were all gone and also Windows Server Backup was not working anymore. It looks like the attack has completely disabled/deleted these items so that we cannot restore the server.
I noticed that Shadow copies were no longer working and also volume shadow copy service was missing from services.
If I run VSSAdmin List Writers I am getting an "Unexpected Failure - catastrophic failure" message. The same if I run Windows Server Backup (Catastrophic Failure).
I have tried to re-register DLLs as mentioned in other posts. I have also tried to copy the VSS registry from another server and import it into this server. This would not work until I deleted the VSS registry setting from the compromised server and then imported. Also ran SFC.
After doing all of these the Volume Shadow copy service is still not showing in services so I cannot do any more backups.
I have backup drives but the latest backup is now about 1 week old.
What would my options now be to get the backup working again?
Is there any way to rebuild/reinstall the VSS service and shadow copies (even to copy files from another similar server)?
Can I retrieve the registry that was in the state before the attack from the backup drive and copy it to the server?
Should I perform a restore from the backup drive? However, as Exchange is on the server I would need to back up the mailbox database, otherwise we would lose 1 week of email data.
Any advice/suggestions would be appreciated as I need to get backup and shadow copies working again in case of a repeat attack.
TechNet forum original post link:
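The post describes three symptoms worth checking together: the VSS service no longer appearing in services.msc, `vssadmin list writers` returning a catastrophic failure, and shadow copies disappearing. The following PowerShell script is an added example (not code from the original post or from Microsoft) that gathers those checks into one health probe and keeps a running log, so that a repeat deletion of shadow copies is noticed the next time the check runs rather than days later. It assumes it is run elevated on the affected SBS 2008 host, uses only cmdlets and tools available in PowerShell 2.0 (`Get-Service`, `Get-WmiObject Win32_ShadowCopy`, `vssadmin`), and the log and state file paths are assumptions you should change.

```powershell
# Added example: VSS/shadow-copy health probe for a Windows Server 2008 era host.
# Not from the original post. Run elevated. Paths below are assumptions.
$LogPath   = 'C:\Admin\vss-health.log'          # assumed log location
$StatePath = 'C:\Admin\vss-last-count.txt'      # assumed file holding last shadow copy count

function Test-VssHealth {
    $r = @{}

    # 1. Service definition: the post reports VSS missing from services.msc.
    $svc = Get-Service -Name VSS -ErrorAction SilentlyContinue
    $r.ServicePresent = ($svc -ne $null)
    if ($svc) { $r.ServiceStatus = [string]$svc.Status } else { $r.ServiceStatus = 'MISSING' }

    # 2. The registry key that defines the service; without it the service cannot be listed.
    $r.ServiceKeyPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS'

    # 3. Writers: "Unexpected Failure"/"catastrophic" is the symptom from the post.
    $writersOut = (& vssadmin list writers 2>&1 | Out-String)
    $r.WritersOk = ($writersOut -notmatch 'Unexpected Failure|catastrophic|0x8000FFFF')

    # 4. Existing shadow copies via WMI (Win32_ShadowCopy exists on Server 2008).
    $copies = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $r.ShadowCopyCount = $copies.Count

    # 5. Compare against the previous run: a drop to zero is the pattern ransomware leaves.
    $previous = $null
    if (Test-Path $StatePath) { $previous = [int](Get-Content $StatePath | Select-Object -First 1) }
    $r.PreviousCount = $previous
    $r.CopiesDropped = ($previous -ne $null -and $previous -gt 0 -and $r.ShadowCopyCount -eq 0)

    return $r
}

function Write-VssHealthLog {
    param([hashtable]$Health)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $line  = '{0} service={1} status={2} regkey={3} writersOk={4} shadowCopies={5} previous={6} dropped={7}' -f `
        $stamp, $Health.ServicePresent, $Health.ServiceStatus, $Health.ServiceKeyPresent, `
        $Health.WritersOk, $Health.ShadowCopyCount, $Health.PreviousCount, $Health.CopiesDropped
    Add-Content -Path $LogPath -Value $line

    # Persist the current count for the next comparison.
    Set-Content -Path $StatePath -Value $Health.ShadowCopyCount

    # Surface the conditions an operator must act on.
    if (-not $Health.ServicePresent -or -not $Health.ServiceKeyPresent) {
        Write-Warning 'VSS service definition is missing; backups cannot run until it is restored.'
    }
    if (-not $Health.WritersOk) {
        Write-Warning 'vssadmin list writers failed; VSS infrastructure is not functional.'
    }
    if ($Health.CopiesDropped) {
        Write-Warning 'Shadow copy count dropped to zero since the last run; investigate for deletion.'
    }
    return $line
}

# Run the probe and log the result.
$health = Test-VssHealth
Write-VssHealthLog -Health $health
```

Schedule the script (Task Scheduler, running as an administrator) to run every hour or so; the log then shows exactly when the service definition or the shadow copies went away, which is far more useful after an incident than discovering it the next morning. The writer check reads the tool's text output, so if the host uses a non-English locale the failure strings in the `-notmatch` pattern will need adjusting.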