SQL Server 2016 mdf encrypted by ransomware

  • helder-filipe

    SSC-Addicted

    Points: 472

    Hi,

I'm an accidental DBA and had a ransomware attack today.

I stopped the attack, but it encrypted the mdf file, not the log.

I have a backup from yesterday, so I "only" need to recover a few hours of transactions.

    However, is it possible to use the log to "rebuild" the mdf up to date?

    Thanks for your time!

  • Lowell

    SSC Guru

    Points: 323463

SQL Server has a lock on the mdf/ndf/ldf files because they are in use, so are you really, really sure the mdf was encrypted?

Is the database currently up and online, or was the SQL service stopped so the ransomware could access the files? Are you able to take a log backup right now? If you can take a log backup now, you could have a 'tail' backup that contains all the transactions up to the moment the log backup completes, with no data loss.

What is the recovery model of the database? Do you have a chain of backups?

This would be a typical disaster recovery scenario:

Restore the full backup WITH NORECOVERY, probably under a new database name so they are side by side.

Restore multiple transaction logs, WITH NORECOVERY, and the last log would be restored WITH STOPAT, where the time is the point you want to get the data up to (i.e. 2020-09-08 13:17:00).

There are some prerequisites to that restore, though!

You can only use the log if the database is in FULL or BULK LOGGED recovery and you have some full + log backups.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
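The tail-log backup and the side-by-side restore chain Lowell outlines, written out as T-SQL. This is an added example, not code from the original thread; the database name [Sales], the logical file names, the backup paths under D:\Backups\ and the STOPAT time are all assumptions chosen for illustration. Two caveats a practitioner should keep in mind: the restore chain needs every log backup since the full backup (one missing file breaks the chain), and a point-in-time STOPAT cannot land inside a log backup that contains minimally logged operations, which is the cost of the BULK_LOGGED model.

```sql
-- Added example (not from the original thread). Assumed names: database [Sales],
-- logical files Sales / Sales_log, backups under D:\Backups\, restore target [Sales_Recovered].

-- Step 0: confirm the prerequisite Lowell lists. Only FULL or BULK_LOGGED has a usable log chain.
SELECT name, state_desc, recovery_model_desc
FROM sys.databases
WHERE name = N'Sales';

-- Step 1: if the instance is still up, take a tail-log backup BEFORE anything else.
--   NO_TRUNCATE lets the log be backed up even when the data file is damaged or unreachable,
--   so the transactions since the last log backup are not lost.
BACKUP LOG [Sales]
    TO DISK = N'D:\Backups\Sales_tail.trn'
    WITH NO_TRUNCATE, INIT;

-- Step 2: make sure the backups themselves were not touched by the ransomware.
RESTORE VERIFYONLY FROM DISK = N'D:\Backups\Sales_full.bak';
RESTORE VERIFYONLY FROM DISK = N'D:\Backups\Sales_tail.trn';

-- Step 3: restore last night's full backup under a new name, side by side with the original.
--   NORECOVERY leaves the copy in RESTORING state so logs can still be applied.
--   MOVE is required because the original files are still in use at their old paths.
RESTORE DATABASE [Sales_Recovered]
    FROM DISK = N'D:\Backups\Sales_full.bak'
    WITH NORECOVERY,
         MOVE N'Sales'     TO N'D:\Data\Sales_Recovered.mdf',
         MOVE N'Sales_log' TO N'D:\Logs\Sales_Recovered.ldf';

-- Step 4: apply every log backup taken since the full backup, in order, still WITH NORECOVERY.
RESTORE LOG [Sales_Recovered] FROM DISK = N'D:\Backups\Sales_log_01.trn' WITH NORECOVERY;
RESTORE LOG [Sales_Recovered] FROM DISK = N'D:\Backups\Sales_log_02.trn' WITH NORECOVERY;

-- Step 5: apply the tail with STOPAT set to just before the encryption started, so the
--   ransomware's own writes are excluded, then RECOVERY brings the copy online.
RESTORE LOG [Sales_Recovered]
    FROM DISK = N'D:\Backups\Sales_tail.trn'
    WITH STOPAT = N'2020-09-08 13:17:00', RECOVERY;

-- Check the chain recorded in msdb: each backup's first_lsn should fall within the previous
--   backup's first_lsn..last_lsn range, otherwise there is a gap and the restore will fail.
SELECT database_name, type, backup_start_date, backup_finish_date, first_lsn, last_lsn
FROM msdb.dbo.backupset
WHERE database_name = N'Sales'
ORDER BY backup_start_date;

-- Check the result: the recovered copy should now be ONLINE next to the original.
SELECT name, state_desc, recovery_model_desc
FROM sys.databases
WHERE name IN (N'Sales', N'Sales_Recovered');
```

STOPAT may also be given on every RESTORE LOG statement rather than only the last one; SQL Server then stops at the first log that reaches the time and ignores the rest, which protects against accidentally recovering past the intended point. Run the restore on an instance you trust is clean; if the backup files lived on the same share the ransomware reached, RESTORE VERIFYONLY is the first thing that tells you whether they survived.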

  • Lowell

    SSC Guru

    Points: 323463

If the database is in SIMPLE recovery mode, it goes back to whether the database is currently accessible or not.

You could restore last night's backup under a new database name and then compare tables to find changes from last night to current.

That's a lot more work, and it depends on whether the original database is accessible or not. I still doubt the file is encrypted if the SQL server was running.

    Lowell


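The SIMPLE-recovery fallback Lowell describes, comparing last night's restored copy against the live database table by table, as an added example that is not part of the original thread. The database names [Sales] and [Sales_LastNight] are assumed, as is a dbo.Orders table with an OrderID primary key for the detailed diff; the first query is generic and is driven from the catalog views, so it works on any database where the same tables exist in both copies.

```sql
-- Added example (not from the original thread). Assumed names: live database [Sales],
-- restored copy [Sales_LastNight] (restored WITH RECOVERY under a new name).

-- Pass 1: which tables changed at all? For every user table present in both databases,
--   compare row counts and count the rows whose full contents exist only in the live copy.
--   EXCEPT treats NULLs as equal, which is what a diff wants.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'UNION ALL SELECT N' + QUOTENAME(s.name + N'.' + t.name, '''') + N' AS table_name, '
    + N'(SELECT COUNT(*) FROM [Sales].' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N') AS live_rows, '
    + N'(SELECT COUNT(*) FROM [Sales_LastNight].' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N') AS backup_rows, '
    + N'(SELECT COUNT(*) FROM (SELECT * FROM [Sales].' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    + N' EXCEPT SELECT * FROM [Sales_LastNight].' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    + N') d) AS new_or_changed_rows' + CHAR(10)
FROM [Sales].sys.tables AS t
JOIN [Sales].sys.schemas AS s ON s.schema_id = t.schema_id
-- only tables that also exist in the restored copy; a table created today has nothing to compare
JOIN [Sales_LastNight].sys.tables AS bt ON bt.name = t.name
JOIN [Sales_LastNight].sys.schemas AS bs ON bs.schema_id = bt.schema_id AND bs.name = s.name
WHERE t.is_ms_shipped = 0;

SET @sql = STUFF(@sql, 1, 10, N'');   -- strip the leading 'UNION ALL ' (10 characters)
EXEC sys.sp_executesql @sql;

-- Pass 2: for a table that did change, classify each difference as an insert, delete or
--   update by keying the two EXCEPT halves on the primary key (assumed: dbo.Orders / OrderID).
WITH live_only AS (
    SELECT OrderID, CustomerID, Amount, Status FROM [Sales].dbo.Orders
    EXCEPT
    SELECT OrderID, CustomerID, Amount, Status FROM [Sales_LastNight].dbo.Orders
),
backup_only AS (
    SELECT OrderID, CustomerID, Amount, Status FROM [Sales_LastNight].dbo.Orders
    EXCEPT
    SELECT OrderID, CustomerID, Amount, Status FROM [Sales].dbo.Orders
)
SELECT COALESCE(l.OrderID, b.OrderID) AS OrderID,
       CASE WHEN b.OrderID IS NULL THEN 'inserted since backup'
            WHEN l.OrderID IS NULL THEN 'deleted since backup'
            ELSE 'updated since backup' END AS change_type,
       b.CustomerID AS old_CustomerID, l.CustomerID AS new_CustomerID,
       b.Amount     AS old_Amount,     l.Amount     AS new_Amount,
       b.Status     AS old_Status,     l.Status     AS new_Status
FROM live_only AS l
FULL OUTER JOIN backup_only AS b ON b.OrderID = l.OrderID
ORDER BY OrderID;
```

Two things to watch when running this for real. SELECT * EXCEPT fails on columns of types that are not comparable (xml, text/ntext/image, geography, geometry); those tables need an explicit column list with the offending columns cast or left out. And the diff tells you what is different, not who changed it: anything the ransomware itself wrote to the live copy shows up as an "update" alongside the legitimate work, so review the changed rows before merging them back rather than copying them wholesale.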

  • Summer90

    SSC-Dedicated

    Points: 32844

There IS a ransomware thing going around affecting SQL Servers.


    https://securityaffairs.co/wordpress/108341/hacking/mrbminer-mssql-miner.html

