
Is Core Protected By Proprietary File Types?

In August we got whacked by ransomware (Lukitus). Yesterday, completely by chance, I was poking around on the core server and found some encrypted files. I searched the whole server and found many more. Nothing runs on this machine but the O/S (Server 2012) and RR.

Looking at the repository, it appears that some config files got encrypted but that RR just made new ones? The other, larger (proprietary) files like ids, map, etc. all seem untouched. Everything still runs fine and the recovery points from that date range have long since cycled out. The base images are from long before.

Do I hose this whole core and start over or just leave it alone? Making three new base images and a new chain for no compelling reason does not really appeal to me.

  • The repository files are locked by the RR Core service while the service is on and running. The ransomware can't access the repo files to encrypt them. That's why they were untouched.

    If the infection is still on your RR Core, then stopping the service would threaten the repository files. If you're confident that the infection has been eradicated, you can leave things alone but that is risky.

    My recommendation would be to wipe and clean the system to be sure that no infection exists. If you're confident the repository drives are infection free, you can then open the repository on the new core. If you have offsite backups using replication, it's safer to just hose this old core and start from scratch because the ransomware was on that system at one point.

  • I have stopped the service and machine probably 10 times since August. I have also recovered dozens of files for machines all over the network since then with no sign of problem anywhere.

    We get whacked pretty often since we are attached to a HUGE network, most of which is outside of my control. I am confident that it is not infected. Every time we get hit it's over in minutes at most. It's always been a different variant and I always find the source, so I'm sure it's not lingering.

    I appreciate the point and don't disagree but since the machine acts as the repository recreating it would be a huge PITA.
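As an added illustration of the first reply's point (not code from this thread or from the RR product), the PowerShell below shows why a file held open without sharing cannot be written by another process, and wraps the same probe as a check an administrator can run over the repository folder to list files that are not currently held by the service. The repository path and the temp file are placeholders.

```powershell
# Added example, not from the thread: demonstrates Windows share-mode locking and
# uses it as a check for repository files that are not held open by the service.

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Try to open the file read/write with no sharing. If another process (for
    # example the RR Core service) already holds it open without sharing, this
    # raises a sharing violation (IOException) and we never touch the contents.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false   # no other process holds it; any process could rewrite it
    } catch [System.IO.IOException] {
        return $true    # sharing violation: the file is held by another process
    }
}

# Demonstration: hold a constructed temp file the way a running service would,
# then probe it while the handle is open and again after it is released.
$demo = Join-Path $env:TEMP 'lock-demo.bin'
Set-Content -LiteralPath $demo -Value 'constructed sample data'

$holder = [System.IO.File]::Open($demo, 'Open', 'ReadWrite', 'None')
try {
    # While $holder is open, the second open attempt gets a sharing violation.
    "Held by service-style handle, locked: $(Test-FileLocked $demo)"
} finally {
    $holder.Close()
}
"Handle released, locked: $(Test-FileLocked $demo)"
Remove-Item -LiteralPath $demo

# Defender's check: list repository files that are NOT held by the service.
# These are the files a malicious process could open and overwrite while the
# service is running (the config files in the original post behaved this way).
$repoRoot = 'D:\RR-Repository'   # placeholder: substitute the real repository path
Get-ChildItem -LiteralPath $repoRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-FileLocked $_.FullName) } |
    Select-Object FullName, LastWriteTime, Length
```

Run the repository check only while the RR Core service is up; with the service stopped every file reports as unlocked, which is exactly the exposure the first reply warns about.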