Skip to main content

How can we help you?

Druva Documentation

Recover a ransomeware-affected server using Phoenix

 

 

This article applies to:

  • Windows servers, Windows servers running MS-SQL, and VMware virtual machines with Windows guest operating system, Windows servers running Phoenix CloudCache

Problem description

A ransomeware can affect the server to an extent that:

  • Entire server is not usable
  • A few server volumes are not usable

If a ransomware affects a server, the affected server requires recovery.

Resolution

Following sections describe how to use Phoenix to restore your server data.

File servers 

To restore files and folders:

  1. Restore the operating system on the server and reuse the server name before it crashed.
  2. Download and install the agent, and re-register the server.
  3. After the server is re-registered, restore files and folders using the restore to original location option from the Phoenix Management Console. See Restore a file server to the original server.

To restore data to a different server with a new operating system:

  1. Register the server
  2. Configure the server for backup
  3. Restore data using the restore to alternate location option
Note: Ensure that you select a snapshot that was created before the ransomware affected the server.

MS-SQL servers

To restore databases:

  1. Restore the operating system on the server and reuse the server name before it crashed.
  2. Install MS-SQL server and retain the instance name.
  3. Download and install the agent, and re-register the server
  4. After the server is re-registered, restore databases using restore to original instance option. For more information, see Restore the databases to the original instance

To restore the databases to a different server with a new MS-SQL server instance:

  1. Register the server.
  2. Configure the server for backup and restore.
  3. Restore databases using the restore to alternate location option.

Note: Ensure that you select a snapshot that was created before the ransomware affected the server.

VMware virtual machines

To restore affected virtual machines:

  1. Remove the affected virtual machine from the standalone ESXi host or vCenter server. 
  2. Restore the virtual machine using the restore to alternate location option, and select the ESXi host or vCenter server where you want to restore the virtual machine. For more information, see Restore virtual machine to alternate location.

The Phoenix backup proxy that is already deployed on your standalone ESXi host or vCenter server can restore the virtual machine. 

Note: Ensure that you select a snapshot that was created before the ransomware affected the virtual machine.