Druva Documentation

How to check if your inSync Server is affected by Ransomware and restore the data for the impacted device?

 

 

This article applies to:

  • OS: Windows
  • Product edition: inSync Server On-Premises

This article provides steps to verify whether your inSync Server is affected by Ransomware and to restore data for the affected devices.

Steps to check inSync Server for Ransomware

  1. If you have access to the server on which inSync Master server or inSync Storage Node is installed, check if the following folders are accessible:
    • C:\ProgramData\Druva\inSyncCloud
    • Storage Directories: Data, Database, Database Logs
      Note: The above paths apply to both the inSync Master server and the inSync Storage Node server.
  2. Identify the location of the Storage directories from the inSync Management Console.
    1. Log on to the inSync Management Console.
    2. Click Manage > Storage List.
    3. Click the Storage name.
    4. Under the Summary tab > Data Storage Details, check the location of the Data folder.
    5. Under the Performance & Compaction tab, check the Database folder and Database log folder.
  3. Go to the location of the inSync Cloud Storage directories and check if the files are encrypted or have an unknown extension.
    Note: From the directories, try to open any .cfg files or .log files and check if you see any garbage content.
    The following images are examples of how files appear when not impacted by ransomware.

    inSyncCloud subfolders and files on an inSync Master server
    inSyncCloudSubFolders.png


    inSyncServer4 subfolders and files on inSync Master server
    inSyncServer4Subfolder.png
  4. Verify the storage components.
     
    The following images are examples of how storage components appear when not impacted by ransomware.
     
    Data folder 
    inSyncDataFolder.png

    Data files inside druva.com folder 
    inSyncDataFilesInsideDruva.png
     
    Database files 
    inSyncDatabaseFiles.png
     
    Database log files

    inSyncDatabaseLogFiles.png 

  5. If you suspect that any of the files and folders are affected by ransomware, isolate the affected server from the network immediately, and contact Druva Technical Support for further assistance. 
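
Steps 1 and 3 above can also be run as a read-only PowerShell pass over the same folders. The script below is an added example, not a Druva tool: the -Roots parameter, the 4 KB sample size and the 0.9 text threshold are assumptions, and only the C:\ProgramData\Druva\inSyncCloud path comes from this article.

```powershell
# Added example, not Druva tooling. Read-only: files are opened for reading only.
# Pass the Data, Database and Database Logs locations from the Management
# Console via -Roots; only the inSyncCloud path below comes from the article.
param(
    [string[]]$Roots = @('C:\ProgramData\Druva\inSyncCloud'),
    [int]$SampleBytes = 4096,       # assumption: the first 4 KB is representative
    [double]$MinTextRatio = 0.9     # assumption: threshold for "reads as text"
)

function Get-TextRatio([string]$Path, [int]$Count) {
    # Share of printable ASCII, tab, CR and LF bytes at the start of the file.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buffer = New-Object byte[] $Count
        $read = $stream.Read($buffer, 0, $Count)
    } finally { $stream.Dispose() }
    if ($read -eq 0) { return 1.0 }  # empty file: nothing to judge
    $printable = 0
    for ($i = 0; $i -lt $read; $i++) {
        $b = $buffer[$i]
        if (($b -ge 32 -and $b -le 126) -or $b -in @(9, 10, 13)) { $printable++ }
    }
    return $printable / $read
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Folder not accessible: $root"   # step 1 of the article
        continue
    }
    $files = Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue

    # Extension counts, so an unknown extension on many files stands out.
    Write-Host "Extensions under $root"
    $files | Group-Object Extension | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize | Out-Host

    # .cfg and .log files whose leading bytes do not read as text (step 3).
    $textFiles = $files | Where-Object { $_.Extension -in @('.cfg', '.log') }
    foreach ($f in $textFiles) {
        try { $ratio = Get-TextRatio $f.FullName $SampleBytes }
        catch { Write-Warning "Could not read $($f.FullName): $_"; continue }
        if ($ratio -lt $MinTextRatio) {
            [pscustomobject]@{ File = $f.FullName; TextRatio = [math]::Round($ratio, 2)
                               LastWrite = $f.LastWriteTime }
        }
    }
}
```

A file that has had an extra extension appended no longer ends in .cfg or .log, so it appears in the extension counts rather than in the flagged list. Flagged files are candidates to open by hand; the check assumes ASCII or UTF-8 text.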

How to restore data for a Ransomware-impacted device using Druva inSync On-Premises?

Steps to restore data directly to the device

Ensure that the device has been cleaned after the ransomware attack.

  1. Install and activate the inSync Client. 
  2. After activation, open the inSync Client.
  3. Click on the Restore icon and select the device from which you want to restore the data.
  4. Choose the snapshot from which you want to restore the data.
  5. Right-click on the folder you want to restore, and click Restore.
  6. Choose the appropriate device and location, and click Ok. The restore will begin.

Alternatively, you can restore data using the inSync On-Premises Management Console.

Steps to restore data using the inSync On-Premises Management Console

  1. Log in to the inSync On-Premises Management Console.
  2. On the console menu bar, click Availability > Restore.

    inSyncRestoreMenu.png
     
  3. Use the Search box in the top right corner to find the affected user.

    SearchBox.png
     
  4. Select the user and click Restore at the bottom of the page.
  5. Select the device from which you want to restore the data.

    SelectDevice.png
     
  6. Choose the appropriate snapshot from which you want to restore the data.

    SnapShots.png
     
  7. In the right-hand pane, select the folder that you wish to restore.

    FolderToRestore.png
     
  8. Click Download.

    ClickDownload.png

The data download will begin.

Please contact Druva Technical Support if you encounter any issues.