
We were hacked and have the Ryuk virus on our SQL server. What would you recommend as the steps to do a rebuild? How do we clean up anything that remains in AD, as well as make sure we have a clean install and avoid any issues with discovery, clients, AD containers, policies, etc.? Are there any articles that deal with this situation? We did not have any redundancy. We have 2 primaries and 1 CAS. Also, is the cd.latest on the primary server usable for reinstallation if it wasn't infected?



First things first: do you have any details of what files were overwritten/infected? And do you have valid, virus-free backups of the database and all other software?


So we have a CAS and a primary at one physical location and a primary at the other. The CAS and its SQL server are completely encrypted at the main location, and the other primary is also completely encrypted. The primary at the main site can be logged into but is in read-only mode and has encrypted files as well, but not the whole system; it seems to be a mix of SCCM and system files. We want to start from scratch but want to be able to remove everything properly, even if it is a completely manual process. We need some good links/instructions. Most of what we found has the servers in good working order. I heard there is a site maintenance tool, but I'm not sure if that is the route we need.


Also, we do not have any good backups. Apparently the last backup restored of the CAS SQL database has some sort of Windows Update error when booting, saying it has over a hundred items in its pending.xml file.


If you have no good backups then you are out of luck. I assume by encrypted you mean it has ransomware encryption of some sort that has run rampant over your two (or more) servers, encrypting random files. If so, you need to start fresh and make sure to focus on security this time. Do you have any idea why it got infected before? And why are there no good backups? That's a recipe for disaster.

By starting fresh I mean a complete server reinstall for each affected server; you must be 100% sure that there are no infected files lingering or you will be back to square one...

Whatever you do, don't pay the ransom. Doing that would mean that the authors profit at your expense, and they will build even worse ransomware which you may get infected with again in the future.
