"You don't just restore a server"

coliver

Is person the boss? Or a coworker?

bbigford

@coliver said in "You don't just restore a server":

Is person the boss? Or a coworker?

Without airing dirty laundry... I'll just say they are in a technical, non-managerial role.

coliver

@BBigford said in "You don't just restore a server":

@coliver said in "You don't just restore a server":

Is person the boss? Or a coworker?

Without airing dirty laundry... I'll just say they are in a technical, non-managerial role.

Then I would explain that restoring from backup is the least costly and most effective means of ensuring that the server is clean when you are done. Sanitizing and decryption leave you with a dirty server that you can't trust.

There is a significant difference between being secure and being lazy.

Grey

@BBigford said in "You don't just restore a server":

@coliver said in "You don't just restore a server":

Is person the boss? Or a coworker?

Without airing dirty laundry... I'll just say they are in a technical, non-managerial role.

coliver

@Grey said in "You don't just restore a server":

@BBigford said in "You don't just restore a server":

@coliver said in "You don't just restore a server":

Is person the boss? Or a coworker?

Without airing dirty laundry... I'll just say they are in a technical, non-managerial role.

Oh god not the son of Dracula.

DustinB3403

@BBigford said in "You don't just restore a server":

You get hit, you restore. Server crashes, you restore. That's why we have backups...

More importantly waiting to restore can actually cause harm. Whoever is wanting to dig thru the server for logs and clean it up must be paid for overtime.

Obsolesce

@BBigford said in "You don't just restore a server":

@coliver said in "You don't just restore a server":

Is person the boss? Or a coworker?

Without airing dirty laundry... I'll just say they are in a technical, non-managerial role.

Maybe he washes off and reuses his toilet paper too?

dbeato

Backups are the only reliable option to do this, if you have snapshots it is even better. You can backup all the bad (encrypted) files and then worry about what Ransomware infection is. Usually I do gather though all the information necessary related to the attack before restoring or wiping

Obsolesce

@dbeato said in "You don't just restore a server":

Backups are the only reliable option to do this, if you have snapshots it is even better. You can backup all the bad (encrypted) files and then worry about what Ransomware infection is. Usually I do gather though all the information necessary related to the attack before restoring or wiping

Yes, the cause of infection is important. What if the infector is a client or admin PC somewhere in the company... you restore the server, and it just gets encrypted again. The source must be found first. Then bare-metal backup the infected server (to look at later)... and restore it from a clean backup.

Mike Davis

I would poke around it long enough to figure out if the server had been logged in to, or if a user's computer encrypted all the files. You don't want it coming right back. Like others said, figure out how it got infected and then restore back before the infection.

scottalanmiller

@BBigford said in "You don't just restore a server":

@coliver said in "You don't just restore a server":

Is person the boss? Or a coworker?

Without airing dirty laundry... I'll just say they are in a technical, non-managerial role.

And will stay that way. I would guess.

scottalanmiller

@DustinB3403 said in "You don't just restore a server":

@BBigford said in "You don't just restore a server":

You get hit, you restore. Server crashes, you restore. That's why we have backups...

More importantly waiting to restore can actually cause harm. Whoever is wanting to dig thru the server for logs and clean it up must be paid for overtime.

Right. Actively creating risk and downtown so that they can "play tech" as if they were at Best Buy.

scottalanmiller

@Mike-Davis said in "You don't just restore a server":

I would poke around it long enough to figure out if the server had been logged in to, or if a user's computer encrypted all the files. You don't want it coming right back. Like others said, figure out how it got infected and then restore back before the infection.

If you want to do that, in 95% of cases, take a fresh backup, isolate it and do that offline in a forensics lab after you deal with getting production back. Just leaving it alive could result in more data leaving the environment.