All Collections
Knowledge Base
Enterprise Workloads
Troubleshooting - Enterprise Workloads
Recover a ransomeware-affected server using Phoenix
Recover a ransomeware-affected server using Phoenix
Updated over a week ago

πŸ“ Note
​This article applies to

  • Windows servers, Windows servers running MS-SQL, and VMware virtual machines with Windows guest operating system, Windows servers running Phoenix CloudCache

Problem description

A ransomeware can affect the server to an extent that:

  • Entire server is not usable

  • A few server volumes are not usable

If a ransomware affects a server, the affected server requires recovery.

Resolution

Following sections describe how to use Phoenix to restore your server data.

File servers

To restore files and folders:

  1. Restore the operating system on the server and reuse the server name before it crashed.

  2. Download and install the agent, and re-register the server.

  3. After the server is re-registered, restore files and folders using the restore to original location option from the Phoenix Management Console. See Restore a file server to the original server.

To restore data to a different server with a new operating system:

  1. Register the server

  2. Configure the server for backup

  3. Restore data using the restore to alternate location option

πŸ“ Note
​Ensure that you select a snapshot that was created before the ransomware affected the server.

MS-SQL servers

To restore databases:

  1. Restore the operating system on the server and reuse the server name before it crashed.

  2. Install MS-SQL server and retain the instance name.

  3. Download and install the agent, and re-register the server.

  4. After the server is re-registered, restore databases using restore to original instance option. For more information, see Restore the databases to the original instance.

To restore the databases to a different server with a new MS-SQL server instance:

  1. Register the server.

  2. Configure the server for backup and restore.

  3. Restore databases using the restore to alternate location option.

πŸ“ Note
​Ensure that you select a snapshot that was created before the ransomware affected the server.

VMware virtual machines

To restore affected virtual machines:

  1. Remove the affected virtual machine from the standalone ESXi host or vCenter server.

  2. Restore the virtual machine using the restore to alternate location option, and select the ESXi host or vCenter server where you want to restore the virtual machine. For more information, see Restore virtual machine to alternate location.

The Phoenix backup proxy that is already deployed on your standalone ESXi host or vCenter server can restore the virtual machine.

πŸ“ Note
​Ensure that you select a snapshot that was created before the ransomware affected the virtual machine.

Related Articles
Restore MS SQL Server databases on VMware virtual machines
How to use the vCenterDetail utility
How to delete an existing vCenter or ESXi setup
User Guide - Preparing your environment for successful Druva VMware Restore
The size of the Snapshot on the Storage after a Linux File Server Backup is multiple times (more than 10x) bigger than the original Linux File Server
Did this answer your question?