jerrycsakany Posted November 4, 2019
We were hacked and have the Ryuk virus on our SQL server. What would you recommend as the steps to do a rebuild? How do we clean up anything that remains in AD, as well as making sure we have a clean install and avoid any issues with discovery, clients, AD containers, policies, etc.? Are there any articles that deal with this situation? We did not have any redundancy. We have two primaries and one CAS. Also, is the cd.latest on the primary server usable for reinstallation if it wasn't infected?
anyweb Posted November 4, 2019
First things first: do you have any details of what files were overwritten/infected? And do you have valid, virus-free backups of the database and all other software?
jerrycsakany Posted November 13, 2019
So we have a CAS and a primary at one physical location and a primary at the other. The CAS and its SQL server are completely encrypted at the main location, and the other primary is also completely encrypted. The primary at the main site can be logged into, but it is in read-only mode and has encrypted files as well, though not the whole system; it seems to be a mix of SCCM and system files. We want to start from scratch but want to be able to remove everything properly, even if it is a completely manual process. We need some good links/instructions. Most of what we found has the servers in good working order. I heard there is a site maintenance tool, but I'm not sure if that is the route we need.
jerrycsakany Posted November 13, 2019
Also, we do not have any good backups. Apparently the last backup restored of the CAS SQL database has some sort of Windows Update error when booting, saying it has over a hundred items in its pending.xml file.
anyweb Posted November 13, 2019
If you have no good backups then you are out of luck. I assume by encrypted you mean it has ransomware encryption of some sort that has run rampant over your two (or more) servers, encrypting random files. If so, you need to start fresh and make sure to focus on security this time. Do you have any idea why it got infected before? And why are there no good backups? That's a recipe for disaster. By starting fresh I mean a complete server reinstall for each affected server; you must be 100% sure that there are no infected files lingering or you will be back to square one... Whatever you do, don't pay the ransom. Doing that would mean that the authors will profit at your expense and they will build even worse ransomware which you may get infected with again in the future.