September 9, 2020 at 12:36 am
Hi,
I'm an accidental DBA and had a ransomware attack today.
I stopped the attack but it encrypted the mdf file but not the log.
I have a backup from yesterday, so I "only" need to recover a few hours of transactions.
However, is it possible to use the log to "rebuild" the mdf up to date?
Thanks for your time!
September 9, 2020 at 10:26 am
so SQL server has a lock on the mdf/ndf/ldf files because they are in use, so are you really, really sure the mdf was encrypted?
is the database currently up and online, or was the sqlservice stopped so the ransomware could access the files? are you able to take a log backup right now? if you can take a log backup now, you could have a 'tail' backup, that contains all the transactions up to the moment the log backup completes, with no data loss.
what is the recovery model of the database? do you have a chain of backups?
this would be a typical disaster recovery scenario:
restore the full backup with NO RECOVERY, probably as a new database name so they are side by side.
restore multiple transaction logs, with NO RECOVERY, and the last log would be restored with STOPAT where the time is where you want to get the data up to (i.e. 2020-09-08 13:17:00)
there are some prerequisites to that restore though!
you can only use the log if the database is in FULL or BULK LOGGED Recovery and you have some full+log backups.
Lowell
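The restore sequence described in the post above, written out as T-SQL. This is an added example and not part of the original post; the database name SalesDB, the new name SalesDB_Recovered, the logical file names and every path are hypothetical. In T-SQL the option is spelled NORECOVERY.

```sql
-- Added example: all names and paths below are hypothetical placeholders.

-- 1. Prerequisite check: log restores need FULL or BULK_LOGGED recovery.
SELECT name, recovery_model_desc, state_desc
FROM sys.databases
WHERE name = N'SalesDB';

-- 2. Confirm a backup chain exists (type D = full, I = differential, L = log).
SELECT type, backup_start_date, backup_finish_date, first_lsn, last_lsn
FROM msdb.dbo.backupset
WHERE database_name = N'SalesDB'
ORDER BY backup_finish_date;

-- 3. Tail-log backup. NO_TRUNCATE lets SQL Server attempt the log backup
--    even when the data file is damaged, as long as the log is readable.
BACKUP LOG SalesDB
TO DISK = N'D:\Backup\SalesDB_tail.trn'
WITH NO_TRUNCATE, CHECKSUM;

-- 4. Restore the last full backup side by side under a new name.
--    NORECOVERY keeps the database in a restoring state so logs can follow.
--    Get the real logical file names with RESTORE FILELISTONLY.
RESTORE DATABASE SalesDB_Recovered
FROM DISK = N'D:\Backup\SalesDB_full.bak'
WITH MOVE N'SalesDB'     TO N'D:\Data\SalesDB_Recovered.mdf',
     MOVE N'SalesDB_log' TO N'D:\Data\SalesDB_Recovered_log.ldf',
     NORECOVERY;

-- 5. Restore every log backup taken after the full backup, in LSN order,
--    each one WITH NORECOVERY (one shown here).
RESTORE LOG SalesDB_Recovered
FROM DISK = N'D:\Backup\SalesDB_log_01.trn'
WITH NORECOVERY;

-- 6. Restore the final log (here the tail backup) up to the chosen point
--    in time and bring the database online.
RESTORE LOG SalesDB_Recovered
FROM DISK = N'D:\Backup\SalesDB_tail.trn'
WITH STOPAT = N'2020-09-08T13:17:00', RECOVERY;
```

Choosing a STOPAT time before the first malicious activity keeps attacker-made changes out of the recovered copy.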
September 9, 2020 at 10:29 am
if the database is in SIMPLE recovery mode, it goes back to whether the database is currently accessible or not.
you could restore last night's backup as a new database name, and then compare tables to find changes from last night to current.
that's a lot more work, and depends on whether the original database is accessible or not. I still doubt the file is encrypted, if the SQL server was running.
Lowell
September 16, 2020 at 2:00 pm
There IS a ransomware thing going around affecting SQL Servers.
https://securityaffairs.co/wordpress/108341/hacking/mrbminer-mssql-miner.html