Customer Support Tips for Protecting and Recovering from Ransomware

Posted 06/28/2017 by Damian Andre

As the news started to break around the latest ransomware epidemic, I wondered if this was a simple case of déjà vu. Just six weeks ago we were proactively reaching out to our customers in the wake of the 'WannaCry' attack. In Support we are continuously monitoring for all sorts of critical events, ranging from natural and man-made disasters to ransomware attacks such as this.

When such an event occurs, we trigger our Critical Situation response process, and begin to proactively reach out to potentially affected customers from our three global Enterprise Command Centers. For natural disaster events, such as the 2016 Kaikoura earthquake in New Zealand, we quickly leveraged geographical data to generate a list of potentially affected customers in the disaster radius and began reaching out to offer recovery assistance. For ransomware, we monitor a variety of news outlets to identify any Commvault customers and engage our proactive support protocols. Each event is coupled with a 'Critical Situation ID,' which passes between our support centers around the clock to enable priority assistance and tracking of all support incidents associated with the event.

The 'WannaCry' attack in May was programmed to encrypt more than 170 different file types, primarily affecting large company file shares and documents on workstations. The latest ransomware iteration dubbed 'Petya' (or 'NotPetya', depending on whom you ask) has delivered a rather more sinister payload, rendering infected systems completely inoperable by encrypting the Master Boot Record before rebooting to a bitcoin payment screen. Indeed, Petya is turning out to be the swiss army knife of ransomware, using a trio of sophisticated techniques to spread and infect vulnerable systems.

Tip No. 1: Recovering your CommServe

The most important item to protect in your Commvault infrastructure is your CommServe database. The database contains metadata required to enable recovery of your systems, applications and data. If your CommServe has been affected by a ransomware attack, the first step is to locate your latest database from a DR backup. By default, Commvault keeps several copies in different locations that allow you to recover your Commvault infrastructure in the event of a disaster. In addition to the Commvault installation directory, the first export for the DR backup is usually located on an SMB share. Check any filters or secure SMB shares as a first point. From there, a DR backup policy stores several copies of your database to disk, tape or into the cloud. Commvault has several techniques and methods to recover DR backups from these locations. 

Once you have located your DR backup, you can recover it during a fresh CommServe install or post-install using the Recovery Assistant tool.

If you have a failover CommServe configured, you can failover to the standby node.

If you need to obtain a copy of the Commvault software, you can download it using your Commvault ID or from our Maintenance Advantage site.

Tip No. 2: Recovering your Media Agents

Media Agents can be easily recovered by reinstalling the software and reconnecting them to the CommServe using the original Client Name. All settings and configuration are automatically restored at startup. After installation, you can optionally leverage data verification to ensure recoverability of your data. If the primary copy of data has been compromised or is unavailable, you can use the copy precedence on any restore job to restore from an alternate copy of your data. If you have several restores to conduct, consider changing the recovery precedence option on the storage policy to default recoveries from a particular copy. Keep in mind that Commvault does not need access to deduplication databases to recover data, so this can be done at a later step.

Tip No. 3: Recovering your Clients and Applications

For physical machines, installing the appropriate agent either through remote or interactive installs is the first step to recover. Remember that Commvault provides several techniques to help accelerate recoveries other than traditional restores, such as:

  • 1-Touch for offline bare metal full system recoveries
  • VirtualizeMeto automatically recover any physical systems as Virtual Machines
  • Virtual Machine Conversion to recover VMs into the cloud
  • Live Recovery to instantly boot VMs from backup storage or hardware snapshots and recover them back in place
  • Hardware snapshot revert to instantly recover an entire LUN or share from an array snapshot
  • CBT Restores to perform accelerated incremental VM recoveries of only blocks that changed since the last backup

Tip No. 4: Protecting your Commvault environment 

The latest Commvault software generation enables you to protect your backup data by actively blocking access to external applications. You can find out more about this feature on our documentation site. You can also enable an option that attempts to detect ransomware infections on client computers, which will generate alerts for early detection. Finally, if you're interested in locking down your CommServe installation to protect it against attacks, consider the options in this whitepaper.

Tip No. 5: Call us

We're here to help. If you need assistance on recovery or simply looking for the best way to recover your data and applications, we can assist. Contact us.

As Commvault's Director of the Support Expertise Team, Damian Andre is responsible for the technical enablement of more than 390 engineers, helping to build an industry-leading global support organization with 98 percent customer satisfaction. Prior to heading up the Support Expertise Team, Damian was a Senior Product Manager for Cloud and Virtualization technologies, working to innovate, build and refine products to solve customer problems in the data protection, disaster recovery and orchestration space.