Ransomware in Columbus, Dublin, Delaware

Shadow copy.

Most people have never heard of it, but let me tell you a story about how shadow copy saved my bacon.

July 2012.  My first run-in with ransomware.  It was on a server and I honestly didn’t know what the heck was going on.  Frankly, at that time, no one did.  We just knew the server was infected. Three of us worked on that server and it took us almost 14 hours to get the server back up and running. Although we were able to get them operational pretty quickly that day with a few workarounds, it wasn’t until late that night that we had them fully functional.

I decided to go back and read my notes on this trouble ticket.  Although this was a very serious situation, reading through the notes is kinda comical I have to admit:

First note:  “Bernice [name changed to protect the innocent] is saying that the server has a warning message about pornography and no one can get into the server.  Sounds like someone has possibly hacked the server.”  – Obviously, my assessment was wrong.  Kind of.  It wasn’t someone... it was something (Reveton ransomware).

Another note further down:  “After researching virus, it is a “randsomware” virus.”  – LOL.  Rabbit ear bunny quotes and it’s misspelled.  A cross between randomware and ransomware.  I should probably trademark that.

Next note:  “This virus encrypts your data making it unavailable.”  – Captain Obvious.

The server was trashed.  It wouldn’t boot up and the client’s data was encrypted.  Good news is we were able to recover all of the data and reload the server.

Another note further down:  “Retrieve shadow copy data, check contents; Shadow copy content is integral.”

The reason we were able to recover all of their data was because we had two data security solutions in place.  The first was the backup.  The second was shadow copy, which gets me to the reason for this post.  Shadow copy RULES and it needs to be a part of your data security plan.  So what is shadow copy and why is it so important?

Shadow copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even while they are in use.  With these snapshots, you can recover your data from a previous point in time after a ransomware attack has occurred.  OK, so what’s the catch?  Well, the problem now is that the criminals who create ransomware are writing code into it that deletes the shadow volume copies, so that you can’t use shadow copy to recover the data.  So then you’re relegated to the backup.  That being said, I think it’s good practice to set up and configure shadow copy.  There are some backup providers that don’t recommend having shadow copy enabled because it conflicts with their backup software.  However, I think it’s a good idea to have at least two methods for data recovery, and in my experience, shadow copy does a good job and usually doesn’t interfere with other backup processes.

Let me be very clear though.  Shadow copy is not a replacement for backup.  Shadow copy saves those snapshots on the same hard drive or array (typically) as the actual data itself, so if the hard drive or array dies, you’re in trouble.  That’s why you have to have a true backup or business continuity solution in place, in addition to shadow copy.  Also, it’s a good idea to have a physically separate hard drive just for shadow copy.  That way, if your production drive/array fails, you still have the separate drive (unless there is a fire, flood, etc.; again, it doesn’t replace backup).

So exactly how do you set up shadow copy?  Well, there are several articles and videos on the internet on how to do this.  It’s pretty simple to do.  Thesolving.com has a good article on how to set it up in Windows Server 2012 R2.
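As an added example (not code from the original post or from the Thesolving.com article), here is that setup scripted in PowerShell: shadow storage placed on a separate drive as recommended above, a snapshot schedule, and a check that recent snapshots still exist. The drive letters D: (data) and E: (separate shadow-storage disk) and the 50GB cap are assumptions.

```powershell
# Added example, not from the original post. Configures shadow copies for a data
# volume with the snapshot storage on a separate physical drive, schedules
# snapshots, and verifies that recent snapshots exist. Assumptions: D: is the
# data volume, E: is a separate disk reserved for shadow storage.
# Run in an elevated PowerShell on Windows Server 2012 R2 or later.
$DataVolume    = 'D:'     # volume being protected (assumption)
$StorageVolume = 'E:'     # separate drive for shadow storage (assumption)
$MaxSize       = '50GB'   # cap on shadow storage; oldest snapshots are pruned first

# 1. Put the shadow storage for D: on E:. 'add' fails if an association already
#    exists, so fall back to 'resize' (which must name the same /on= volume).
$assoc = vssadmin list shadowstorage /for=$DataVolume 2>$null
if ($assoc -match 'Shadow Copy Storage volume') {
    vssadmin resize shadowstorage /for=$DataVolume /on=$StorageVolume /maxsize=$MaxSize | Out-Null
} else {
    vssadmin add shadowstorage /for=$DataVolume /on=$StorageVolume /maxsize=$MaxSize | Out-Null
}

# 2. Take a snapshot now. The ClientAccessible context is the one "Previous
#    Versions" in Explorer uses, so users can restore their own files from it.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = "$DataVolume\"; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) { throw "Snapshot of $DataVolume failed, code $($result.ReturnValue)" }

# 3. Schedule the same call at 07:00 and 12:00 daily (the Windows default
#    schedule), running as SYSTEM.
$cmd = "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create " +
       "-Arguments @{Volume='$DataVolume\';Context='ClientAccessible'}"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
$triggers  = @((New-ScheduledTaskTrigger -Daily -At '07:00'), (New-ScheduledTaskTrigger -Daily -At '12:00'))
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName "ShadowCopy-$($DataVolume.TrimEnd(':'))" -Action $action `
    -Trigger $triggers -Principal $principal -Force | Out-Null

# 4. Verify. Ransomware that wipes shadow copies leaves this list empty, so a
#    missing or stale snapshot deserves an alert, not just a shrug.
$volId   = (Get-CimInstance Win32_Volume -Filter "DriveLetter='$DataVolume'").DeviceID
$shadows = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volId } |
             Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0 -or $shadows[0].InstallDate -lt (Get-Date).AddHours(-24)) {
    Write-Warning "No snapshot of $DataVolume in the last 24 hours: check for deleted copies or a failing task"
} else {
    "{0} snapshot(s) of {1}; newest taken {2:u}" -f $shadows.Count, $DataVolume, $shadows[0].InstallDate
}
```

Step 4 is the part worth running on its own on a schedule, since an empty or stale snapshot list is often the first visible sign that something has started deleting shadow copies.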

So in conclusion, I recommend at least two methods of data recovery at all times and shadow copy is a great protection to have in addition to your backup.  It could save your butt if you delete a file or get hit with a virus that compromises your data.

Stay safe out there my friends.