In this review, we will take a live scenario where an Exchange Server is infected by ransomware. We will see how to rebuild the Exchange Server after the ransomware attack and how to restore the services without data loss. We will also discuss the issues that can occur when rebuilding the server, and mention an Exchange recovery tool, Stellar Repair for Exchange, that can help recover the database from the affected server.
The Scenario
There is an Exchange Server 2019 Standard, installed on a Windows Server 2019 Standard. The server is a Hyper-V virtual machine, hosted on Windows Server 2022 Standard.
The virtual machine got infected by ransomware, called BadRabbit, which came from a user computer and propagated through the network. This happened during the weekend. The ransomware encrypted most of the files on the Exchange Server. The server virtual machine was also giving a lot of issues and the Exchange Server was not responsive. Fortunately, since the EDB files were locked by the Exchange Server, these were not encrypted. Although this is a good sign, the database can still be damaged, since the server did not shut down properly and transactions held in the logs may not have been committed to the database.
After isolating the server from the network and removing the ransomware files from all the computers, the server was investigated in a sandbox environment to remove any traces of the ransomware files. After the clean-up and getting the go-ahead from the security team to reconnect the server to the network, an extensive amount of troubleshooting was required to get the services running. Some of the operating system files were damaged.
Restoring from backup was a solution, but only the weekly offsite backup was available. The Network Attached Storage (NAS) had the local daily backups that were infected as well. So, the local backups were not usable. Going back a week would mean a massive data and business loss. So, an alternative was needed.
The Server Recovery and Rebuilding Process
The decision is taken to rebuild the Exchange Server and start from scratch, after we shut down or isolate the damaged server. Next, we need to go into Active Directory Users and Computers to reset the computer account.
For the first part, we need to install a new virtual machine with the same IP address as the previous Exchange Server and retain the same computer name. This will help in the recovery process. Although the data resided on the Exchange Server, the configuration and setup are all in the Active Directory Schema (ADS).
It is important that the drive space, drive letters, and other details match the previous server's documentation. Now, we need to re-install the Exchange Server with the same version and build number, but not in the conventional way. We need to run the setup.exe file with the following parameter.
Setup.exe /m:recoverserver
This process takes about 45 minutes, depending on the performance of the server. It re-installs the Exchange Server and retains the configuration of the previous server, which is pulled from the Active Directory Schema (ADS). After this, any custom connectors need to be re-created from scratch. The biggest problem is retaining the data without any loss, rather than going back a week to the backup.
Copying the databases from the corrupt server into the same location and then restarting the services means we would end up with the databases in Dirty Shutdown state. We can use EseUtil to perform a soft recovery (replaying the transaction logs) to clear out any small damage. But if the transaction logs are lost or damaged, there is little we can do. Then, the remaining option is to perform a hard recovery. But this means data loss, and there is no guarantee that it will work. This process also takes a lot of time and effort. So, the alternative is to use third-party Exchange recovery software to recover the data.
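The following script is an added example, not part of the original article, showing the database check described above before anything is mounted on the rebuilt server: it reads the EDB header with eseutil /mh, attempts a soft recovery with eseutil /r only when the header reports Dirty Shutdown, and mounts the database only once the header reports Clean Shutdown. It assumes that Setup.exe /m:recoverserver has already completed and that the database and log folders were recreated with the same drive letters; the database name DB01, the paths and the log prefix E00 are placeholders.

```powershell
# Added example (not from the original article): verify the state of the
# copied EDB files and run a soft recovery before mounting them.
# Paths, database name and log prefix below are assumed placeholders.

$ExchangeBin = "C:\Program Files\Microsoft\Exchange Server\V15\Bin"  # default install path
$EseUtil     = Join-Path $ExchangeBin "eseutil.exe"

# Assumed locations of the files copied from the damaged server
$DbName    = "DB01"
$DbPath    = "D:\Databases\DB01\DB01.edb"
$LogPath   = "E:\Logs\DB01"
$LogPrefix = "E00"   # log base name, as seen in E00.log / E0000000001.log

function Get-EdbState {
    param([string]$EdbFile)
    # eseutil /mh dumps the database header; the 'State:' line reads
    # 'Clean Shutdown' or 'Dirty Shutdown'
    $header    = & $EseUtil /mh $EdbFile 2>&1
    $stateLine = $header | Where-Object { $_ -match '^\s*State:\s*(.+)$' } | Select-Object -First 1
    if (-not $stateLine) { throw "Could not read the header of $EdbFile" }
    return ($stateLine -replace '^\s*State:\s*', '').Trim()
}

# Never mount a database that is still in Dirty Shutdown; try a soft recovery first
$state = Get-EdbState -EdbFile $DbPath
Write-Host "Header state of ${DbName}: $state"

if ($state -like 'Dirty*') {
    # Soft recovery replays the transaction logs into the database.
    # /l = log folder, /s = checkpoint folder, /d = database folder
    & $EseUtil /r $LogPrefix /l $LogPath /s $LogPath /d (Split-Path $DbPath -Parent)
    if ($LASTEXITCODE -ne 0) {
        # Missing or damaged logs: stop here. Hard recovery (/p) discards data,
        # so keep a copy of the EDB and log files before considering it.
        Write-Warning "Soft recovery failed with exit code $LASTEXITCODE; logs are missing or damaged."
        return
    }
    $state = Get-EdbState -EdbFile $DbPath
    Write-Host "Header state after soft recovery: $state"
}

if ($state -like 'Clean*') {
    # Exchange Management Shell cmdlets: mount and confirm
    Mount-Database -Identity $DbName
    Get-MailboxDatabase -Identity $DbName -Status | Select-Object Name, Mounted
}
```

Run this from the Exchange Management Shell on the rebuilt server. The script deliberately stops after a failed soft recovery instead of falling through to eseutil /p, because the hard repair is the point at which data is lost and the decision should be taken with a copy of the files in hand.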
How can Stellar Repair for Exchange help?
Since the copy of the databases or transaction logs could be damaged, using Exchange recovery software such as Stellar Repair for Exchange can shorten the recovery time. This means the users get their data back faster.
With Stellar Repair for Exchange, we can easily open damaged Exchange Server mailbox databases from any version of Exchange Server, with or without an active Exchange Server. Here’s the process to recover data from EDB using the software:
- The process starts with selecting the EDB file and then choosing either Quick Scan or Extensive Scan.
- After the scan, the software presents all the mailboxes and resources found in the database. The scan can also be saved for later use.
- The software will let you choose the resources. We can export directly to a live Exchange Server.
- After selecting the mailboxes to export, the details of the destination need to be set. The software matches the mailboxes automatically and also allows you to match them manually. It also lets you select VIP resources to be processed first.
After this, the process will start. When the data is restored, the users will see their data in their mailboxes.
Conclusion
Above, we have discussed the process to rebuild the Exchange Server and recover the data after a ransomware attack. Restoring the data from backup is not an ideal solution, as it can result in data loss. Alternatively, we can use Stellar Repair for Exchange to reduce the recovery time to a bare minimum and to protect the company data. The software can help in getting the services up and running quickly and with ease.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us, she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains, such as finance, healthcare and consumer products.