Friday 8 November 2013

Cause For Pause: Accounting Firm Possibly Done In Due to Technician Error and Cryptolocker (reddit)

This article came across one of the lists I am a part of, and it really brought home our own experience from the time Backup Exec support at Symantec spent three days working with us to recover a backup that in the end proved to be unrecoverable.

In our case we were fortunate to have other methods in place to protect the data, but we still ended up losing the domain and 24 of a partner's files out of 650GB of data (the failure was progressive: garbage in, garbage out).

The Backup Exec failure taught us to advocate strongly that we be the ones to rotate the backup media (the person responsible in the above case failed to rotate the two magazines) and to do a quarterly _full_ bare metal or hypervisor restore from the backup.

It also drove us to find a different backup and restore method that gave us portability for the backed-up server along with reliable recoverability. We came across StorageCraft's ShadowProtect and have been running with it ever since. Since then we have completed some spectacular recoveries thanks to ShadowProtect and the skills learned from Jeff Middleton's SwingIT migration methods.

One of the other lessons we learned early in our IT careers, and one the above article exemplifies, is the thoroughness with which we keep our clients' audit notes. We document absolutely _everything_ about their network setups, and the client receives a copy of the updated documentation whenever anything changes. One can never be too sure!

A backup that has been fully restored, bare metal or into a hypervisor, and verified is the ONLY known good backup. Period. Full stop.
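The failure mode above (media that silently stopped being rotated, images that were garbage long before anyone tried to restore them) is one that a scheduled check can at least flag early. The following is an added PowerShell example, not code from the original post or from StorageCraft. It assumes a ShadowProtect destination folder on a rotated USB drive with a known volume label, that ShadowProtect writes its images as .spf (full) and .spi (incremental) files, and that Get-Volume is available (Windows 8 / Server 2012 or later); the path, label and age threshold are placeholders.

```powershell
# Added example (not from the original post or StorageCraft).
# Flags the conditions that make a backup look fine until restore day:
#   - the rotation drive is missing or is the wrong drive (label mismatch)
#   - no image files, or the newest image is older than the backup window
#   - zero-length image files (a progressive write failure)
function Test-BackupFreshness {
    param(
        [string]$BackupRoot    = 'E:\SPBackups',   # assumed destination folder
        [string]$ExpectedLabel = 'SPROTATE',       # assumed label on the rotation drives
        [int]$MaxAgeHours      = 26                # assumed: one daily job plus slack
    )
    $problems = @()

    # 1. Is the expected rotation drive actually connected?
    $drive = (Split-Path -Qualifier $BackupRoot).TrimEnd(':')   # e.g. 'E'
    $vol = Get-Volume -DriveLetter $drive -ErrorAction SilentlyContinue
    if (-not $vol) {
        $problems += "Drive ${drive}: is not present; rotation drive not connected?"
    } elseif ($vol.FileSystemLabel -ne $ExpectedLabel) {
        $problems += "Drive ${drive}: label is '$($vol.FileSystemLabel)', expected '$ExpectedLabel' (wrong drive inserted?)"
    }

    # 2. Is there a recent image chain, and is it non-empty?
    $images = Get-ChildItem -Path $BackupRoot -Recurse -Include *.spf, *.spi -ErrorAction SilentlyContinue
    if (-not $images) {
        $problems += "No .spf/.spi image files found under $BackupRoot"
    } else {
        $newest = $images | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $age = (Get-Date) - $newest.LastWriteTime
        if ($age.TotalHours -gt $MaxAgeHours) {
            $problems += "Newest image $($newest.Name) is $([int]$age.TotalHours) hours old (limit $MaxAgeHours)"
        }
        $empty = $images | Where-Object Length -eq 0
        if ($empty) {
            $problems += "Zero-length image files present: $($empty.Name -join ', ')"
        }
    }
    return $problems
}

# Usage: run from a scheduled task and alert on any non-empty result.
$issues = Test-BackupFreshness
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
} else {
    Write-Output 'Backup destination looks current.'
}
```

A check like this only tells you that a backup exists and is recent; it says nothing about whether the image will actually restore. That is exactly why the quarterly full restore is the test that matters, and this script is the cheap early warning that sits in front of it, not a replacement for it.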

Philip Elder
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Chef de partie in the SMBKitchen
Find out more at


JoshB said...

We are all going to have to be more vigilant as time goes by, as ransomware is making a comeback and it's only a matter of time until a variant is released that targets backups too.

e.g. people using USB hard drives to store their ShadowProtect backups.

For instance, a Cryptolocker-encrypted .spf is a whole lot of pain.

Anonymous said...

You still do the inside the VM ShadowProtect as well?

Philip Elder Cluster MVP said...


We set our SP backup folders to only allow Modify for Domain Admins and remove Domain Users.

No one gets access to those backups but the admins. No one.
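The folder lock-down described in the comment above, as an added PowerShell example that is not from the original post, StorageCraft, or either commenter. It assumes the backup destination path and NetBIOS domain name shown (both placeholders) and that the ShadowProtect service runs as LocalSystem, which is why SYSTEM keeps Full Control; adjust the identity if your job writes with a dedicated account.

```powershell
# Added example (not from the original post or StorageCraft).
# Strip inherited ACEs from the backup folder, grant only SYSTEM, local
# Administrators and Domain Admins, then verify no broad group remains.
param(
    [string]$BackupRoot = 'D:\SPBackups',   # assumed destination folder
    [string]$Domain     = 'CONTOSO'         # assumed NetBIOS domain name
)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowRule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, 'Allow'
}

$acl = Get-Acl -Path $BackupRoot

# Stop inheriting from the parent and discard the inherited entries, so the
# Users / Authenticated Users / Domain Users rights on the drive root do not
# flow down into the backup folder.
$acl.SetAccessRuleProtection($true, $false)

# SYSTEM writes the images (assumed: ShadowProtect service runs as LocalSystem).
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
# Domain Admins get Modify, as in the comment; nothing else is granted.
$acl.AddAccessRule((New-AllowRule "$Domain\Domain Admins"  'Modify'))

Set-Acl -Path $BackupRoot -AclObject $acl

# Verify: show the effective entries and warn if any broad principal survived.
$broad     = 'Domain Users', 'Users', 'Authenticated Users', 'Everyone'
$effective = (Get-Acl -Path $BackupRoot).Access
$effective | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

$leak = $effective | Where-Object {
    $id = $_.IdentityReference.Value
    $broad | Where-Object { $id -eq $_ -or $id -like "*\$_" }
}
if ($leak) {
    Write-Warning "Broad principals still have access: $($leak.IdentityReference.Value -join ', ')"
} else {
    Write-Output "$BackupRoot is restricted to SYSTEM, Administrators and $Domain\Domain Admins."
}
```

One caveat worth stating plainly: this ACL protects the images from malware running as an ordinary user, which is how Cryptolocker-style infections normally arrive. It does nothing if the infected session belongs to a Domain Admin, because the malware inherits whatever that account can write. Keep day-to-day mail and browsing out of admin sessions, and where the product allows it, have the backup job write with a dedicated account that nothing else logs on as.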