Windows system poisoning, SQL Server database file recovery rescue and OA program file recovery

2022-06-23 02:26:00 User 2966859

Background:

The client is a company in the real estate industry. Its ECS instance mainly hosts an OA system and a SQL Server database. Because internal IT was weak and security protection was neglected, the server was infected by a virus.

Review of the problem:

1: The server was attacked by ransomware, so the OA files and database files on the server were locked, the OA website could not be opened, and the database tables could not be read.

2: While the business was down, the company could not work, with unimaginable consequences for the company. If the database files could not be recovered, the whole department and even the company would be shut down.

3: At the same time, the D: drive was encrypted by the ransomware, and the encrypted files could not be used.

4: The customer had not taken any backup measures. When I heard this, I was not optimistic about this incident.

5: Common solutions in this case:

5.1 Hire a professional third-party data recovery company; the price is bound to be very high.

5.2 Pay the ransom to the criminals to unlock the files; the price is not cheap, and it emboldens the criminals.

It was a race against time: the battle against the ransomware had begun. Restoring the business as soon as possible with minimal spending places high demands on the ability of the operations staff.

Asset overview:

1: One infected server. System: Windows Server 2012 R2, 4 cores, 16 GB memory, 500 GB hard disk.

2: Main software: a SQL Server 2008 R2 database; the database size is under 100 GB.

3: The OA program provides web access.

Overall business architecture diagram:

The architecture is very simple, as pictured:

Investigation approach:

1: Cut off public network access immediately so the server cannot connect to the outside world. Start a new Windows server and connect to the infected server over the intranet.

2: Check how badly the server is damaged, especially the OA and database files.

The OA service could not be opened and the database could not be opened. The backup files were locked. I thought the situation was very serious.

3: Check further whether the SQL Server mdf file is intact. Good news: the mdf file had not been encrypted by the ransomware. This laid the foundation for data recovery. All one can say is: thanks, ransomware.

4: Next, once the OA program data was obtained, the customer's environment could be restored. According to the OA vendor, the OA deep backup directory is: D:\Seeyon\A8\base\upload

The folders under this directory were not encrypted. Seeing this, I was overjoyed.

Data recovery:

Since the OA program files and database files were both available, the source environment could be restored.

1: Prepare a clean system: Windows Server 2012 R2, with SQL Server 2008 R2 deployed manually and the OA redeployed by the vendor.

2: Take a snapshot of this initial environment, so that a later problem does not force a rebuild.

3: Copy the database mdf file and the OA program files, scan them for viruses, and verify their MD5 values.

The copy was a direct remote copy.

The mdf and OA program files were scanned for viruses; the files were found to be virus-free and normal.

For the SQL Server mdf file, the MD5 values before and after copying were compared to ensure that the database file size is consistent.

3.1 MD5 check of the database mdf file

3.2 OA program size and folder comparison
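
The copy verification in steps 3 to 3.2, as an added PowerShell example that is not from the original post: it hashes every file under a source tree and a destination tree and reports files that are missing, extra, or different. The function names and the temp-folder demo data are constructed for illustration; MD5 is the default because that is the check the post describes.

```powershell
# Added example. MD5 matches the check described above; pass -Algorithm SHA256 for a stronger digest.
function Get-TreeManifest {
    param([Parameter(Mandatory)][string]$Root, [string]$Algorithm = 'MD5')
    $base = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $map = @{}   # relative path -> size and hash (keys are case-insensitive, like NTFS names)
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length).TrimStart('\')
        $map[$rel] = [pscustomobject]@{
            Size = $_.Length
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
        }
    }
    return $map
}

function Compare-CopiedTree {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination, [string]$Algorithm = 'MD5')
    $src = Get-TreeManifest -Root $Source -Algorithm $Algorithm
    $dst = Get-TreeManifest -Root $Destination -Algorithm $Algorithm
    foreach ($rel in (@($src.Keys) + @($dst.Keys) | Sort-Object -Unique)) {
        $status = $null
        if (-not $dst.ContainsKey($rel))             { $status = 'MissingOnDestination' }
        elseif (-not $src.ContainsKey($rel))         { $status = 'ExtraOnDestination' }
        elseif ($src[$rel].Hash -ne $dst[$rel].Hash) { $status = 'HashMismatch' }
        if ($status) {
            [pscustomobject]@{ RelPath = $rel; Status = $status
                               SourceSize = $src[$rel].Size; DestSize = $dst[$rel].Size }
        }
    }
}

# Constructed demo data in a temp folder (stand-ins for the mdf file and the OA upload tree).
$demo   = Join-Path ([IO.Path]::GetTempPath()) ("copycheck-" + [guid]::NewGuid())
$srcDir = Join-Path $demo 'src'
$dstDir = Join-Path $demo 'dst'
New-Item -ItemType Directory -Path (Join-Path $srcDir 'upload'), $dstDir -Force | Out-Null
Set-Content (Join-Path $srcDir 'oa.mdf') 'constructed database bytes'
Set-Content (Join-Path $srcDir 'upload\a.doc') 'constructed attachment A'
Set-Content (Join-Path $srcDir 'upload\b.doc') 'constructed attachment B'
Copy-Item -Path (Join-Path $srcDir '*') -Destination $dstDir -Recurse
Set-Content (Join-Path $dstDir 'upload\b.doc') 'truncated'   # simulate a damaged copy
Remove-Item (Join-Path $dstDir 'upload\a.doc')                # simulate a file lost in transit
Compare-CopiedTree -Source $srcDir -Destination $dstDir | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

An empty result means every file arrived byte-for-byte identical. A matching hash only shows the copy is faithful to the source, so the virus scan in step 3 is still needed to judge whether the source itself is clean.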

4: Import the database file and recover the database.

5: The customer's OA vendor redeployed the OA; access is normal and nothing is missing from the database. Data recovery is complete.

Time taken: 4 hours. Customer losses were minimized.

Optimization and improvement suggestions:

To address the customer's existing problems, the following suggestions are made:

1: Network architecture optimization

2: Establishing a security system

1. Network architecture optimization

Based on the customer's available budget, the overall architecture is designed as follows:

Brief description of the scheme:

1: Decouple the database from the OA application so they do not affect each other.

2: The OA application accesses the database server over the intranet, so the database is not exposed directly to the public network.

3: Use a cloud-native SQL Server database with 99.9996% data reliability and 99.95% service availability. It uses a master-slave dual-node architecture with failover within seconds, and has automatic backups; the user can restore the database to an earlier point in time through the rollback function.

4: Upgrade to professional host security to give the host more advanced protection.

5: Use ELB load balancing and a NAT gateway to provide a secure network environment.

2. Establishing a security system

2.1 Set a periodic snapshot policy to make data rollback easy.

2.2 Use ELB, NAT and similar services to strengthen the security of the architecture.

2.3 Set a detailed alerting policy so the administrator is notified immediately when the server or application is unavailable.

2.4 Deploy security products, such as a WAF, to further strengthen network security.

Copyright notice
This article was written by [User 2966859]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202071800271558.html