Cannot restore backups after ransomware attack

SpyderVeloce

Feb 12, 2025
The company was recently hit by a ransomware attack which encrypted everything including all the VMs and even the Proxmox PVE servers.
Although it does not appear the Proxmox Backup Server was hit, I cannot restore any of the backups. They all fail with an error about .chunks folder not available or something similar. Single-file restores don't work either. I get an error: partition not found or something like that.

Are the backups truly immutable as the Proxmox documentation says? If so, why is the .chunks folder so easily accessible and/or corrupted?

Do you think the ransomware messed up these files or is there some other issue?

Is there any hope of recovering these backups?
 
... or something similar.
... or something like that.
This is unhelpful. Get serious. Provide data.


cat /etc/proxmox-backup/datastore.cfg

df -h

zpool status

zfs list


...
Mmm. And consider immediately purchasing support for all of your PVE hosts and your backup server.
It sounds like you might want a 1-on-1 chat with the staff. Pay for it.
 
I was not at work when I posted this. After speaking with an expert on the subject, we agreed there is no way to recover the encrypted chunks. Not all the chunks were touched, but enough were to make restoration impossible. This seems like a really weak spot as the other backup files were fine; just the chunks were encrypted.
 
no logs, no credibility.