Medusa Ransomware Decryptor Help

joe smith89

Oct 30, 2024
Hello everyone! Is there a decryption tool available for Medusa ransomware? My server has been attacked, and I urgently need help to recover my data. Any tips or solutions would be greatly appreciated! Thank you!
 
Hello Joe,

I'm pretty new to the forum, but I've been in the security industry for 16 years, specializing in IPS/IDS, EDR, FW and sandbox. Based on my experience, here is my advice:

I don't think the Proxmox team has a decryption tool for Medusa ransomware.
You had better restore the backup that was not affected by the Medusa ransomware attack. After restoring the backup, it's advisable to isolate the target server, such as the Windows server (VM) or Linux server. You need to investigate the machine before reconnecting it to your network. Ensure all security patches are up to date and consider implementing additional security measures, such as network segmentation and enhanced monitoring.
If the Proxmox Backup Server itself is hit by a Medusa attack, I believe the only option is to restore the backup of the Proxmox Backup Server itself.

However, I couldn't find specific instructions on how to back up and restore the Proxmox Backup Server itself in the manual:
https://pbs.proxmox.com/docs/
Hopefully, someone will reach out with more information!

Hope this helps.

Respectfully,

Seiji
 
I don't know but we didn't have offline backups unfortunately, the ransomware deleted some of the backups and some are encrypted.
 
However, I couldn't find specific instructions on how to back up and restore the Proxmox Backup Server itself in the manual:
https://pbs.proxmox.com/docs/

One would use the proxmox-backup-client (described in the docs) or any other backup tool for Linux. I would use a different tool because otherwise I would need a running PBS to restore PBS -> chicken-and-egg situation.
 
I'm sorry that this happened. Maybe you know why they could hack your server and can post it here, so that others can reconfigure their systems for security.
 
Where did you read that is the case?
I wondered too and googled Medusa ransomware. If I understood everything correctly, the ransomware's main attack occurs via phishing and RDP.
I wonder though what Medusa ransomware has to do with Proxmox Backup Server, except that if one would set up PBS in the way recommended in the chapter on ransomware protection, it's more likely a ransomware wouldn't destroy the backups. This clearly wasn't the case here.
 
Sceptical about OP: no reply to questions, no technical info, no entry point details, no answers about backups...
 
This is one of the reasons why you have another PBS server that you sync from the primary PBS. The secondary PBS should be very restrictive on who has access.

Another tip is don't use root on PBS for PVE to access. Create a new PBS account with restrictive permissions that PVE can use to create backups only and not delete anything. PBS can prune those on a schedule.

I know this post won't help the OP but it's something to think about in terms of security.
 
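The setup described in the post above (a dedicated, non-deleting backup identity for PVE, server-side pruning, and a second PBS that pulls from the primary), written out as an added example; this is not code from the thread or from the Proxmox project. It assumes PBS 2.x-or-later command syntax, and every hostname, datastore name, user name, password and fingerprint in it is a placeholder. By default it only prints the commands it would run (PBS_DRY_RUN=1), so the change set can be reviewed before it is executed as root on the PBS hosts.

```shell
#!/bin/sh
# Added example (not from the thread, not Proxmox's own code): hardening the
# PVE -> PBS path so that a compromised PVE host cannot delete backups.
# All names, hosts, passwords and fingerprints below are placeholders.
#
# PBS_DRY_RUN=1 (default) prints the commands; PBS_DRY_RUN=0 executes them.
PBS_DRY_RUN="${PBS_DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$PBS_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. On the PRIMARY PBS: a user for PVE whose only right on the datastore is
#    DatastoreBackup (create backups, read its own data). That role does not
#    include prune or delete, so the PVE side cannot remove existing snapshots.
#    $1 = datastore name, $2 = auth-id (e.g. pve-backup@pbs)
create_backup_user() {
    run proxmox-backup-manager user create "$2"
    run proxmox-backup-manager acl update "/datastore/$1" DatastoreBackup --auth-id "$2"
}

# 2. On the PRIMARY PBS: retention is enforced by PBS itself on a schedule,
#    not by the client, so pruning never needs a delete-capable client login.
#    $1 = datastore name, $2 = prune job id (retention counts are assumptions)
create_prune_job() {
    run proxmox-backup-manager prune-job create "$2" --store "$1" \
        --schedule daily --keep-last 7 --keep-weekly 4 --keep-monthly 6
}

# 3. On the SECONDARY PBS: pull from the primary with a read-only identity
#    that exists on the primary. The primary never holds credentials for the
#    secondary, so nothing that compromises the primary can reach the copy.
#    $1 = primary host, $2 = remote name, $3 = datastore (same name both sides),
#    $4 = auth-id on the primary (e.g. sync@pbs), $5 = primary's TLS fingerprint
create_pull_sync() {
    run proxmox-backup-manager remote create "$2" --host "$1" --auth-id "$4" \
        --password 'REPLACE-WITH-SYNC-USER-PASSWORD' --fingerprint "$5"
    run proxmox-backup-manager sync-job create "sync-$3" --remote "$2" \
        --remote-store "$3" --store "$3" --schedule hourly
}

# 4. On the PVE host: register the datastore with the restricted identity.
#    $1 = storage id in PVE, $2 = PBS host, $3 = datastore, $4 = auth-id,
#    $5 = PBS TLS fingerprint
add_pve_storage() {
    run pvesm add pbs "$1" --server "$2" --datastore "$3" --username "$4" \
        --password 'REPLACE-WITH-BACKUP-USER-PASSWORD' --fingerprint "$5"
}

# Example run with placeholder values (constructed, not from the thread).
if [ "${PBS_EXAMPLE_MAIN:-1}" = "1" ]; then
    create_backup_user store1 pve-backup@pbs
    create_prune_job   store1 store1-daily
    create_pull_sync   pbs1.example.internal pbs1 store1 sync@pbs 'AA:BB:...:FF'
    add_pve_storage    pbs-store1 pbs1.example.internal store1 pve-backup@pbs 'AA:BB:...:FF'
fi
```

The roles matter more than the commands: DatastoreBackup on the primary keeps PVE from pruning or deleting, and the secondary pulls rather than being pushed to, so neither the PVE host nor the primary PBS holds a credential that can alter the second copy. Verify the resulting ACLs with `proxmox-backup-manager acl list` before trusting the setup.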
no address, no enterprise name or organization name, no location, no ....
 