We have been hit by ransomware and need to restore from immutable backup.
Immutable backups (object lock, Veeam hardened repository, tape) only help if you also know the restore procedure and have a clean landing zone. Isolate first, then restore, not the other way round.
Try this first
1. Disconnect the infected environment from the network, including backup paths. The backup server is a primary target, so verify it is clean before restoring anything.
2. Build a clean restore bubble: a new VLAN or isolated host with a fresh hypervisor and OS, with no connection to production AD or the internet.
3. Identify the last clean backup: check the modify times on the .vbk/.vib files, compare them with the moment of encryption, and take a week's margin.
4. Restore the domain controller and core infrastructure first, scan the restored VMs with an EDR before exposing them, reset all passwords and rotate KRBTGT twice with an interval.
5. Only then bring back user VMs and data step by step, prioritised by the business: what must run tomorrow, what can wait a week.
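Step 3 in practice: the script below is an added example, not part of the original page or of any Veeam tooling. It walks a backup folder, keeps only the .vbk/.vib files whose modification time is at least seven days before the encryption moment, and names the newest of those as the restore point to start from. It assumes GNU coreutils (date -d, stat -c, touch -d) as found on a Linux hardened repository; the sample files and the encryption timestamp are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): select Veeam restore points
# (.vbk/.vib) that predate the encryption moment by a safety margin.
# Assumes GNU coreutils: date -d, stat -c %Y, touch -d.
set -eu

MARGIN_DAYS=7   # the "week's margin" from the procedure

# list_clean_candidates <backup_dir> <encryption_moment "YYYY-MM-DD HH:MM">
# Prints "epoch<TAB>filename" for every .vbk/.vib modified on or before
# (encryption moment - MARGIN_DAYS), oldest first. Other files are ignored.
list_clean_candidates() {
  local dir="$1" enc_time="$2"
  local enc_epoch cutoff f mtime
  enc_epoch=$(date -d "$enc_time" +%s)
  cutoff=$(( enc_epoch - MARGIN_DAYS * 86400 ))
  for f in "$dir"/*.vbk "$dir"/*.vib; do
    [ -e "$f" ] || continue          # skip unmatched globs
    mtime=$(stat -c %Y "$f")
    if [ "$mtime" -le "$cutoff" ]; then
      printf '%s\t%s\n' "$mtime" "$(basename "$f")"
    fi
  done | sort -n
}

# last_clean_backup <backup_dir> <encryption_moment>
# Prints the newest candidate, i.e. the restore point to start from.
last_clean_backup() {
  list_clean_candidates "$1" "$2" | tail -n 1 | cut -f2
}

# make_sample_repo: constructed sample data so the script runs stand-alone.
# Encryption is assumed to have started 2024-05-08 03:30, so the cutoff
# is 2024-05-01 03:30.
make_sample_repo() {
  local dir
  dir=$(mktemp -d)
  touch -d "2024-04-20 02:00" "$dir/Job1_2024-04-20.vbk"   # full, clearly clean
  touch -d "2024-04-27 02:00" "$dir/Job1_2024-04-27.vib"   # increment, clearly clean
  touch -d "2024-05-04 02:00" "$dir/Job1_2024-05-04.vib"   # inside the 7-day margin: rejected
  touch -d "2024-05-09 02:00" "$dir/Job1_2024-05-09.vib"   # written after encryption: rejected
  touch -d "2024-05-08 03:30" "$dir/readme_restore.txt"    # not a backup file: ignored
  printf '%s\n' "$dir"
}

# Demonstration run on the constructed repository.
repo=$(make_sample_repo)
echo "Candidates (epoch, file):"
list_clean_candidates "$repo" "2024-05-08 03:30"
echo "Start restore from: $(last_clean_backup "$repo" "2024-05-08 03:30")"
```

Modification time is only the first filter: an incremental (.vib) restore point still depends on the preceding full (.vbk) and the increments in between, so the whole chain up to the chosen point must also predate the cutoff, and the restored VMs still go through the EDR scan in step 4 before anything is exposed.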
When to bring us in
With ransomware, always notify the Dutch DPA (data breach) and the police. A specialised DFIR firm prevents mistakes and is worth the cost. Do not negotiate with the attackers yourself.
See also
- One DC or two DCs for an SMB office? Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs? For a small domain, all on one DC is fine; with two DCs, splitting is tidier but not required.
- How do I know my AD replication is healthy? Replication errors creep in silently; they only surface when logins or GPOs misbehave.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.