SBS 2011 MAJOR issue with Hard Disks

At 2 o'clock this afternoon a client rang to say they could no longer access Exchange or their shared data.
Logging into the machine, EVERY drive on the server except the main disk was empty. Not just not showing up: they were there, labelled correctly and showing the correct TOTAL space, but without a single piece of info on them.
C: - Windows - Standalone SSD - Running fine
D: - Exchange - External DAS running off a SIL3121 SATA RAID - Empty
E: - WSUS - Empty - As above
F: - Archive - Empty, as above
G: - Storage Craft Backup - Internal Intel RAID - Empty
F: - DATA - Secondary External DAS, totally separate from the 1st one (2 separate boxes)

One could look at the SIL RAID card, but the fact that a totally separate Intel internal RAID has done the same and the disks are showing up says to me it is not that.

I cannot find a single reason in the event log for anything to have happened. No windows updates or driver updates have been run.
The only suspicious thing was that someone had logged on locally to the machine yesterday (it is not used and sits in a cupboard) as a generic user, and there was a Russian Google Chrome installed. On the desktop was a program folder called Clearlogs.V1 with an exe file under Clearlogs. This seemed to have been downloaded 2 years ago, but the folder it sits in shows it was edited at the same time everything seems to have stopped today.

Does anyone have any ideas at all, because I am totally lost, and with no backups available the company of 30 users is screwed!
Lee W, MVP (Technology and Business Process Advisor) commented:
At this point I'd shut down the server and send the hard drives to data recovery.  Could you possibly find something yourself?  Sure... but you could also easily destroy any possibility they may still have to get their data back.

I would then work with them on a plan to set up REAL backups that include OFF-SITE and rotating media.
Cliff Galiher commented:
Russian Google Chrome, eh?  I think you know what happened, but if you want validation, yeah, you got compromised and someone either intentionally or inadvertently wiped the data.  

No backups?  Ouch.  Depending on who did the damage, you *might* be able to recover data from the drives (after all the labels and partitions sound intact) but in all likelihood, with the way modern malware and crypto attacks work, I'm betting...gone.

No backups, no options really. Hard lesson for them to learn.
Chrome or Chromium?

I would create a sandbox virtual machine, copy that clearlogs program to it, and run it.  If it blows things away, you have verification.  

As for data being lost, one could tell with the right software if the disk was programmatically locked; reformatted at block level; partitioning changed or destroyed; sanitized; subjected to a denial of service attack in one of many ways; resized programmatically to tiny capacity ...

So many ways to do evil things, and if I gave techniques to determine some of these methodologies, I'd just be teaching people about exploits that they can then use themselves for nefarious reasons.
(But I would hook up one of the disks to a Linux box and enter `strings /dev/sdb` (or whatever device name one of the disks shows). If you see chunks of text that make sense, then chances are good they used a method easily recovered from. If you see nothing, or get error messages, then the error messages will provide a clue.)

Bottom line, your customer is going to be paying the big bucks to a data recovery company, and somebody needs to sell them a disaster recovery / backup plan.  I'd stay out of it personally, this is out of your realm.  You do NOT want the liability making things worse by trying something that could change state.

I would also advise them to get law enforcement involved and have company management think about any IT people that recently left the company under less than favorable conditions.

If this is a ransomware attack, then the good news is maybe the extortionist sent an email asking for a few thousand dollars and it is in a junk folder.
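The check suggested above (are the partition table and filesystem headers still there, and does any readable text survive?) as an added example that is not from this thread or any of its posters. It works on a read-only image of the disk rather than the live drives, and the two sample images are constructed inline; the only real on-disk constants used are the MBR boot signature 0x55AA at offset 510, the MBR partition table at offset 446, and the NTFS OEM ID "NTFS    " at offset 3 of the volume boot sector.

```python
import re
import struct

SECTOR = 512

def parse_mbr(img: bytes):
    """Return non-empty MBR entries as (type, start_lba, sector_count), or None if no MBR signature."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        return None  # table signature missing: wiped or never an MBR disk
    entries = []
    for i in range(4):
        entry = img[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:
            entries.append((entry[4], start, count))
    return entries

def ntfs_boot_ok(sector: bytes) -> bool:
    """An intact NTFS boot sector carries the OEM ID at offset 3 and 0x55AA at offset 510."""
    return sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"

def triage(img: bytes) -> dict:
    """Classify an image: partition table present? filesystem headers present? any text left?"""
    parts = parse_mbr(img)
    fs_ok = [ntfs_boot_ok(img[s * SECTOR:(s + 1) * SECTOR]) for _, s, _ in (parts or [])]
    sectors = range(0, len(img), SECTOR)
    zero = sum(1 for off in sectors if not any(img[off:off + SECTOR])) / max(1, len(sectors))
    text_runs = len(re.findall(rb"[\x20-\x7e]{8,}", img))  # what `strings` would report
    if parts is None:
        verdict = "partition table gone"
    elif not any(fs_ok):
        verdict = "partitions listed but filesystem headers gone"  # size shows, contents empty
    else:
        verdict = "metadata intact"
    return {"mbr": parts is not None, "partitions": parts or [], "ntfs_boot": fs_ok,
            "zero_fraction": round(zero, 2), "text_runs": text_runs, "verdict": verdict}

def make_image(wipe_fs: bool) -> bytes:
    """Constructed 64-sector sample: one type-0x07 partition at LBA 2 holding an NTFS boot sector."""
    mbr = bytearray(SECTOR)
    mbr[446] = 0x80; mbr[450] = 0x07            # bootable, type 0x07 (NTFS)
    struct.pack_into("<II", mbr, 454, 2, 62)    # start LBA 2, 62 sectors
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"; boot[3:11] = b"NTFS    "; boot[510:512] = b"\x55\xaa"
    data = bytearray(SECTOR * 61)
    msg = b"Sample Exchange mailbox record (constructed)"; data[:len(msg)] = msg
    body = bytes(boot) + bytes(data)
    if wipe_fs: body = bytes(len(body))         # partition area zeroed, table left alone
    return bytes(mbr) + bytes(SECTOR) + body
```

The second sample reproduces the symptom in the question: the partition entry (and so the drive letter and total size) is still present while every sector behind it is zero.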
Richeyyy (Author) commented:
That's the problem: they had a data recovery setup with local and remote backup, but the local was formatted/deleted and the remote was removed via the program, as it has a safety guard in it to do so.
All in all they have been royally f@&ked by someone who knew the system. Strange thing is they have had no acrimonious departures, and the way they got in is not by accident. Very, very odd.
Only one backup?  Sad.
Well, even if you format, if they didn't run a one-and-zero write to every sector, the data may be recoverable in house.
Lee W, MVP (Technology and Business Process Advisor) commented:
Backups should include OFFLINE copies that aren't more than a few days or a week old.  Having a "remote" backup that is an externally attached hard drive is not a "remote" backup.  It's still local.  Replication is NOT backup - it's Disaster Recovery.
... and one needs both backup copies and archive copies. Archives imply offsite, long-term, disaster recovery copies for situations such as the customer experienced. They are also for fire, flood, tornadoes, and the situation your customer experienced.

Never have one copy, nothing is infallible.
Correction: Cliff's post ID 41739994 suggested this first; he deserves the points.
Author confirmed the problem was not hardware; it was due to a hacker, as suggested by this post.
Question has a verified solution.
