Tags: sql-server, encryption

Can ransomware encrypt a mounted SQL database? Hypothetical


In our staff meeting today the topic of recovering a database from a possible ransomware attack came up. The question was whether it is even possible to encrypt a mounted, in-use database. Even if no activity is occurring, if it's mounted the files are locked and can't be modified outside of the instance. Right?

If it were possible, would a full backup of the database succeed if it was encrypted, or would it be seen as corrupted? If I use SQL Server's encryption I can back up the database, so does it leave out headers when encrypting? Bottom line, how "at risk" are my databases to ransomware?


Solution

  • There is always the possibility that ransomware will attack the backup server, so things like offline media storage for backups are crucial (or cloud/vault storage).
    If normal ransomware attacks the data files, you will get access, checksum or TDE errors immediately. If the log files are impacted, it should be found at the latest during the next log backup.

    But in theory it is possible that ransomware will insert itself as a disk driver and decipher all reads on the fly until a server restart or some specific point in time (like configuring BitLocker with the key stored somewhere accessible only to the ransomware creator).
    In this scenario, backups sent directly to the cloud or to a separate backup server should still be valid, as long as the backup server is not impacted.
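As an added example (not part of the question or the answer above, and not vendor-supplied code), the following T-SQL turns the answer's points into checks a DBA can run: it makes sure tampered pages fail their checksum, takes the full backup directly to a separate host with checksum validation so that an encrypted data file makes the backup fail rather than silently producing an unusable one, verifies the backup, and reviews the evidence SQL Server already records. The database name `YourDb` and the UNC path are placeholders to replace with your own values.

```sql
-- Added example: defensive checks that make file-level tampering of a
-- SQL Server database visible at backup time rather than at restore time.
-- [YourDb] and the UNC path are placeholders; substitute your own values.

-- 1. Make sure every page carries a checksum. Without this, a page that was
--    overwritten on disk is not recognised as corrupt when read or backed up.
ALTER DATABASE [YourDb] SET PAGE_VERIFY CHECKSUM;

-- 2. Full backup written directly to a separate host, with checksum validation.
--    A data page that no longer matches its checksum makes the backup fail
--    (unless CONTINUE_AFTER_ERROR is specified), so the problem shows up now.
BACKUP DATABASE [YourDb]
    TO DISK = N'\\backupserver\sqlbackup\YourDb_full.bak'
    WITH CHECKSUM, COMPRESSION, INIT, STATS = 10;

-- 3. Verify the backup media and the per-page checksums stored inside it.
RESTORE VERIFYONLY
    FROM DISK = N'\\backupserver\sqlbackup\YourDb_full.bak'
    WITH CHECKSUM;

-- 4. Pages that already failed a read (errors 823/824/825) are recorded here.
--    Any row for the database is a reason to investigate the files on disk
--    before trusting them or the backups taken from them.
SELECT d.name AS database_name, sp.file_id, sp.page_id, sp.event_type,
       sp.error_count, sp.last_update_date
FROM msdb.dbo.suspect_pages AS sp
JOIN sys.databases AS d ON d.database_id = sp.database_id
ORDER BY sp.last_update_date DESC;

-- 5. Backups taken without WITH CHECKSUM carry no integrity information;
--    list recent ones so the backup job can be corrected.
SELECT bs.database_name, bs.backup_finish_date, bs.type,
       bs.has_backup_checksum, bs.is_damaged
FROM msdb.dbo.backupset AS bs
WHERE bs.has_backup_checksum = 0
  AND bs.backup_finish_date > DATEADD(day, -7, GETDATE())
ORDER BY bs.backup_finish_date DESC;

-- 6. If TDE is in use, confirm the database really is encrypted
--    (encryption_state 3 = encrypted). A data file encrypted a second time
--    by ransomware cannot be decrypted with the DEK and raises errors on the
--    first read, which is the TDE error the answer refers to.
SELECT d.name, k.encryption_state, k.encryptor_type, k.key_algorithm
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;

-- 7. Full consistency check; schedule it so corruption introduced between
--    backups is found before the last clean backup ages out of retention.
DBCC CHECKDB (N'YourDb') WITH NO_INFOMSGS, ALL_ERRORMSGS;
```

Two caveats when reading the results: `PAGE_VERIFY CHECKSUM` only stamps a checksum on pages as they are next written, so pages untouched since the setting was enabled are still unverifiable, and `BACKUP ... WITH CHECKSUM` validates exactly those page checksums plus the backup stream itself. It does not protect against the disk-driver scenario in the answer, where reads are transparently decrypted until some later point; for that case the only reliable evidence is a backup copy that lives on a host the compromised server cannot reach.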