Question

  • Creator
    Topic
  • #2145055

    VMware Server Infected with Ransomware

    by sagilbert47201 ·

    Tags: 

    We have a VMware Backup server setup on a Synology. Our Domain Controller got infected and the Synology was hooked up directly to the domain controller and looks like it got infected too.

    I have done some research on these .harma files and it looks to be ransomware so the only solution for data recovery would be to restore from a backup. However, the backup was on the Synology that was hooked up directly to the domain controller. I guess I am trying to look for maybe some other solutions on getting the data back?

    Thank you for your help!

You are posting a reply to: VMware Server Infected with Ransomware

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our Community FAQs for details. All submitted content is subject to our Terms of Use.

All Answers

  • Author
    Replies
    • #2423278

      Have you tried the following decryptor?

      by canivari ·

      In reply to VMware Server Infected with Ransomware

    • #2423274

      Run a scan for Malware

      by roncloudgeek ·

      In reply to VMware Server Infected with Ransomware

      I’ll run a scan with MalwareBytes to see if I could quarantine this ransomware infection completely.
      If not then restore from a backup.

    • #2423266

      Snapshots

      by vladoh ·

      In reply to VMware Server Infected with Ransomware

      Your in bad luck and bad practice. You can try on Synology to see if you have enabled snapshots. You can then recover files from snapshots. If not you can try with shadowexplorer, to try to recover from shadow copy in Windows, if not wiped by ransomware.

      • #2423262

        Snapshots

        by gavin.swift ·

        In reply to Snapshots

        This was going to be my suggestion as well.
        Depending on the ransomware most wipe shadow copies, storage snapshots are the most reliable way of quickly and cleanly restoring if they’re enabled. Although you’re likely to have work to do on your DC to get it working again depending on the age of the snapshots at least you’ll have a clean starting point.

    • #2423263

      Decryptor

      by jeffokada ·

      In reply to VMware Server Infected with Ransomware

      You can try the Trend micro decryptor tool. Hope it’s on the list. It will detect what ransomware version you have.

    • #2423261

      Good and bad news….

      by mkomac ·

      In reply to VMware Server Infected with Ransomware

      Hi, I assume that you have used Veeam B&R (payed or free edition) to backup VMs from ESX… So there are good and bad news. Good news is that you hypervisor is not infected as it is based on linux basis, bad news is that you domain controller, backup server and possible all VMs are infected with Dharma based ransomware. Unfortunately, Harma is undecryptable ransomware and no tools are capable of cracking the encryption and restoring data free of charge. The only solution is to restore everything from a backup, if one has been created.
      So there are 2 possibilities: pay ransom and get keys to decrypt files, or if you are lucky you will get files restored from your backup. Catch is that your synology NAS and all backups on it are also crypted with ransomware (you will see .harma on the on files) so in that situation, it only helps if you have set up synology file versoning and snapshots…. If you dont have that… Then back to step one, pay the ransom…. Or start building everything from 0….
      Advice make always min 3 copies of data on 2 types of media (like nas and tape) and 1 copy of data needs to be offline (not connected to network)… That is 3-2-1 rule that also veeam is recommending to be used. So you need definitely to change way who your are doing backups to prevent this kind of situations. My recommendation … Use all posibilities of synology nas (replication, snapshots and file versoning) and include also some kind of tape backup as it is one of types of medium that is basically offline nad ransomware virus can’t touch it … I hope I have help somehow. Please be free to ask if you have some additional question. BR. MK

    • #2423259

      Just rebuild…

      by rootmybox ·

      In reply to VMware Server Infected with Ransomware

      I don’t understand the problem. Decomm the DC and build a new one. Then delete all of the backups. If you have more than one (and I hope you do) DC the new one will sync from the old one. DCs aren’t as sensitive as people think.

      • #2423258

        DC is not a problem…. Everything other is…

        by mkomac ·

        In reply to Just rebuild…

        DC is not a problem, new can be deployed very quickly…. Problem is that the ransomware virus took probably credentials of elevated users and with them spread to other servers and workstations and crypted all files on them). In that case only solution is if it is possible to get from backupa all VM servers and to rebuild from 0 all workstations / desktop / laptops… So every equipment that had been in domain is affected. He have also issue that backups also locked…. So worst case scenario is to make everything from 0, and to lost of data that was infected…..

    • #2423256

      Decrypt tools and Shadow explorer

      by mdelorenze ·

      In reply to VMware Server Infected with Ransomware

      Hopefully, you have already quarantined the machine and even suspected ones at this point to stop further spreading. You can try decryption tools as most have suggested, honestly I have had little to no success using these up against ransomeware. Shadow explorer is the absolute best chance of recovery. You should be prepared, however, that this isn’t always possible. Best case scenario, you have multiple backup servers on and off site and you ALWAYS should have these available for times such as this. Good luck!

    • #2423178

      Ransomeware recovery

      by riasmajeed156013610 ·

      In reply to VMware Server Infected with Ransomware

      Dear Sagil,

      There is compnay named Proven Data based in Canada. They maybe able to help you recover your data.

      Riasmajeed

Viewing 7 reply threads