August 29, 2019 at 2:00 pm #2145055
VMware Server Infected with Ransomware
by sagilbert47201 · about 5 years, 2 months ago
Tags: Security
We have a VMware Backup server setup on a Synology. Our Domain Controller got infected and the Synology was hooked up directly to the domain controller and looks like it got infected too.
I have done some research on these .harma files and it looks to be ransomware so the only solution for data recovery would be to restore from a backup. However, the backup was on the Synology that was hooked up directly to the domain controller. I guess I am trying to look for maybe some other solutions on getting the data back?
Thank you for your help!
August 29, 2019 at 11:42 pm #2423278
Have you tried the following decryptor?
by canivari · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
August 30, 2019 at 7:46 am #2423274
Run a scan for Malware
by roncloudgeek · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
I’ll run a scan with MalwareBytes to see if I could quarantine this ransomware infection completely.
If not, then restore from a backup.
August 30, 2019 at 4:19 pm #2423266
Snapshots
by vladoh · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
You're in bad luck and bad practice. You can check on the Synology to see if you have enabled snapshots. You can then recover files from the snapshots. If not, you can try ShadowExplorer to recover from shadow copies in Windows, if they were not wiped by the ransomware.
August 30, 2019 at 9:56 pm #2423262
Snapshots
by gavin.swift · about 5 years, 2 months ago
In reply to Snapshots
This was going to be my suggestion as well.
Depending on the ransomware (most wipe shadow copies), storage snapshots are the most reliable way of quickly and cleanly restoring, if they're enabled. Although you're likely to have work to do on your DC to get it working again, depending on the age of the snapshots, at least you'll have a clean starting point.
August 30, 2019 at 9:50 pm #2423263
Decryptor
by jeffokada · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
You can try the Trend Micro decryptor tool. Hope it's on the list. It will detect what ransomware version you have.
August 31, 2019 at 8:55 am #2423261
Good and bad news….
by mkomac · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
Hi, I assume that you have used Veeam B&R (paid or free edition) to back up VMs from ESX... So there is good and bad news. The good news is that your hypervisor is not infected, as it is Linux-based; the bad news is that your domain controller, backup server and possibly all VMs are infected with Dharma-based ransomware. Unfortunately, Harma is undecryptable ransomware and no tools are capable of cracking the encryption and restoring data free of charge. The only solution is to restore everything from a backup, if one has been created.
So there are 2 possibilities: pay the ransom and get keys to decrypt files, or, if you are lucky, you will get files restored from your backup. The catch is that your Synology NAS and all backups on it are also encrypted by the ransomware (you will see .harma on the files), so in that situation it only helps if you have set up Synology file versioning and snapshots... If you don't have that... then back to step one: pay the ransom... or start building everything from 0...
Advice: always make a minimum of 3 copies of data on 2 types of media (like NAS and tape), and 1 copy of the data needs to be offline (not connected to the network)... That is the 3-2-1 rule that Veeam also recommends. So you definitely need to change the way you are doing backups to prevent this kind of situation. My recommendation... use all possibilities of the Synology NAS (replication, snapshots and file versioning) and also include some kind of tape backup, as it is one type of medium that is basically offline and a ransomware virus can't touch it... I hope I have helped somehow. Please feel free to ask if you have any additional questions. BR. MK
August 31, 2019 at 11:53 am #2423259
Just rebuild…
by rootmybox · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
I don’t understand the problem. Decomm the DC and build a new one. Then delete all of the backups. If you have more than one (and I hope you do) DC the new one will sync from the old one. DCs aren’t as sensitive as people think.
August 31, 2019 at 12:02 pm #2423258
DC is not a problem…. Everything other is…
by mkomac · about 5 years, 2 months ago
In reply to Just rebuild…
The DC is not a problem; a new one can be deployed very quickly... The problem is that the ransomware virus probably took credentials of elevated users and with them spread to other servers and workstations and encrypted all files on them. In that case the only solution is, if possible, to get all VM servers back from backup and to rebuild all workstations / desktops / laptops from 0... So every piece of equipment that was in the domain is affected. He also has the issue that the backups are locked too... So the worst-case scenario is to rebuild everything from 0 and to lose the data that was infected...
August 31, 2019 at 4:38 pm #2423256
Decrypt tools and Shadow explorer
by mdelorenze · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
Hopefully, you have already quarantined the machine, and even suspected ones, at this point to stop further spreading. You can try decryption tools as most have suggested; honestly, I have had little to no success using these against ransomware. ShadowExplorer is the absolute best chance of recovery. You should be prepared, however, that this isn't always possible. Best case scenario, you have multiple backup servers on and off site, and you ALWAYS should have these available for times such as this. Good luck!
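What ShadowExplorer does by hand, as mentioned in the two replies above, can be scripted. The following is an added example, not code from this thread or from any poster: run as Administrator on the affected Windows host, it inventories files carrying the ransomware extension, lists the volume's VSS shadow copies, exposes the newest one as a directory via a symbolic link, and copies the pre-encryption originals out. The paths in the param block, the `.harma` extension and the assumed Dharma-style file naming (`name.ext.id-XXXXXXXX.[address].harma`) are assumptions for illustration; adjust them to your environment. Expect the shadow-copy list to be empty when the ransomware ran `vssadmin delete shadows`, in which case NAS snapshots or offline backups are the next resort.

```powershell
# Added example (not from the thread): triage ransomware-renamed files and
# recover pre-encryption copies from VSS shadow copies, if any survived.
# Assumptions: run elevated; $Scan, $Restore and the naming pattern below are
# hypothetical and must be adapted to the actual environment.
param(
    [string]$Scan    = 'D:\Shares',     # assumed: folder on the hit volume
    [string]$Restore = 'D:\Recovered',  # assumed: where recovered files go
    [string]$Ext     = '.harma'         # extension the ransomware appended
)

# 1. Inventory encrypted files. Assumed Dharma-family naming:
#    report.docx.id-1A2B3C4D.[attacker@example.com].harma
$pattern = '^(?<orig>.+)\.id-(?<id>[0-9A-Fa-f]{8})\.\[(?<mail>[^\]]+)\]' +
           [regex]::Escape($Ext) + '$'
$hits = @(Get-ChildItem -Path $Scan -Recurse -File -Filter "*$Ext" -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match $pattern) {
            [pscustomobject]@{ Path = $_.FullName; Original = $Matches.orig
                               Id = $Matches.id;   Mail = $Matches.mail }
        } else {
            # Extension present but name does not match the assumed pattern:
            # strip only the appended extension.
            [pscustomobject]@{ Path = $_.FullName
                               Original = $_.Name.Substring(0, $_.Name.Length - $Ext.Length)
                               Id = '?'; Mail = '?' }
        }
    })
"{0} encrypted files under {1}" -f $hits.Count, $Scan
# Several id/mail pairs usually mean several affiliates or several runs.
$hits | Group-Object Id, Mail | Select-Object Count, Name | Format-Table -AutoSize

# 2. Enumerate shadow copies for the volume that holds $Scan.
#    Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID are both \\?\Volume{GUID}\.
$vol       = (Get-Item $Scan).PSDrive.Root          # e.g. D:\
$letter    = $vol.TrimEnd('\')                      # e.g. D:
$volumeId  = (Get-CimInstance -ClassName Win32_Volume |
              Where-Object { $_.DriveLetter -eq $letter }).DeviceID
$shadows   = @(Get-CimInstance -ClassName Win32_ShadowCopy |
              Where-Object { $_.VolumeName -eq $volumeId } |
              Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies on $vol; VSS was probably wiped. Fall back to NAS snapshots or offline backups."
    return
}
foreach ($s in $shadows) { "Shadow copy {0} created {1}" -f $s.ID, $s.InstallDate }

# 3. Expose the newest shadow copy as a directory symlink. mklink needs the
#    trailing backslash on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
$newest = $shadows[0]
$link   = Join-Path $env:SystemDrive 'shadow_ro'
cmd /c mklink /d $link "$($newest.DeviceObject)\" | Out-Null
try {
    $restored = 0
    foreach ($h in $hits) {
        $rel     = $h.Path.Substring($vol.Length)                 # path relative to volume root
        $relOrig = Join-Path (Split-Path $rel -Parent) $h.Original
        $src     = Join-Path $link $relOrig
        # -LiteralPath: recovered names may contain [ ] which PowerShell would otherwise glob.
        if (Test-Path -LiteralPath $src) {
            $dst = Join-Path $Restore $relOrig
            New-Item -ItemType Directory -Force -Path (Split-Path $dst -Parent) | Out-Null
            Copy-Item -LiteralPath $src -Destination $dst -Force
            $restored++
        }
    }
    "Restored {0} of {1} files from shadow copy dated {2} into {3}" -f $restored, $hits.Count, $newest.InstallDate, $Restore
} finally {
    cmd /c rmdir $link | Out-Null   # removes only the link, not the shadow copy
}
```

Copy into a separate tree rather than over the encrypted files, so the originals stay intact for forensics and for a later decryptor if one appears, and check the restored copies before trusting them: a shadow copy taken after the encryption started will already contain `.harma` files.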
September 6, 2019 at 2:33 pm #2423178
Ransomware recovery
by riasmajeed156013610 · about 5 years, 2 months ago
In reply to VMware Server Infected with Ransomware
Dear Sagil,
There is a company named Proven Data based in Canada. They may be able to help you recover your data.
Riasmajeed