VMware Server Infected with Ransomware

By sagilbert47201
We have a VMware backup server set up on a Synology. Our Domain Controller got infected, and the Synology was hooked up directly to the domain controller and it looks like it got infected too.

I have done some research on these .harma files and it looks to be ransomware, so the only solution for data recovery would be to restore from a backup. However, the backup was on the Synology that was hooked up directly to the domain controller. I guess I am looking for maybe some other solutions for getting the data back?

Thank you for your help!

All Answers

Run a scan for Malware

by RonCloudGeek In reply to VMware Server Infected wi ...

I'd run a scan with Malwarebytes to see if I could quarantine this ransomware infection completely.
If not then restore from a backup.

by Vladoh In reply to VMware Server Infected wi ...

You're in bad luck and bad practice. You can check on the Synology whether you have snapshots enabled. You can then recover files from the snapshots. If not, you can try ShadowExplorer to recover from the Windows shadow copies, if they weren't wiped by the ransomware.

by gavin.swift In reply to Snapshots

This was going to be my suggestion as well.
Depending on the ransomware (most wipe shadow copies), storage snapshots are the most reliable way of quickly and cleanly restoring, if they're enabled. Although you're likely to have work to do on your DC to get it working again, depending on the age of the snapshots, at least you'll have a clean starting point.

by jeffokada In reply to VMware Server Infected wi ...

You can try the Trend Micro decryptor tool. Hope it's on the list. It will detect what ransomware version you have.

Good and bad news....

by mkomac In reply to VMware Server Infected wi ...

Hi, I assume that you have used Veeam B&R (paid or free edition) to back up VMs from ESX... So there is good news and bad news. The good news is that your hypervisor is not infected, as it is Linux-based; the bad news is that your domain controller, backup server and possibly all VMs are infected with Dharma-based ransomware. Unfortunately, Harma is undecryptable ransomware and no tools are capable of cracking the encryption and restoring data free of charge. The only solution is to restore everything from a backup, if one has been created.
So there are 2 possibilities: pay the ransom and get the keys to decrypt the files, or if you are lucky you will get the files restored from your backup. The catch is that your Synology NAS and all backups on it are also encrypted with the ransomware (you will see .harma on the files), so in that situation it only helps if you have set up Synology file versioning and snapshots... If you don't have that... then back to step one, pay the ransom... or start building everything from 0...
Advice: always make at least 3 copies of data on 2 types of media (like NAS and tape), and 1 copy of the data needs to be offline (not connected to the network)... That is the 3-2-1 rule that Veeam also recommends. So you definitely need to change the way you are doing backups to prevent this kind of situation. My recommendation... use all the possibilities of the Synology NAS (replication, snapshots and file versioning) and also include some kind of tape backup, as it is one of the types of medium that is basically offline and the ransomware virus can't touch it... I hope I have helped somehow. Please feel free to ask if you have any additional questions. BR. MK
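Vladoh's and gavin.swift's replies above, and the snapshot/versioning point in this post, all come down to one question: is there a snapshot that predates the encryption? The script below is an added example, not code from the thread, from Synology or from Veeam. It takes a single fact from the thread (encrypted files end in .harma), walks a share, records the earliest and latest modification time seen on encrypted files, and keeps only the snapshots taken before that window. The directory tree, file names, timestamps and snapshot list are constructed sample data.

```python
"""Scope a share hit by ransomware and pick a snapshot that predates it.

Added example; not code from the forum thread, Synology or Veeam. The only
fact taken from the thread is that encrypted files carry a ".harma"
extension. The directory layout, file names, timestamps and snapshot list
below are constructed sample data standing in for a real NAS share.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

ENCRYPTED_SUFFIX = ".harma"


@dataclass
class ShareReport:
    encrypted: int = 0
    intact: int = 0
    first_encrypted_at: Optional[float] = None  # earliest mtime on an encrypted file
    last_encrypted_at: Optional[float] = None   # latest mtime on an encrypted file
    dirs_hit: set = field(default_factory=set)  # directories containing encrypted files


def scan_share(root) -> ShareReport:
    """Walk the share, count encrypted vs. intact files and record the
    encryption window. mtimes can be altered by the malware, so treat the
    window as a hint to cross-check against NAS/DC logs, not as proof."""
    root = Path(root)
    report = ShareReport()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() != ENCRYPTED_SUFFIX:
            report.intact += 1
            continue
        report.encrypted += 1
        report.dirs_hit.add(str(path.parent.relative_to(root)))
        mtime = path.stat().st_mtime
        if report.first_encrypted_at is None or mtime < report.first_encrypted_at:
            report.first_encrypted_at = mtime
        if report.last_encrypted_at is None or mtime > report.last_encrypted_at:
            report.last_encrypted_at = mtime
    return report


def usable_snapshots(snapshot_times, report: ShareReport, margin_seconds=0):
    """Snapshots taken before the first encrypted file was written (minus a
    safety margin) still hold plaintext; later ones already contain .harma
    files. Returns the clean snapshot timestamps, oldest first."""
    if report.first_encrypted_at is None:
        return sorted(snapshot_times)  # nothing encrypted: every snapshot is clean
    cutoff = report.first_encrypted_at - margin_seconds
    return sorted(t for t in snapshot_times if t < cutoff)


T0 = 1_700_000_000  # fixed epoch base so the constructed sample is deterministic
SAMPLE_FILES = {  # constructed sample share: relative path -> mtime (epoch seconds)
    "finance/q3.xlsx": T0 - 3 * 86400,
    "finance/q2.xlsx.harma": T0 + 600,
    "hr/policies.docx.harma": T0 + 120,  # earliest encrypted file
    "hr/onboarding.pdf.harma": T0 + 900,  # latest encrypted file
    "it/README.txt": T0 - 86400,
}
SAMPLE_SNAPSHOTS = [T0 - 7 * 86400, T0 - 86400, T0 + 300, T0 + 3600]  # constructed


def build_sample_share(base) -> None:
    """Create the constructed files under `base` with the mtimes above."""
    for rel, mtime in SAMPLE_FILES.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
        os.utime(p, (mtime, mtime))


def demo():
    """Build the sample share in a temp dir, scan it and choose a snapshot."""
    base = tempfile.mkdtemp(prefix="share-")
    try:
        build_sample_share(base)
        report = scan_share(base)
    finally:
        shutil.rmtree(base)
    usable = usable_snapshots(SAMPLE_SNAPSHOTS, report, margin_seconds=60)
    return {
        "encrypted": report.encrypted,
        "intact": report.intact,
        "first_encrypted_at": report.first_encrypted_at,
        "last_encrypted_at": report.last_encrypted_at,
        "dirs_hit": report.dirs_hit,
        "usable_snapshots": usable,
        "restore_from": usable[-1] if usable else None,  # newest clean snapshot
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real NAS you would point scan_share at the mounted share and feed usable_snapshots the snapshot timestamps the NAS reports; the newest entry it returns is the one to roll back to. Keep a read-only copy of the encrypted data before rolling anything back, and confirm the encryption window against NAS or DC logs, since modification times are writable by the same process that encrypted the files.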

Just rebuild...

by rootmybox In reply to VMware Server Infected wi ...

I don't understand the problem. Decomm the DC and build a new one. Then delete all of the backups. If you have more than one (and I hope you do) DC the new one will sync from the old one. DCs aren't as sensitive as people think.

DC is not a problem.... Everything other is...

by mkomac In reply to Just rebuild...

The DC is not a problem, a new one can be deployed very quickly... The problem is that the ransomware virus probably took the credentials of elevated users and with them spread to other servers and workstations and encrypted all files on them. In that case the only solution is, if possible, to get all VM servers back from backups and to rebuild all workstations / desktops / laptops from 0... So every piece of equipment that had been in the domain is affected. He also has the issue that the backups are locked too... So the worst-case scenario is to make everything from 0 and to lose the data that was infected...

Decrypt tools and Shadow explorer

by mdelorenze In reply to VMware Server Infected wi ...

Hopefully, you have already quarantined the machine, and any suspected ones, at this point to stop further spreading. You can try decryption tools as most have suggested; honestly, I have had little to no success using these against ransomware. ShadowExplorer is the absolute best chance of recovery. You should be prepared, however, that this isn't always possible. Best-case scenario, you have multiple backup servers on and off site, and you ALWAYS should have these available for times such as this. Good luck!

Ransomware recovery

Dear Sagil,

There is a company named Proven Data based in Canada. They may be able to help you recover your data.
