VMware Cloud Community
ReddeNet
Contributor

Ransomware and VMFS

We are running ESXi version 6, and the primary datastore is iSCSI located on a Synology 1517+ as RAID 1.

The vSphere reported all VMs as unknown although the iSCSI datastores were still connected.

We removed the disks from the Synology and inspected them with UFS Explorer on Win10 machine.

The VMFS partitions had been converted to FAT16 ENCRYPTED containing a README.TXT file: 'All your files have been encrypted! Send bitcoins etc., etc.'

Has anyone else come across this problem and does anyone know of any decryption possibilities?

Thanks in advance

Alex_Romeo
Leadership

Hi,

some ideas

ESXi Free 6.5 VM files attacked by encryption ransomware

VMware Knowledge Base

Alessandro Romeo

Blog: https://www.aleadmin.it/
ReddeNet
Contributor

It is interesting to note that the ransomware has attacked the files on the VMFS partition, which is another step on from attacking NTFS and EXT4 partitions in Windows and Linux respectively. Clearly this ransomware understands more than just Windows ...

The difference between this problem and mine is that here, the ransomware has encrypted the files on the VMFS partition, whereas in my case the ransomware has encrypted the VMFS partition itself (it has been operating at the disk level).

continuum
Immortal

Are you still investigating this problem?
I would like to know how you verified that the complete VMFS volumes have been encrypted.
A VMFS volume often looks damaged beyond repair at first sight - but to make a volume look like that, just zeroing a single MB at the right location is enough.
Anyway - if you want a second opinion - send a header-dump like I described here:
Create a VMFS-Header-dump using an ESXi-Host in production | VM-Sickbay

Ulli


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

ReddeNet
Contributor

Hi continuum,

Thank you for your reply.  I'm sorry for the delay in responding but I am still interested in this problem.

Firstly, the answer to your question: the attached image shows the disk data as viewed with UFS Explorer. The message is one I have seen before on Windows file systems after a ransomware attack. This is the only way that I have ascertained that it is the result of ransomware.

I am unable to do a production header dump because the system was put back online using backups shortly after the attack.  What I have is one of the disks from each of the two mirrors on the NAS.  The UFS Explorer image shows, in the left pane:-

  • Drive 0:     The Windows system drive
  • Drive 1:     A broken mirror drive from the NAS Storage Pool 1
  • Drive 2:     A broken mirror drive from the NAS Storage Pool 2

The partitions on Drive 1 (and this is normal for this NAS with an iSCSI Target from the ESXi) are:-

  • Ext 2/3/4 with the NAS RAID data
  • The RAW partition
  • VMFS as created by ESXi 6.0

On Disk 2 the partitions (which should be the same as Disk 1) are:-

  • Ext 2/3/4 with the NAS RAID data
  • The RAW partition
  • FAT partition

The ransomware has clearly changed the partition type to FAT (16???) and written its little message there in the disk header. There is data on this disk which I would like to recover and, before making any move to do so, I would like to get the best advice I can. I do have experience of data recovery from NTFS and FAT partitions but never with VMFS. I have never tried reversing the work of ransomware either. I also recognise that the partition headers could have been overwritten and recovery (with the right knowledge) could be simple, which is why I act as I do. I never use complex RAID systems, only mirrors, and the reason is that data recovery is soooo much simpler with half a mirror-set. Whenever I have a problem like this I always put half the mirrors to one side so that I can review them later.

I would greatly appreciate any comments and assistance.

Regards

John Platt

rlund
Enthusiast

My two cents would be to contact someone like Kroll Ontrack data recovery.

Roger Lund Minnesota VMUG leader Blogger VMware and IT Evangelist My Blog: http://itblog.rogerlund.net & http://www.vbrainstorm.com
continuum
Immortal

Hi John
You gave us nothing to work with - looks like you forgot to attach the promised images ...

Ulli


ReddeNet
Contributor

Thanks for the reply Ulli.

I don't know what happened there but I have definitely attached it this time.

Regards

John Platt

continuum
Immortal

Hi John
Sorry for the late reply - spent the last 5 days in bed curing a flu ...
Did you have a closer look at the VMFS that now looks like encrypted FAT?
The FAT partition may have a limited range - but to make it impossible to detect it as VMFS, only a very small area needs to be modified. The actual vmdk data later in the volume may not be touched at all.
Ulli

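Ulli's point in this reply, and in his earlier one about zeroing a single MB at the right location, is that a VMFS volume can look destroyed when only a small header region has been overwritten, while the vmdk data further into the volume survives. The script below is an added, read-only triage check written for this thread; it is not code from VMware, from Ulli, or from any tool mentioned here. It assumes the VMFS layout as I know it from the open-source vmfs-tools project (volume-info header with magic 0xC001D00D at 1 MiB into the partition, file-system-info header with magic 0x2FABF15E at 2 MiB) and runs against a constructed 3 MiB stand-in image rather than a real dump; the offsets should be checked against a known-good volume before the verdict is trusted on a real disk.

```python
"""Read-only triage of a raw VMFS partition image after suspected header tampering."""
import mmap
import struct
import sys

SECTOR = 512
# VMFS layout constants as I know them from the open-source vmfs-tools project
# (assumption; verify against a known-good volume before relying on them).
VMFS_VOLINFO_OFFSET = 0x100000   # LVM volume-info header, 1 MiB into the partition
VMFS_VOLINFO_MAGIC = 0xC001D00D
VMFS_FSINFO_OFFSET = 0x200000    # file-system-info header, 2 MiB into the partition
VMFS_FSINFO_MAGIC = 0x2FABF15E
FAT_TYPE_OFFSET = 54             # BS_FilSysType field of a FAT12/16 boot sector
VMDK_DESCRIPTOR_MARK = b"# Disk DescriptorFile"  # first line of every VMDK descriptor


def _u32(buf, off):
    """Little-endian uint32 at `off`, or None when the image is too short."""
    if off + 4 > len(buf):
        return None
    return struct.unpack_from("<I", buf, off)[0]


def _count_marker(buf, marker):
    """Count occurrences of `marker` with find(), which works on mmap objects too."""
    n, pos = 0, buf.find(marker)
    while pos != -1:
        n += 1
        pos = buf.find(marker, pos + len(marker))
    return n


def looks_like_fat_boot_sector(volume):
    """True when sector 0 carries a FAT12/16 type label and the 0x55AA signature."""
    boot = volume[:SECTOR]
    return (len(boot) == SECTOR
            and boot[FAT_TYPE_OFFSET:FAT_TYPE_OFFSET + 3] == b"FAT"
            and boot[510:512] == b"\x55\xaa")


def triage(volume):
    """Report which VMFS landmarks survive; never modifies the image."""
    report = {
        "fat_boot_sector": looks_like_fat_boot_sector(volume),
        "volinfo_magic_ok": _u32(volume, VMFS_VOLINFO_OFFSET) == VMFS_VOLINFO_MAGIC,
        "fsinfo_magic_ok": _u32(volume, VMFS_FSINFO_OFFSET) == VMFS_FSINFO_MAGIC,
        "vmdk_descriptors_found": _count_marker(volume, VMDK_DESCRIPTOR_MARK),
    }
    if report["volinfo_magic_ok"] and report["fsinfo_magic_ok"]:
        report["verdict"] = "vmfs_headers_intact"
    elif report["fsinfo_magic_ok"] or report["vmdk_descriptors_found"]:
        # The situation described in the thread: the head of the volume was
        # rewritten, but structures further in are still where they belong.
        report["verdict"] = "header_region_damaged_data_may_survive"
    else:
        report["verdict"] = "no_vmfs_structures_found"
    return report


def triage_file(path):
    """Triage an on-disk image via mmap so a large dump is not read into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return triage(m)


def build_sample_volume(damaged=False):
    """Constructed 3 MiB stand-in for a VMFS partition (not a real dump): only the
    two magic numbers and one descriptor fragment sit where the real structures would."""
    vol = bytearray(0x300000)
    struct.pack_into("<I", vol, VMFS_VOLINFO_OFFSET, VMFS_VOLINFO_MAGIC)
    struct.pack_into("<I", vol, VMFS_FSINFO_OFFSET, VMFS_FSINFO_MAGIC)
    descriptor = (b"# Disk DescriptorFile\nversion=1\ncreateType=\"vmfs\"\n"
                  b"RW 2097152 VMFS \"sample-flat.vmdk\"\n")
    vol[0x280000:0x280000 + len(descriptor)] = descriptor
    if damaged:
        # Mimic the thread's scenario: sector 0 now claims to be FAT16 and the
        # 1 MiB volume-info region is zeroed; nothing beyond 2 MiB is touched.
        vol[FAT_TYPE_OFFSET:FAT_TYPE_OFFSET + 8] = b"FAT16   "
        vol[510:512] = b"\x55\xaa"
        vol[VMFS_VOLINFO_OFFSET:VMFS_FSINFO_OFFSET] = bytes(VMFS_FSINFO_OFFSET - VMFS_VOLINFO_OFFSET)
    return vol


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_file(sys.argv[1]))
    else:
        for flag in (False, True):
            print("damaged" if flag else "intact", triage(build_sample_volume(flag)))
```

Run it against a dd image of the half-mirror (the partition, not the whole disk, so the offsets line up) with `python vmfs_triage.py partition.img`; it only reads. A verdict of "header_region_damaged_data_may_survive" is the case where a header dump and careful header reconstruction are worth attempting before anything is written to the disk.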

ReddeNet
Contributor

Hello Ulli,

Thanks for the reply.

Yes it could be simple to restore it, but ...

I just thought I would gather as much info as I could before committing to a hex editor.

Do you know of a good source of documentation for the VMFS file system?

John
