We are running ESXi version 6 and the primary datastore is iSCSI, located on a Synology 1517+ as RAID 1.
vSphere reported all VMs as unknown, although the iSCSI datastores were still connected.
We removed the disks from the Synology and inspected them with UFS Explorer on a Win10 machine.
The VMFS partitions had been converted to FAT16 ENCRYPTED, containing a README.TXT file: 'All your files have been encrypted! Send bitcoins etc., etc.'
Has anyone else come across this problem and does anyone know of any decryption possibilities?
Thanks in advance
Hi,
some ideas:
ESXi Free 6.5 VM files attacked by encryption ransomware
Alessandro Romeo
It is interesting to note that the ransomware has attacked the files on the VMFS partition, which is another step on from attacking NTFS and EXT4 partitions in Windows and Linux respectively. Clearly this ransomware understands more than just Windows ...
The difference between this problem and mine is that here the ransomware has encrypted the files on the VMFS partition, whereas in my case the ransomware has encrypted the VMFS partition itself (it has been operating at the disk level).
Are you still investigating this problem?
I would like to know how you verified that the complete VMFS volume has been encrypted.
A VMFS volume often looks damaged beyond repair at first sight, but to make a volume look like that, zeroing a single MB at the right location is enough.
Anyway, if you want a second opinion, send a header dump like I described here:
Create a VMFS-Header-dump using an ESXi-Host in production | VM-Sickbay
Ulli
Hi continuum,
Thank you for your reply. I'm sorry for the delay in responding but I am still interested in this problem.
Firstly, the answer to your question: the attached image shows the disk data as viewed with UFS Explorer. The message is one I have seen before on Windows file systems after a ransomware attack. This is the only way that I have ascertained that it is the result of ransomware.
I am unable to do a production header dump because the system was put back online using backups shortly after the attack. What I have is one of the disks from each of the two mirrors on the NAS. The UFS Explorer image shows, in the left pane:-
The partitions on Drive 1 (and this is normal for this NAS with an iSCSI Target from the ESXi) are:-
On Disk 2 the partitions (which should be the same as Disk 1) are:-
The ransomware has clearly changed the partition type to FAT (16???) and written its little message there in the disk header. There is data on this disk which I would like to recover and, before making any move to do so, I would like to get the best advice I can. I do have experience of data recovery from NTFS and FAT partitions, but never with VMFS. I have never tried reversing the work of ransomware either. I also recognise that the partition headers could have been overwritten and recovery (with the right knowledge) could be simple, which is why I act as I do. I never use complex RAID systems, only mirrors, and the reason is that data recovery is soooo much simpler with half a mirror set. Whenever I have a problem like this I always put half the mirrors to one side so that I can review them later.
I would greatly appreciate any comments and assistance.
Regards
John Platt
My two cents would be to contact someone like Kroll Ontrack data recovery.
Hi John
you gave us nothing to work with; looks like you forgot to attach the promised images ...
Ulli
Hi John
sorry for the late reply, spent the last 5 days in bed curing a flu ...
Did you have a closer look at the VMFS that now looks like encrypted FAT?
The FAT partition may have a limited range, but to make it impossible to detect it as VMFS only a very small area needs to be modified. The actual vmdk data later in the volume may not be touched at all.
Ulli
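An added example, not part of this thread or of any tool mentioned in it, of the check Ulli is describing: a per-block entropy map over a raw image of one mirror half, which separates a small overwritten header region from a volume that has genuinely been encrypted end to end. The sample image, the descriptor-style text standing in for untouched vmdk data, and the label thresholds are constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # triage granularity; small enough to show header-only damage as a distinct run

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_block(data: bytes) -> str:
    """Crude label: zeroed / structured (text, metadata, sparse VM data) / encrypted-or-compressed."""
    if not any(data):
        return "zeroed"
    h = shannon_entropy(data)
    if h > 7.5:
        return "encrypted-or-compressed"
    return "structured" if h < 6.0 else "mixed"

def entropy_map(image: bytes, block: int = BLOCK) -> list:
    """(offset, label, entropy) for each run of consecutive blocks sharing a label."""
    runs = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        label = classify_block(chunk)
        if not runs or runs[-1][1] != label:
            runs.append((off, label, round(shannon_entropy(chunk), 2)))
    return runs

def bytes_per_label(image: bytes, block: int = BLOCK) -> dict:
    """Bytes under each label; answers 'is the whole volume encrypted, or only the header?'"""
    totals = {}
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        totals[classify_block(chunk)] = totals.get(classify_block(chunk), 0) + len(chunk)
    return totals

def build_sample_image() -> bytes:
    """Constructed stand-in for a damaged volume (assumption, not a real dump): a ransom note block,
    60 KiB of encrypted header, 64 KiB zeroed, then 128 KiB of untouched descriptor-style text."""
    note = b"All your files have been encrypted! README.TXT".ljust(BLOCK, b"\x00")
    encrypted = b"".join(hashlib.sha256(b"seed%d" % i).digest() for i in range(15 * BLOCK // 32))
    zeroed = bytes(16 * BLOCK)
    descriptor = b'# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\ncreateType="vmfs"\n'
    intact = (descriptor * (32 * BLOCK // len(descriptor) + 1))[:32 * BLOCK]
    return note + encrypted + zeroed + intact

if __name__ == "__main__":
    img = build_sample_image()
    for off, label, h in entropy_map(img):
        print(f"0x{off:08x}  {label:24s} entropy={h}")
    print(bytes_per_label(img))
```

On a real half-mirror, read the raw device (or a dd image of it) into `entropy_map` instead of `build_sample_image()`; a long "structured"/"mixed" tail after a short high-entropy head is the pattern Ulli refers to, where only the header was rewritten.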
Hello Ulli,
Thanks for the reply.
Yes, it could be simple to restore it, but ...
I just thought I would gather as much info as I could before committing to a hex editor.
Do you know of a good source of documentation for the VMFS file system?
John