VMware Cloud Community
messilo
Contributor

my virtual servers won't start

When I start any of the VMs, the message displayed is: Operation failed status :File APP.vmdk was not found

I was left this message, as text, in a txt file on each VM:

>> What happened?

Important files on your network was ENCRYPTED and now they have "babyk" extension.In order to recover your files you need to follow instructions below.
Send 20 Monero to our Monero address. When your payment is successful. Send a screenshot of your payment to our email. We will send the decryption tool to you.

Monero address:47EmNGDtUo4ZURK6dAQjRWSb3pxeZq3DR3eNPTYuRMpygDqpdt7QNJme7CwHDZsgXDe5vF2rAbwRzMz7czsFv7paNXttMRo
Mail:UcfVgXj2XWXb3z@cyberfear.com

>> CAUTION

DO NOT MODIFY ENCRYPTED FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.

Here is the capture of the files of a VM:

[Image: messilo_0-1669407753162.png]

Can you help me? Thank you.

6 Replies
scott28tt
VMware Employee

Which VMware product are you using?

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
a_p_
Leadership

You've unfortunately been hacked, and the files have been encrypted, so there's nothing anyone here in the communities can do for you.

In case you're running the environment in a company, consult your security and/or legal department on how to proceed!

What might also be a good idea is to take the host offline (or isolate it in the network), so that the malware cannot spread further.

In case of a private environment, you may consider ensuring that all other systems are clean, then reinstalling the ESXi host and restoring the VMs from your current backup.

André
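
A read-only triage helper for the situation in this thread, added here as an example (it is not code from any poster or from VMware): it walks a datastore directory and reports, per VM folder, how many files carry the "babyk" extension and whether any .vmdk/.vmx files are still intact. It assumes encrypted files keep their original name plus a ".babyk" suffix and that the ransom note is a .txt file mentioning that extension; the function name and output format are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of a datastore
# after the ".babyk" encryption described above. Nothing is modified.
# Assumption: encrypted files are named <original>.babyk, and the ransom
# note is a .txt file that mentions the extension.

EXT="babyk"   # extension named in the ransom note quoted in the thread

# triage_datastore DIR
# Prints one line per VM folder found directly under DIR:
#   <folder> encrypted=<n> intact=<n> note=<n> status=<CLEAN|PARTIAL|ENCRYPTED>
triage_datastore() {
    ds="$1"
    for vmdir in "$ds"/*/; do
        [ -d "$vmdir" ] || continue            # glob matched nothing
        name=$(basename "$vmdir")
        # Files that carry the ransomware extension.
        enc=$(find "$vmdir" -type f -name "*.$EXT" | wc -l | tr -d ' ')
        # Disk and config files that still have their original names.
        intact=$(find "$vmdir" -type f \( -name '*.vmdk' -o -name '*.vmx' \) \
                 | wc -l | tr -d ' ')
        # Text files that mention the extension (likely ransom notes).
        note=$(grep -l "$EXT" "$vmdir"*.txt 2>/dev/null | wc -l | tr -d ' ')
        if [ "$enc" -eq 0 ]; then
            status=CLEAN
        elif [ "$intact" -eq 0 ]; then
            status=ENCRYPTED                   # no usable disk/config left
        else
            status=PARTIAL                     # some files escaped encryption
        fi
        printf '%s encrypted=%s intact=%s note=%s status=%s\n' \
            "$name" "$enc" "$intact" "$note" "$status"
    done
}

# Run only when a datastore path is given (path is the operator's choice).
if [ "$#" -gt 0 ]; then
    triage_datastore "$1"
fi
```

Folders reported as ENCRYPTED are the ones that have to come from backup; PARTIAL folders still hold some files under their original names.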

Kinnison
Commander

Hi,


Honestly, it seems irrelevant to me which VMware product is used, also because it seems to me that help is being asked to recover encrypted data as a result of a ransomware attack which, obviously in my humble opinion, is never "just a child of bad luck".


Regards,
Ferdinando

scott28tt
VMware Employee

It was relevant in terms of which area of the Communities your post resides in, that is the only reason I asked.

Seems like a moderator moved it to the area for ESXi.

Kinnison
Commander

@scott28tt, good morning,


I'm not at all arguing that you asked which product the user's question was referring to, I only said that the user's question doesn't address any specific VMware product.


Regards,
Ferdinando

scott28tt
VMware Employee

Posts should be in the area for the relevant product so they are seen by the best audience of others who might be able to help.

I can’t remember exactly which area of the Communities this post was created in, but it wasn’t the best area.