soulvoid86
Contributor
Contributor

Rebuilding VMDK descriptor file

Let me start by saying I am not experienced with VMware beyond the workstation application. I only use it for very simple VMs for testing/self education.

I have a personal file server that I had two VMs running on in Workstation 12. Long story short, I was infected by a cryptolock via an RDP brute force attack. This was even able to reach my backups on a separate machine, but it didn't harm the VMs VHD's. When I found the infection, my 2 VMs were still running and perfectly intact. It did manage to encrypt my VMDK descriptor file though, along with my VMX file.

I've gotten to the point of creating a new VMDK descriptor by making a new VM and moving that file to the VHD folder. I know it's not that simple and that I need to configure the descriptor to match the existing disk. I believe my issue is that the UUID doesn't match. I noticed when editing the descriptor in notepad++ that the UUID and longContentID change per disk, so I can only assume that's the missing information I need.

I'm not trying to get the existing VM to run, I'm going to rebuild them, but I want to at least get my DB files off the VHD if possible. Otherwise, I've lost a few years of work..

Hard lesson learned about password strength.. I thought I was being safe enough, but apparently not. (I was targeted for my bitcoin wallet, which was thankfully empty.. I was only trying some new programs on the host, but that was enough for be targeted..)

Thanks in advanced!

0 Kudos
3 Replies
continuum
Immortal
Immortal

>> It did manage to encrypt my VMDK descriptor file though, along with my VMX file.
Then it is probably impossible to rebuild the descriptors.
For unencrypted vmdks creating descriptors is easy - see my notes

VMDK-Handbook-Basics


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

0 Kudos
soulvoid86
Contributor
Contributor

I just checked and I'm out of luck with the log files. They're where they're supposed to be, however, all but the main log file have been encrypted. And the main log files don't contain the data we're looking for, only the last approx. 3 minutes before they were shutdown, which mostly consisted of errors because files were missing.

0 Kudos
soulvoid86
Contributor
Contributor

Just wondering if there might be anything else I can do. I imagine there has to be a way to get this information from the part files for the VHD.

0 Kudos