VMware Cloud Community
JD01
Contributor

ESXi hacked by ransomware

Hey,

we got a problem. It seems as if our ESXi has been hacked through RDP. The host contains two terminal servers which can't be started anymore. The following message is displayed: to decrypt contact falcons@cryptmail.com   enter password:

Is this a known situation or is it possible to decrypt vm-files?

Kind regards

Jürgen Dankow

4 Replies
SCMHenry
Enthusiast

Do you mean that two "terminal server" virtual machines have been compromised, or are you suggesting that the ESXi hypervisor itself has been compromised?

If, as I suspect, you are referring to two Windows virtual machines, then your course of action would be the same as if you were dealing with two corrupted physical Windows machines.

Unless you have a known good "snapshot" of either virtual machine that you may be able to revert to, ESXi will not likely be a factor in your recovery process.

JD01
Contributor

Sorry, not totally correct. It's one Terminal Server and one File Server.

But it's right that the vmdk files are compromised. The above mentioned message appears when I try to start the VM. The hypervisor itself seems to be okay. I can start it and work in it. But I definitely do not know what's in the system.

The attack was so strong that even on a Synology NAS the DSM has been destroyed. At the time of the attack no PC was started - only the VM host and the Synology NAS have been on.

Unfortunately the NAS contained the most recent backups.

I've never seen such an attack before. Even our antivirus partner seems to be surprised.

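The two previous replies hinge on one question: were the VMDK files on the datastore overwritten from outside, or was the Windows guest encrypted from the inside so that ESXi itself is not involved? The following triage script is an added example, not code from this thread or from VMware; it walks a datastore directory, reads the first 4 KiB of every .vmdk and reports whether the file still carries the structure a healthy VMDK should have. The magic values it checks are the published VMware ones ("# Disk DescriptorFile" for descriptor files, "KDMV" for hosted sparse extents, "COWD" for VMFS sparse delta disks) and the 0x55AA boot-signature of an MBR in a flat extent; the datastore layout, file names and the 7.5-bit entropy threshold are constructed assumptions for the demonstration.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Header signatures documented for VMware disk formats.
DESCRIPTOR_PREFIX = b"# Disk DescriptorFile"
SPARSE_MAGICS = (b"KDMV", b"COWD")  # hosted sparse extent / VMFS sparse delta disk

# Assumption for this example: an overwritten or encrypted file shows near-random bytes.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_vmdk(path: str, sample_size: int = 4096) -> str:
    """Classify a single .vmdk by its leading bytes, without needing ESXi tools."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head.startswith(DESCRIPTOR_PREFIX):
        return "descriptor"
    if head[:4] in SPARSE_MAGICS:
        return "sparse-extent"
    # A flat extent of a Windows guest starts with an MBR (or GPT protective MBR).
    if path.endswith("-flat.vmdk") and len(head) >= 512 and head[510:512] == b"\x55\xaa":
        return "flat-extent-with-boot-signature"
    if shannon_entropy(head) > HIGH_ENTROPY_THRESHOLD:
        return "suspect-high-entropy"
    return "unknown"


def triage_datastore(root: str) -> dict:
    """Return {relative path: classification} for every .vmdk under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".vmdk"):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root).replace(os.sep, "/")] = classify_vmdk(full)
    return results


def build_sample_datastore() -> str:
    """Constructed sample datastore (not real data): three intact files, one overwritten."""
    root = tempfile.mkdtemp(prefix="vmdk-triage-")
    vmdir = os.path.join(root, "ts01")
    os.makedirs(vmdir)
    with open(os.path.join(vmdir, "ts01.vmdk"), "wb") as f:
        f.write(b"# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\n")
    with open(os.path.join(vmdir, "ts01-flat.vmdk"), "wb") as f:
        sector = bytearray(512)
        sector[510:512] = b"\x55\xaa"  # MBR boot signature, rest zeroed
        f.write(bytes(sector))
    with open(os.path.join(vmdir, "ts01-000001-delta.vmdk"), "wb") as f:
        f.write(b"COWD" + b"\x00" * 508)
    # Simulated overwritten extent: deterministic pseudo-random bytes stand in for ciphertext.
    rng = random.Random(7)
    with open(os.path.join(vmdir, "fs01-flat.vmdk"), "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    return root


if __name__ == "__main__":
    sample_root = build_sample_datastore()
    for rel, verdict in sorted(triage_datastore(sample_root).items()):
        print(f"{verdict:34s} {rel}")
```

Run it against a copy of the VM folder taken from the datastore (for example after mounting the datastore read-only or copying the folder off with the datastore browser). A flat extent that still carries its boot signature while the guest shows a ransom prompt at boot points at in-guest encryption, which is the situation SCMHenry describes, and recovery then follows the Windows playbook; descriptor or extent files that come back as suspect-high-entropy indicate the datastore files themselves were rewritten, and only an untouched backup or snapshot can help.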
daphnissov
Immortal

So ESXi wasn't compromised; your VMs were, as well as your backups. I hope you have off-site backups because that's going to be your only option at this point.

Temkaorkhon
Contributor

Hello Mate,

I hope you're doing well. I am experiencing a very similar issue and all my Windows VMs are encrypted. I would like to know how you survived this situation, because all my backups are gone too, even though I backed them up on cloud.
