have you ever seen something like that ? Any idea how to solve the problem ?
Looks like SRVERP has the virus not ESXi. Do you have backups of said server? If so, restore SRVERP from backups.
Yep, that's your guest virtual machine that has been infected not ESXi.
Did you create the virtual machine called x911@scryptmail.com? If not, did your ESXi host have any direct access from the the internet, such as SSH?
no ssh, and no internet access, found the vm host as seen on the picture, send an email to them and said full disk encryption (20 bitcoins) to send the password, any other ideas how to decrypt them ?
Well, if it really is a fully encrypted disk, the you might be out of luck unless can get a decryption key...
My hope is they somehow got root access to your host and simply swapped out your original VM with the one prompting for the password (I suspect they got root access somehow due to the newly created VM being there...). This is kindof your best-case scenario at the moment. If they do get the payment they might just swap out the VMs back to their original state, which would be a lot easier/faster than doing full disk encryption/decryption from their part. If that's the case, maybe you can do the same thing without having to pay the ransom...
What you can do is:
Hi, my HP Proliant server have also this hdd encryption this week on monday morning.
encrypt files type *.DBF, *.PDF and ask to send email to x911@scryptmail.com
can you decrypt these files ?