Well, if it really is a fully encrypted disk, the you might be out of luck unless can get a decryption key...
My hope is they somehow got root access to your host and simply swapped out your original VM with the one prompting for the password (I suspect they got root access somehow due to the newly created VM being there...). This is kindof your best-case scenario at the moment. If they do get the payment they might just swap out the VMs back to their original state, which would be a lot easier/faster than doing full disk encryption/decryption from their part. If that's the case, maybe you can do the same thing without having to pay the ransom...
What you can do is:
- Make full backups of everything before you do anything...
- Take a look at the VM configuration. Check to see what VMDKs the hard drives are pointing to.
- Check your datastore and see if there are other VMDKs that may be your original disks.
- Take a look at the newly created VM and see what it's configuration is... maybe there is some useful info/hints in there that can point to an undamaged disk...
- If you find something that looks like your original VMDKs that have been undamaged, you can try mounting them under a working Windows/Linux VM and see if there is any data on them.
- If you don't find any other VMDKs, you can try mounting the "encrypted" VMDKs in a Windows/Linux VM and see if you can see any data (maybe they just installed a boot loader and didn't encrypt the disk?).
- If you don't see any data, you can try running some data recovery software on the disk and see if it finds any files (this would be the case if the partition table was overwritten, but not a fully encrypted disk).
