VMware Communities
Mohammadnehme1
Contributor

Vmdk file ryuk ransomware

Hello.

I would appreciate it if anyone can help.

I have a virtual machine on VMware Player 12. My data got hit by the Ryuk ransomware: the vmdk file was encrypted (.ryk extension added) and all data for the virtual machine profile was deleted.

I was wondering if anyone has any idea about recovering the vmdk file.

I read something about recreating the virtual machine disk descriptor file using an ESXi host.

Can anyone tell me whether this can or might work, or is worth trying?

Note that I have a copy of the vmdk file from the same machine and a copy of the virtual machine configuration, if this might help (backed up years ago).

Appreciate your help.

Thank you.

0 Kudos
2 Replies
a_p_
Leadership

Welcome to the Community,

If the .vmdk data file has been encrypted, then there's no way to use it anymore, like other encrypted files. A new descriptor file won't help, since it basically only describes a .vmdk's size and geometry, and has nothing to do with the user data.

I'm afraid that the only way to get the VM up and running is to restore the files from the old backup.

André

0 Kudos
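For triaging files like the ones discussed in this thread, the sketch below (an added example, not code from any poster or from VMware) parses a text descriptor to show that it carries only extent lines and geometry metadata, and classifies the first sector of a .vmdk by magic bytes and byte entropy. The sample descriptor, the extent name `vm-flat.vmdk`, the function names and the 7.0 entropy threshold are assumptions constructed for illustration.

```python
import hashlib
import math
import shlex
from collections import Counter

SPARSE_MAGIC = b"KDMV"                      # magic of a hosted sparse extent header
DESCRIPTOR_MARK = b"# Disk DescriptorFile"  # first line of a text descriptor

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_descriptor(text: str) -> dict:
    """Collect everything a descriptor holds: extent lines and ddb.* metadata."""
    info = {"extents": [], "ddb": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.split(" ", 1)[0] in ("RW", "RDONLY", "NOACCESS"):
            access, sectors, kind, name = shlex.split(line)[:4]
            info["extents"].append((access, int(sectors), kind, name))
        elif line.startswith("ddb."):
            key, _, value = line.partition("=")
            info["ddb"][key.strip()] = value.strip().strip('"')
    return info

def classify_head(head: bytes, threshold: float = 7.0) -> str:
    """Triage the first sector of a .vmdk; a hint, not proof the data is intact."""
    if head.startswith(SPARSE_MAGIC):
        return "sparse-extent-header"
    if DESCRIPTOR_MARK in head:
        return "text-descriptor"
    if len(head) >= 512 and head[510:512] == b"\x55\xaa":
        return "raw-disk-boot-sector"       # flat extent beginning with an MBR
    if shannon_entropy(head) >= threshold:
        return "unrecognized-high-entropy"  # consistent with encryption
    return "unrecognized"

SAMPLE_DESCRIPTOR = (  # constructed samples from here on, not from the thread
    '# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n'
    'createType="monolithicFlat"\n\nRW 4194304 FLAT "vm-flat.vmdk" 0\n\n'
    'ddb.geometry.cylinders = "4161"\nddb.geometry.heads = "16"\n'
    'ddb.geometry.sectors = "63"\nddb.adapterType = "ide"\n'
)
SAMPLE_SPARSE = SPARSE_MAGIC + bytes(508)
SAMPLE_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(15))

if __name__ == "__main__":
    print(parse_descriptor(SAMPLE_DESCRIPTOR))
    print({n: classify_head(h) for n, h in [("sparse", SAMPLE_SPARSE), ("opaque", SAMPLE_OPAQUE)]})
```

To check a real file, pass `classify_head` the first 512 bytes read from a copy of it, opened read-only.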
Alex_Romeo
Leadership

Hi,

Recovering the encrypted one is very difficult. If you have a copy of the vmdk file, it becomes easier. You have to create a new virtual machine without an HDD. Then, in the edit settings, add a new HDD from an existing file and hook up your vmdk. Turn on the VM and it must work.

ARomeo

Blog: https://www.aleadmin.it/
0 Kudos