2 Replies Latest reply on Feb 13, 2020 12:47 PM by AlessandroRomeo68

    Vmdk file ryuk ransomware

    Mohammadnehme1 Lurker


      I would appreciate it if anyone can help

      I have a virtual machine on a vmware player 12 my data got hit by a ransomware ryuk and the vmdk file was encrypted .ryk extension added and all data for the virtual machine profile was deleted.


      I was wondering if anyone has any idea about recovering the vmdk file.

      I read something about recreating the virtual  machine disk discriptor file using esxi host.

      If anyone can help me if this can or might work or worth trying

      Note that I have a copy of vmdk file same machine and  a copy of the virtual machine configuration if this might help (backed up years ago).


      Appreciate your help


      Thank you

        • 1. Re: Vmdk file ryuk ransomware
          a.p. Guru
          vExpertUser ModeratorsCommunity Warriors

          Welcome to the Community,


          If the .vmdk data file has been encrypted, then there's no way to use it anymore, like other encrypted files. A new descriptor file won't help, since it basically only described a .vmdk's size geometry, and has nothing to do with the user data.

          I'm afraid that the only way to get the VM up and running is to restore the files from the old backup.



          • 2. Re: Vmdk file ryuk ransomware
            AlessandroRomeo68 Master



            recovering the encrypted one is very difficult. If you have a copy of the vmdk file it becomes easier. You have to create a new virtual machine, without HDD. So in the edit settings add a new hdd from an existing file and hook your vmdk. turn on vm and it must work.