Hey everyone! So, we recently took over a client's IT infrastructure after they suffered a ransomware attack back in April. All of their servers went offline, and they couldn't access their files. They found a 'HowToRestoreYourFiles.txt' in every directory of their VMware ESXi datastores. Now, we've rebuilt the entire infrastructure in the cloud, but I've got these Dell PowerEdge R740 servers that still have the original files on them. The problem is, the .vmdk files are encrypted with a .vmdk.emario extension. Is there any way to recover these files or the original VMs? They've lost a lot of crucial data that was only stored locally without backups, and while there was an on-site backup, the hackers wiped out the NAS. If you have any questions, feel free to ask!
5 Answers
Honestly, if the data is worth a lot to the company, it might be best to consult data recovery specialists who know about ransomware recovery. On your own, there’s usually not much that can be done if the backups are gone.
Some cryptolockers only encrypt the descriptor file and leave the actual data intact. If that’s the case, you might be able to reconstruct the descriptor file manually and regain access to your data. I faced a similar issue, but unfortunately, one of the key servers had unfixable snapshots.
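The check this answer describes, as an added example that is not code from the thread: before hand-writing a descriptor for an encrypted `.vmdk`, confirm that the matching `-flat.vmdk` extent still looks like a disk (MBR boot signature in sector 0, GPT header magic in sector 1) and that byte samples spread across the file are not uniformly high-entropy, since a locker that only encrypts the first few megabytes of a large file leaves a clean-looking tail, and one that encrypts intermittently leaves a clean-looking head. If the extent passes, the script emits a minimal VMFS descriptor in the layout ESXi's own tools write. The `vm01-flat.vmdk` name, the `lsilogic` 255/63 geometry convention and the hardware version are assumptions for illustration; the fixture disk is constructed in a temp directory so the script runs offline.

```python
"""Check whether a *-flat.vmdk extent still looks like a disk image and, if so,
rebuild a plain VMDK descriptor for it. Added example; file names are assumptions."""
import math
import os
import tempfile

SECTOR = 512
# Heads/sectors-per-track convention ESXi uses for SCSI (lsilogic) and IDE
# adapters; assumed from descriptors vmkfstools writes, not taken from the thread.
GEOMETRY = {"lsilogic": (255, 63), "ide": (16, 63)}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_flat_extent(path, sample_size=4096, samples=8):
    """Plausibility check on a flat extent: MBR signature in sector 0, GPT header
    magic in sector 1, and the entropy of samples spread across the whole file.
    A good header alone does not prove the body is intact (some lockers encrypt
    only parts of large files), hence the spread-out samples."""
    size = os.path.getsize(path)
    entropies = []
    with open(path, "rb") as f:
        head = f.read(2 * SECTOR)
        for i in range(samples):
            f.seek((size * i) // samples)
            entropies.append(shannon_entropy(f.read(sample_size)))
    return {
        "size_bytes": size,
        "sector_count": size // SECTOR,
        "mbr_signature": head[510:512] == b"\x55\xAA",
        "gpt_signature": head[SECTOR:SECTOR + 8] == b"EFI PART",
        "min_sample_entropy": min(entropies),
        "max_sample_entropy": max(entropies),
    }


def build_descriptor(flat_name, size_bytes, adapter="lsilogic", hw_version=14):
    """Return the text of a minimal VMFS descriptor that references `flat_name`."""
    if size_bytes % SECTOR:
        raise ValueError("flat extent size is not a whole number of sectors")
    heads, sectors = GEOMETRY[adapter]
    total = size_bytes // SECTOR            # extent size is given in 512-byte sectors
    cylinders = total // (heads * sectors)  # floor, as ESXi reports it
    return (
        "# Disk DescriptorFile\n"
        "version=1\n"
        'encoding="UTF-8"\n'
        "CID=fffffffe\n"
        "parentCID=ffffffff\n"
        'createType="vmfs"\n'
        "\n"
        "# Extent description\n"
        f'RW {total} VMFS "{flat_name}"\n'
        "\n"
        "# The Disk Data Base\n"
        "#DDB\n"
        "\n"
        f'ddb.adapterType = "{adapter}"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        f'ddb.geometry.heads = "{heads}"\n'
        f'ddb.geometry.sectors = "{sectors}"\n'
        f'ddb.virtualHWVersion = "{hw_version}"\n'
    )


def write_constructed_sample(path, size_bytes=16 * 1024 * 1024):
    """Constructed fixture: a sparse, zero-filled 'disk' carrying an MBR boot
    signature and a GPT header magic, standing in for an intact flat extent."""
    with open(path, "wb") as f:
        f.truncate(size_bytes)
        f.seek(510)
        f.write(b"\x55\xAA")
        f.seek(SECTOR)
        f.write(b"EFI PART")
    return size_bytes


def demo_on_constructed_sample():
    """Run the check and the rebuild against the fixture; returns (report, descriptor)."""
    with tempfile.TemporaryDirectory() as d:
        flat = os.path.join(d, "vm01-flat.vmdk")  # hypothetical file name
        write_constructed_sample(flat)
        report = inspect_flat_extent(flat)
        descriptor = build_descriptor("vm01-flat.vmdk", report["size_bytes"])
    return report, descriptor


if __name__ == "__main__":
    report, descriptor = demo_on_constructed_sample()
    print(report)
    if report["mbr_signature"] or report["gpt_signature"]:
        print(descriptor)
```

Run it against a copy of the real extent (never the only copy) and, if the signatures are present and the sampled entropy is not uniformly near 8 bits, save the output as `vm01.vmdk` beside the flat file and attach it to a throwaway VM on an isolated network; if every sample is near 8 bits, the data extent itself was encrypted and the descriptor trick will not help.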
So, no backups and you're just transferring compromised files to a new setup? Honestly, it's a rough spot, and you might want to reconsider your approach.
I'm not copying any files; the servers are completely offline now. I just booted into a live Linux Mint to check for files.
Welcome to the nightmare! Without offsite or offline backups, recovery options are pretty much gone. A solid disaster recovery plan is crucial for anyone handling critical infrastructure. It's essential to ask what you would do if a fire, flood, or some other disaster strikes.
At least now they have a backup in a separate datacenter! That’s a good improvement from their previous setup that had no plan whatsoever.
What kind of malware was used in this attack? There might be a decryption tool available for it, depending on the specifics.
They just came out of bankruptcy, so they can't afford to pay the hackers or specialists for recovery. But this situation should definitely make them rethink their IT budgeting! At least now they’ve updated everything to Windows 11 and set up separate VLANs.