Channel: VMware Communities : Discussion List - ESXi

ESXi Free 6.5 VM files attacked by encryption ransomware


Hi,

I have a Windows 2003 server with VMTools installed still running perfectly after an encryption ransomware attack.

Here is the directory structure after the attack:

    Directory: \\filer02\esxdata2\server2

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
------        5/09/2018     13:46     8589672726 server2-6449dc7a.vswp.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        8/11/2018     22:59    42950459662 server2-flat.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        5/09/2018     13:46           8926 server2.nvram.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        5/09/2018     13:47            908 server2.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------       28/07/2018     15:05              0 server2.vmsd
-a----        5/09/2018     13:47           4170 server2.vmx.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------       28/07/2018     18:02              0 server2.vmx.lck
------        5/09/2018     13:47           3644 server2.vmxf.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        8/11/2018     20:26    10597367058 server2_1-flat.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        5/09/2018     13:47            928 server2_1.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        8/11/2018     22:51    40812590354 server2_2-flat.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        5/09/2018     13:47            928 server2_2.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        5/09/2018     13:46         277692 vmware-1.log.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        5/09/2018     13:46         591384 vmware.log.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------        5/09/2018     13:47      116130086 vmx-server2-1682562170-1.vswp.id-3EF81AC7.[bolkemafetehia@aol.com].combo


Now a test Windows 10 server which suffered the same fate did not restart after a guest reboot, so I'm going to assume the same will happen for server2.

 

How can I backup/migrate/whatever the running server2?

Keep in mind I am running ESXi Free 6.5.

Could I use xsibackup, which uses VMTools?

A free solution would be great, but would getting an Essentials License for ESXi 6.5, which would allow use of the backup APIs, work?

From the above file list, you can see that, whilst all the critical files have been renamed, the flat files have current date stamps, so they probably aren't encrypted.

Consequently, it is trivial to just rename them. However, you can see server2.vmdk, server2_1.vmdk and server2_2.vmdk all have date stamps from 5/09/2018, which are likely to be encrypted.


I have an old backup of a non-consolidated server2 from 2016, which would be ESXi 4.1. Could I use those .vmdk files?

If this is at all possible, I'll give more detail in a later response.

 

As the VM is still running, it seems reasonable to be able to migrate to a new VM with datastore files of integrity.

 

Thanks in advance.
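As an added triage helper (not from the post, VMware or any backup tool), assuming the listing's timestamps are d/m/Y local time and that the renaming run is the 13:46 to 13:47 window on 5/09/2018, this script parses a copy of the listing, strips the ransomware suffix to recover each original file name, and flags which files were last written inside that window versus since by the still-running VM; it also checks whether a small .vmdk descriptor still begins with the plain-text header a real descriptor has.

```python
import re
from datetime import datetime

# Suffix the ransomware appended to every file it touched, as seen in the post's listing.
SUFFIX_RE = re.compile(r"\.id-[0-9A-Fa-f]{8}\.\[[^\]]+\]\.combo$")

# Constructed subset of the post's directory listing: Mode, LastWriteTime (d/m/Y H:M), Length, Name.
LISTING = """\
------  5/09/2018 13:46  8589672726 server2-6449dc7a.vswp.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------  8/11/2018 22:59 42950459662 server2-flat.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------  5/09/2018 13:47         908 server2.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------ 28/07/2018 15:05           0 server2.vmsd
-a----  5/09/2018 13:47        4170 server2.vmx.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------  8/11/2018 20:26 10597367058 server2_1-flat.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
------  5/09/2018 13:47         928 server2_1.vmdk.id-3EF81AC7.[bolkemafetehia@aol.com].combo
"""

# Assumed attack window: the minutes in which the renamed files were last written by the ransomware.
ATTACK_WINDOW = (datetime(2018, 9, 5, 13, 46), datetime(2018, 9, 5, 13, 47))


def parse_listing(text):
    """Turn PowerShell-style listing lines into dicts with name, mtime and size."""
    rows = []
    for line in text.splitlines():
        mode, date, time, length, name = line.split(maxsplit=4)
        rows.append({"name": name, "size": int(length),
                     "mtime": datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M")})
    return rows


def triage(rows, window):
    """Recover original names and classify each file by its last-write time:
    inside the attack window means the ransomware rewrote it (likely encrypted);
    later means the running VM has written it since (contents likely intact)."""
    _start, end = window
    result = {}
    for r in rows:
        original = SUFFIX_RE.sub("", r["name"])
        if original == r["name"]:
            status = "untouched"
        elif r["mtime"] > end:
            status = "written-since-attack"
        else:
            status = "likely-encrypted"
        result[original] = {"current": r["name"], "size": r["size"], "status": status}
    return result


def triage_post_listing():
    return triage(parse_listing(LISTING), ATTACK_WINDOW)


def descriptor_looks_valid(data):
    """A real VMDK descriptor is plain text starting with this header; an encrypted copy is not."""
    return data.startswith(b"# Disk DescriptorFile")


if __name__ == "__main__":
    for name, info in triage_post_listing().items():
        print(f"{info['status']:22} {info['size']:>12} {name}")
```

Against the real datastore, walk the directory with os.scandir instead of a pasted listing, and read the first bytes of each small .vmdk through descriptor_looks_valid before deciding anything is safe to rename.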
