
My ESXi server was running from a USB stick that got corrupted and as a result prevented my server from booting. I fixed this by reinstalling ESXi on a new memory stick and began re-adding all of my VMs.

However, when I try to start them up it is saying that it cannot find the VMDK file, and it appears to have added a suffix of .lock4 to all files in all of my VM folders.

I've tried removing the lock4 suffix, but this does not seem to help.

I've been sitting in a freezing cold server room for 5hrs now, so any help is really appreciated :)

```
mail1-uk.server.com-aux.xml     mail1-uk.server.com.vmx   vmware-2.log.lock4  vmware-5.log.lock4
mail1-uk.server.com-flat.vmdk   mail1-uk.server.com.vmxf  vmware-3.log        vmware.log
mail1-uk.server.com.nvram       vmware-1.log              vmware-3.log.lock4  vmware.log.lock4
mail1-uk.server.com.vmdk.lock4  vmware-1.log.lock4        vmware-4.log        vmx-mail1-uk.server.com-3109620673-1.vswp
```

ewwhite
jim

1 Answer

You've been hit with a VMware ESXi variant of ransomware. Your VMware datastore's contents have been encrypted. The attacker likely got into your system via ESXi SSH.

There may be a ransom note in the top level of the datastore. Look for a "Readme" text file.

See: https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

ewwhite
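A read-only triage sketch for the situation above, added here as an example and not part of the original question or answer: it inventories files that carry an unknown suffix stacked on a normal VMware extension (such as `.vmdk.lock4`) and lists top-level "Readme"-style files. The function names and the `KNOWN_EXT` set are assumptions made for illustration, and the sample input is the listing from the question.

```python
import os
from collections import Counter

# Assumption: extensions ESXi normally writes in a VM folder (not exhaustive).
KNOWN_EXT = {".vmx", ".vmxf", ".vmdk", ".nvram", ".vswp", ".vmsd", ".vmsn",
             ".vmem", ".log", ".xml", ".lck"}

# Constructed sample: the folder listing posted in the question.
SAMPLE = """
mail1-uk.server.com-aux.xml mail1-uk.server.com.vmx vmware-2.log.lock4
vmware-5.log.lock4 mail1-uk.server.com-flat.vmdk mail1-uk.server.com.vmxf
vmware-3.log vmware.log mail1-uk.server.com.nvram vmware-1.log
vmware-3.log.lock4 vmware.log.lock4 mail1-uk.server.com.vmdk.lock4
vmware-1.log.lock4 vmware-4.log vmx-mail1-uk.server.com-3109620673-1.vswp
""".split()

def triage_names(names):
    """Find names with an unknown suffix stacked on a known VMware extension."""
    present = set(names)
    report = {"suffixed": [], "original_missing": [], "suffix_counts": Counter()}
    for name in sorted(present):
        stem, ext = os.path.splitext(name)
        inner = os.path.splitext(stem)[1].lower()
        if ext and ext.lower() not in KNOWN_EXT and inner in KNOWN_EXT:
            report["suffixed"].append(name)
            report["suffix_counts"][ext] += 1
            if stem not in present:  # no copy left under the original name
                report["original_missing"].append(stem)
    return report

def find_notes(datastore_root):
    """Top-level files with 'readme' in the name (the answer's hint)."""
    return sorted(f for f in os.listdir(datastore_root)
                  if "readme" in f.lower()
                  and os.path.isfile(os.path.join(datastore_root, f)))

def scan_datastore(datastore_root):
    """Apply triage_names to every folder under the datastore root."""
    hits = {}
    for folder, _dirs, files in os.walk(datastore_root):
        report = triage_names(files)
        if report["suffixed"]:
            hits[folder] = report
    return hits

if __name__ == "__main__":
    rep = triage_names(SAMPLE)
    print("suffix counts:", dict(rep["suffix_counts"]))
    print("only a suffixed copy exists for:", rep["original_missing"])
```

On the question's listing, the descriptor `mail1-uk.server.com.vmdk` is among the files that exist only with the suffix, which is consistent with the "cannot find the VMDK file" error. The functions only read directory listings and change nothing on disk.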