ESXi Ransomware
greenhost_cloud
Member
in General
We have an old ESXi server that has been infected with ransomware, and the file extensions have been changed to .locker.
Does anyone have any knowledge about this ransomware?
Any information you could provide would be greatly appreciated.

Comments
Based on the file extension it's likely Babuk-based ransomware, but you should compare the ransom note with the ones in this thread to be sure: https://www.bleepingcomputer.com/forums/t/754087/babukbabuk-locker-ransomware-babuk-babyk-doydo-support-topic/
No known decryptors available, so you might have to pay the ransom if you need the VMs back.
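The comment above suggests identifying the family from the appended extension and the ransom note. As an added example (not code from this thread or from any of its posters), here is a small triage script that walks a copy of the affected datastore, inventories files carrying the `.locker` extension by their original extension, and collects candidate ransom notes by SHA-256 so that one hash per distinct note can be compared against the samples posted in public support threads. The mount path, the note-filename heuristics and the sample directory tree are assumptions or constructed test data; only the `.locker` extension comes from the thread.

```python
"""Triage helper: inventory files renamed by ransomware and collect candidate
ransom notes for comparison against known samples.

Added example, not code from the thread. Assumes the affected datastore is
mounted read-only (or copied) at a local path; the .locker extension comes
from the thread, everything else (note filename heuristics, sample tree) is
an assumption or constructed test data.
"""
import hashlib
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".locker"          # extension reported in the thread
# Ransom notes are typically small text files dropped beside encrypted data;
# the name fragments below are assumptions, not a known indicator for any family.
NOTE_HINTS = ("readme", "recover", "how_to", "how to", "restore", "decrypt")
MAX_NOTE_BYTES = 64 * 1024


def sha256_file(path):
    """Hash a file in chunks so large VMDKs never have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root):
    """Walk root and return (encrypted_paths, original_ext_counts, notes).

    notes is a dict {sha256: [paths]}; identical notes dropped into many
    directories collapse to one hash that can be compared with published samples.
    """
    encrypted, orig_ext, notes = [], Counter(), {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # the original extension sits just before the appended .locker
                stem = name[: -len(ENCRYPTED_EXT)]
                orig_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1
            elif any(h in lower for h in NOTE_HINTS) and os.path.getsize(path) <= MAX_NOTE_BYTES:
                notes.setdefault(sha256_file(path), []).append(path)
    return encrypted, orig_ext, notes


def build_sample_datastore():
    """Constructed sample tree standing in for an ESXi datastore (test data only)."""
    root = tempfile.mkdtemp(prefix="datastore_")
    vm = os.path.join(root, "vm01")
    os.makedirs(vm)
    for fname in ("vm01.vmdk.locker", "vm01-flat.vmdk.locker", "vm01.vmx.locker"):
        with open(os.path.join(vm, fname), "wb") as f:
            f.write(b"\x00" * 32)          # placeholder ciphertext
    note = b"Your files are encrypted. Contact us.\n"   # constructed note text
    for d in (root, vm):
        with open(os.path.join(d, "How To Restore Your Files.txt"), "wb") as f:
            f.write(note)
    with open(os.path.join(vm, "unaffected.log"), "wb") as f:
        f.write(b"ok\n")
    return root


def summarize(root):
    """Compact summary suitable for pasting into a support thread or ticket."""
    enc, exts, notes = triage(root)
    return {
        "encrypted_count": len(enc),
        "original_extensions": dict(exts),
        "distinct_notes": len(notes),
        "note_hashes": sorted(notes),
    }


if __name__ == "__main__":
    # Point summarize() at the real (read-only) datastore path in practice.
    print(summarize(build_sample_datastore()))
```

Run it against a read-only copy of the datastore, never the live host: the extension histogram shows what was actually hit (VMDK, VMX, logs) and the note hash is what you compare with the samples others have posted before deciding whether the family identification holds.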
Babuk is old-timer ransomware. I doubt that even the malicious actor could decrypt. Usually skids playing around. Scanned > found > auto-infect. Sad, lack of competency and just pure laziness makes data go away.
Assuming (a) the threat actor will actually decrypt if you pay them, and (b) they can decrypt. That link has people commenting that there are bugs in the Babuk code and they can't decrypt.
It appears that there is no solution available for this issue.
I can't definitively say that it is Babuk. There was another model in the past that could be used to extract VMDK files with specific solutions.
Unfortunately for this type there is almost none except restore from backup.
You can try some brute-force decrypt, but it might take ages even on ultra-high-end GPUs.
I understand your loss, we had our fair share of customers going through this also, most only lost a few days or weeks of data, depending on the backup retention they had, we do have some that needed to re-do 15+ years of accounting.
Be safe guys, use condom!