I recently got involved with a GlobeImposter 2 infection on a Hyper-V cluster - whereby the host computers on the cluster were infected, including all of the Virtual Hard Drive (VHD) files for their virtual machines, but none of the actual virtual machines appear infected. Most of their backups were offsite, so other than the hassle of the restore, everything is "OK". However, this has got me with two questions I cannot seem to Google:
1. GlobeImposter 2 appears to mostly infect / encrypt the first few MB of a file and then move on. Is that true? If so, in this particular case, would any of the available VHD repair tools be able to help out? From our purpose, this is essentially a corrupt virtual hard drive at this point.
2. There is some concern that data may have been sent to attackers. This is over 16TB of virtual hard drives. Does GlobeImposter 2 send data offsite? It appears to "just" infect and corrupt locally.
Thanks so much!