Rellik

MegaLocker virus on .vdi files


One of our servers had a SAMBA share left open for reasons we are unclear of. Currently the VMs running on the machine are fine (seems to be in memory) but if they reboot the .vdi files are unusable. We do have backups but this would of course result in a lot of work reinstalling these servers.

I have tried the decrypt tool on some offline .vdi files but it will not work.

What happened to your files ?
All of your files were protected by a strong encryption with AES cbc-128 using NamPoHyu Virus.

What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
Your unique id: 6C95029F8EFD463899B724524B86F659

This is the ID on our files.

On 8/17/2019 at 5:49 AM, Rellik said:

I have tried the decrypt tool on some offline .vdi files but it will not work.

That just means we don't have the key for your files in our database. In theory it might be possible for more to be added in the future, however there's no way to know if or when that will happen.

 

On 8/17/2019 at 5:49 AM, Rellik said:

One of our servers had a SAMBA share left open for reasons we are unclear of. Currently the VMs running on the machine are fine (seems to be in memory) but if they reboot the .vdi files are unusable. We do have backups but this would of course result in a lot of work reinstalling these servers.

In this case I think backups would be the best course of action. Outside of paying the ransom (which we prefer not to encourage) there's more than likely no way to recover the virtual drives. While it might sound reasonable to copy the data from the running VMs, keep in mind that your virtualization software can no longer read from the virtual disks, and thus it would fail to copy any data that was not already loaded into memory in the VMs.
