
How to Rebuild (Recover) VMware vSphere After A Ransomware Attack

Ransomware actors are targeting VMware vSphere environments. Are you ready to recover?

Notice I do not call this a VMware vSphere ransomware recovery operation; if we are talking on prem, this is a rebuild operation. If vSphere has been compromised, it is ALL TRASH. Throw it all away and start over.

I am also working on a longer form e-book on VMware ransomware which I hope to release soon.

What to do RIGHT NOW

The time is NOW to start planning for rebuilding from a ransomware attack.

FIRST BACK UP YOUR VMs! While we are going to focus on your vSphere infrastructure, if you do not have VM backups it does not matter at the end of the day.

Read these blog posts to understand a little bit more about what you are up against.

You need to have a basic understanding of how VMware vSphere is currently configured so you can document the settings when you need them later.

If you have vSphere Enterprise Plus licensing:

  • Create & Export host profile configuration
  • Export distributed virtual switch configuration

If you do not have vSphere Enterprise Plus:

  • Document ESXi host settings
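One way to capture these settings with VMware PowerCLI, as an added example that is not the author's own tooling. The vCenter name and output directory are placeholders, and the last two loops only return results when host profiles and distributed switches exist (Enterprise Plus).

```powershell
# Added example: document ESXi host settings to JSON for a later rebuild.
# Assumptions: VMware PowerCLI is installed; $vCenter and $outDir are placeholders.
$vCenter = 'vcenter.example.internal'
$outDir  = 'D:\vsphere-docs'   # copy the result to offline media afterwards

Connect-VIServer -Server $vCenter | Out-Null
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($esx in Get-VMHost) {
    $doc = [ordered]@{
        Name       = $esx.Name
        Version    = $esx.Version
        Build      = $esx.Build
        Cluster    = $esx.Parent.Name
        Model      = $esx.Model
        NtpServers = @(Get-VMHostNtpServer -VMHost $esx)
        DnsServers = @((Get-VMHostNetwork -VMHost $esx).DnsAddress)
        SyslogHost = (Get-AdvancedSetting -Entity $esx -Name 'Syslog.global.logHost').Value
        VMKernel   = @(Get-VMHostNetworkAdapter -VMHost $esx -VMKernel |
                       Select-Object Name, IP, SubnetMask, PortGroupName, Mtu,
                                     VMotionEnabled, ManagementTrafficEnabled)
        vSwitches  = @(Get-VirtualSwitch -VMHost $esx -Standard |
                       Select-Object Name, Mtu, @{N = 'Uplinks'; E = { $_.Nic -join ',' }})
        PortGroups = @(Get-VirtualPortGroup -VMHost $esx -Standard |
                       Select-Object Name, VLanId, VirtualSwitchName)
        Services   = @(Get-VMHostService -VMHost $esx |
                       Select-Object Key, Policy, Running)
        Datastores = @(Get-Datastore -RelatedObject $esx |
                       Select-Object Name, Type, CapacityGB)
    }
    # One JSON file per host, readable without vCenter during a rebuild.
    $doc | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $outDir "$($esx.Name).json")
}

# Enterprise Plus: export host profiles and distributed switch configuration.
foreach ($hp in Get-VMHostProfile) {
    $file = Join-Path $outDir "$($hp.Name).prf"
    Export-VMHostProfile -Profile $hp -FilePath $file -Force | Out-Null
}
foreach ($vds in Get-VDSwitch) {
    $file = Join-Path $outDir "$($vds.Name).zip"
    Export-VDSwitch -VDSwitch $vds -Destination $file -Force | Out-Null
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Store the output somewhere the vSphere environment and its credentials cannot reach, since documentation kept on a datastore or domain-joined share is lost along with everything else.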

Our goal is to fully automate ESXi builds & configurations (this takes time and effort, I know, we are going to break it down over time).

Stay tuned.

Consider a vSphere Rescue Cluster.

What is a vSphere Rescue Cluster?

A rescue vSphere cluster is a two or more node vSphere cluster meant for rescue operations for your complete environment. It should REMAIN OFF AND UNPLUGGED except for patching operations. Yes, I am overly paranoid.

If you are choosing to replicate critical VMs, it should be DISCONNECTED FROM THE NETWORK when replication has finished.

What should you have in your Rescue Cluster?

  • vCenter
  • AD/DNS
  • Supporting infrastructure for ESXi rebuilds based on method
  • Software images needed
  • Needed software for VM level recovery
  • Stay tuned for more

VMware Cloud Rescue Host/Cluster

Now is a great time to consider a host or small cluster in your favorite VMware Cloud as your rescue cluster. Yes, you read that right, and we all know I hate the cloud.

Why? Simple. If law enforcement quarantines your Prod and DR on prem environments, you still need a place to recover to.

Be sure to have a copy of your backup data in your cloud of choice.

After the attack, scale your cluster.

What Happens During a Ransomware Attack for VMware Administrators

You as the VMware administrator are not alone. You will be working closely with various other teams such as your data protection/backup team and the security incident response teams.

Incident response teams may be in house, or your organization may hire a team to help.

The scope of the incident will need to be determined before you can begin your rebuild and recovery operations.

Disaster Day is Here

Let’s walk through what is going to happen after a ransomware attack, and what you will need to recover.

Question 1: Do You Have Anything?

No, nothing.

Format ESXi hosts, manually reinstall ESXi software. You need to get two ESXi hosts installed before you do anything else, and cluster them.

  • Deploy vCenter
  • Deploy VM recovery software
  • Begin VM recovery as you continue to rebuild the vSphere environment.

Yes, vMiss, we have a rescue cluster.

Begin additional host rebuilds. Initiate VM recovery as instructed by incident response teams.

We have a VMC Rescue Cluster

Begin to scale your cluster, so that you will have space for VM recovery.

Stay tuned for more…


This document is a work in progress. Please sign up so I can e-mail you when I have made significant changes.
