frakman1 Posted June 12, 2020

Some nasty ransomware got me. It encrypted the vdisk1.img file of an Ubuntu VM while that VM is still up. Is there any way to recover/recreate that file from a running VM (from RAM?) before it is restarted? Same thing with my Android VM. The compromise was from a Windows PC on the network with an unsecured login. It had some UNRAID folders shared through SAMBA so that's how the vdisks got encrypted. I already shut that Win PC down and have things under control. The Linux VM itself is clean and I want to maintain its contents and environment that I set up. Only the UNRAID shares were impacted. Luckily no folder was shared in the VM itself.

Edited June 12, 2020 by frakman1
JonathanM Posted June 13, 2020

Since the VM is up, can you still copy your home folder content elsewhere? Pretty much anything critical in an Ubuntu install should be in your user's home folder. I'm fuzzy on how the file got encrypted while it was held open by KVM. Are you sure it was encrypted?
frakman1 (Author) Posted June 13, 2020

Well, I wanted the whole filesystem, not just my home dir. I didn't want to re-install and tweak everything from scratch. I ended up using rsync to a brand new VM with the same OS and that worked. Unfortunately, the Android VM didn't make it as it rebooted before I got to it. Yes, it absolutely did encrypt and rename the file and render it unreadable. That's why the Android VM couldn't boot.