Ransomware and "freezing" virtual machines

Kind of a weird question, is it possible to use the “freezing” option in vmtools to “freeze” an OS that is being ransomware’d to prevent more damage?
I know it's not a solution, but it would be a good temporary stop until the machines can be unplugged from Ethernet.
The company I work for recently got hit by Akira ransomware and we got pretty lucky with data, but all of our Windows machines had to be reimaged and Windows servers had to be reinstalled.

So that is why I’m wondering.

Mmm. Depending on how you are set up, you can use Docker to do this. I'll attach two links: one to configure VMware Tools for Docker, and the second is about Docker container pause. Also, if you are not running an AI-assisted security switch application, you should look into that.

https://hub.docker.com/r/corfr/vmware-tools

Power-off is the only correct answer here.

Nothing else will stop the bleeding, as memory will be pulled down and saved using any of the gentler options; further, you will not have ready access to the VMDK, as a flag is set that prevents access from within ESXi.

You then need to boot another OS and mount the VMDK to exfil all data. This can be done within ESXi on another VM.

Obviously having full backups for 30 days may not be feasible for most enterprises, but at least weekly full images give you a chance.

The malware will still be there going back at least 4 weeks, but you can remove it before the activation was invoked if you spoof the NTP sources domain-wide.

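The "cut the cable, then hard power-off, then mount the disk elsewhere" sequence from the reply above, written as an added VMware PowerCLI example (not code from the thread or from VMware). It assumes PowerCLI is installed, a session is already open via Connect-VIServer, and $VmName is a placeholder for the VM you are responding on.

```powershell
# Added example: isolate and hard-stop a VM suspected of running ransomware.
# Assumes an existing Connect-VIServer session; $VmName is a placeholder.
param(
    [Parameter(Mandatory)] [string] $VmName
)

$vm = Get-VM -Name $VmName -ErrorAction Stop

# Step 1: disconnect every vNIC first. This is the virtual equivalent of
# pulling the Ethernet cable and stops lateral spread without touching the guest.
Get-NetworkAdapter -VM $vm |
    Set-NetworkAdapter -Connected:$false -StartConnected:$false -Confirm:$false |
    Out-Null

# Step 2: hard power-off, not Suspend-VM. A suspend writes guest RAM to disk
# next to the VMDK and keeps the disk locked; a kill halts encryption now.
# (If your IR plan needs volatile memory, New-Snapshot -Memory before this
# step is the trade-off; the reply above favours stopping the bleeding first.)
if ($vm.PowerState -eq 'PoweredOn') {
    Stop-VM -VM $vm -Kill -Confirm:$false | Out-Null
}

# Step 3: record the VMDK paths so they can be attached to a clean recovery VM
# for data extraction once the original VM is off.
Get-HardDisk -VM $vm | Select-Object Name, Filename, CapacityGB
```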