Akira ransomware on ESXi vCenter at a regional logistics firm · 47 VMs · 94% data in 5 days
The VMware vCenter of a regional logistics firm operating in 8 provinces was encrypted by an Akira variant at 04:17. 47 VMs (ERP, warehouse management, driver tablets, file servers) were affected and the NAS replica had already been encrypted 4 hours earlier. The demand was 320K USD in bitcoin. With hybrid recovery (tape + LFE + log replay) DSET restored 94% of the data in 5 days and no ransom was paid.
01 The Challenge
At 04:17 in the morning the on-duty engineer called: "all VMs are down, .akira extension." ESXi 6.7 was unpatched and the attacker had entered via CVE-2021-21974 OpenSLP. Because of the NAS replica replication chain, the backups were encrypted too. Operations were losing 300 € per minute and OEM contract penalties were at risk. 12,400 customers were affected by cargo delays.
02 DSET's Approach
T+0 · Containment
The ESXi hosts were powered off from the power button (attacker cut off). A forensic image was taken. It was determined that 12 VMs were partially unencrypted (an LFE recovery chance).
T+8h · DSET on site
The DSET data recovery + incident response team on site. A tape backup with a clean version from 6 days earlier was ready. Transaction logs were available for SQL log replay.
T+24h · Hybrid recovery
Three channels in parallel: (a) tape restore, (b) LFE (Last File Encryption) recovery, (c) SQL transaction log replay. The ERP database was the first priority.