
We have been hit by ransomware and some of our Hyper-V images have been encrypted (primary & replica server). On the one that didn't get hit, the client OS (Windows Server) was still running, but almost all the files inside it got encrypted too.

We had set up replication before this attack took place, and I see some HRL file lying around in the same folder as the VM disk image. As I understand it, this file contains the replica log that Hyper-V uses to update the replica server.

Since this HRL file contains tracking changes, can we undo those changes from this HRL file? If so, how can we do it?

I haven't been able to find a way to undo from the HRL file. Most Google searches only show how to delete these files.

The host was using Windows Server 2012 R2 on both the primary and replica servers.

So our situation is as follows:

  1. The VM that had been running didn't get encrypted, but the files inside it were encrypted.
  2. That VM has replication to the replica server, but the VM on the replica server got encrypted too.
Ariwibawa

`1.` I don't believe it's possible to recover the VM from the HRL file. `2.` Open a support case with Microsoft to see what assistance they can provide. `3.` Restore your virtual machines from the latest known good backups prior to this event. – joeqwerty Mar 21 '22 at 12:01
