The shared drive is unique to each customer, in addition to being unique to a region.
Ransomware-encrypted files on your shared drive are the result of one or more of your VMs in that region being infected. Access to shared drive content is customer-managed, and Skytap has no control over the content stored within a regional shared drive.
How does a guest OS become infected?
There are many ways malicious entities infiltrate operating systems. Some examples may include:
- A public IP address attached to a VM exposes it to malicious entities probing for vulnerabilities or flaws in the operating system (such as Windows) or in software installed on Windows or other operating systems
- A user who has access to the account could have unknowingly installed a software package that had been compromised
- Using a browser within the guest OS of a VM and visiting sites that have been compromised can infect the guest OS
Potential next steps
Skytap recommends that you follow your company's security processes to decide what actions to take when dealing with a potential security incident. If a VM is infected, any copies of that VM in either configurations or templates may also carry the infection. If the VM was created from a template in your account, it's possible the source template is also infected. Skytap recommends checking all regional shared drives to confirm the risk of exposure.
Administrators in your Skytap account can disable the shared drive from the Admin Settings page, which deletes all data from your shared drive. This action does not resolve the source of the infection; you will still need to track down the infected VMs. Please note that deleted data is not recoverable.
Once you've remediated the ransomware infection, Skytap recommends reviewing our suggestions for protecting VMs exposed to the Internet and using anti-virus and/or anti-malware software within your VMs to help prevent any future compromises.
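When checking a regional shared drive for exposure, one quick triage is to look for files whose contents are near-uniformly random, since ransomware-encrypted data has byte entropy close to 8 bits per byte while ordinary documents, logs and source files sit well below that. The script below is an added example, not Skytap code; it assumes the shared drive is mounted at a local path that you pass on the command line, and the entropy threshold, the skipped compressed-format magic numbers and the constructed sample files are all assumptions made for illustration. It is a heuristic for deciding where to look first, not a substitute for anti-malware scanning.

```python
"""Triage a mounted shared drive for files that look ransomware-encrypted.

Added example, not Skytap code. Heuristic: encrypted data is close to random,
so its Shannon entropy approaches 8 bits/byte. Already-compressed formats are
also high-entropy, so they are skipped by magic number to reduce false hits.
"""
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

HEAD_BYTES = 64 * 1024        # only the first 64 KiB of each file is sampled
ENTROPY_THRESHOLD = 7.5       # assumed cut-off, bits per byte
MIN_SIZE = 256                # files smaller than this are too short to judge

# Magic numbers of formats that are legitimately high-entropy (assumed list).
COMPRESSED_MAGIC = (
    b"PK\x03\x04",    # zip, docx, xlsx, jar
    b"\x1f\x8b",      # gzip
    b"\x89PNG",       # png
    b"\xff\xd8\xff",  # jpeg
    b"%PDF",          # pdf (streams are usually deflate-compressed)
    b"7z\xbc\xaf",    # 7-zip
    b"Rar!",          # rar
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file head is high-entropy and not a known compressed format."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if len(head) < MIN_SIZE:
        return False
    if head.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage_drive(root) -> dict:
    """Walk the mounted drive and return scanned count plus suspicious paths."""
    suspicious = []
    scanned = 0
    for dirpath, _dirs, files in os.walk(Path(root)):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.is_symlink():
                    continue
                scanned += 1
                if looks_encrypted(p):
                    suspicious.append(p)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return {"scanned": scanned, "suspicious": suspicious}


def build_sample_drive() -> str:
    """Constructed sample data standing in for a shared drive (not real content)."""
    d = tempfile.mkdtemp(prefix="shared_drive_sample_")
    (Path(d) / "notes.txt").write_bytes(b"quarterly report draft\n" * 200)
    (Path(d) / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(4096))
    (Path(d) / "report.docx.locked").write_bytes(os.urandom(4096))
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    result = triage_drive(target)
    print(f"scanned {result['scanned']} files under {target}")
    for p in result["suspicious"]:
        print(f"  high-entropy, possibly encrypted: {p}")
```

Run it as `python triage.py /path/to/mounted/shared/drive`; with no argument it scans the constructed sample directory. A burst of flagged files sharing a new extension or clustered by modification time is the signal to treat that VM and any templates it was created from as suspect.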