As ransomware evolves and the attack surface changes, attackers are now targeting ESXi hosts and their datastores.
The attackers have written Perl scripts to encrypt the datastores and the ESXi install. This leaves both the VMs and the ESXi install encrypted, so nothing will boot.
1) Check the current state of the TPM mode, Secure Boot and Executables Only From Installed VIBs settings:
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
2) First enable TPM (skip if the output above shows Mode: TPM):
esxcli system settings encryption set --mode=TPM
/sbin/auto-backup.sh
3) Enable secure boot:
esxcli system settings encryption set --require-secure-boot=T
4) Enable execInstalledOnly:
esxcli system settings kernel set -s execInstalledOnly -v TRUE
Reboot the host.
5) Set the execInstalledOnly enforcement:
esxcli system settings encryption set --require-exec-installed-only=T
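
To confirm that the steps above took effect, the following added example (not part of the original post) parses the output of `esxcli system settings encryption get` and reports which step is still outstanding. The function names are hypothetical, and the sample output is constructed from the values shown in step 1.

```shell
#!/bin/sh
# Added example: audit `esxcli system settings encryption get` output
# against the target state of steps 2-5. Names here are hypothetical.

# Constructed sample: the values shown in step 1.
SAMPLE_OUTPUT='Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true'

# get_field NAME: print the value of the "NAME: value" line read from stdin.
# Leading indentation and trailing whitespace/CR are ignored.
get_field() {
    awk -F': *' -v key="$1" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t\r]+$/, "", v); print v; exit }'
}

# check LABEL WANT GOT FIX: print one result line, count mismatches.
check() {
    if [ "$3" = "$2" ]; then
        echo "OK    $1 = $3"
    else
        echo "FAIL  $1 = ${3:-MISSING} (want $2) -> $4"
        findings=$((findings + 1))
    fi
}

# audit_encryption: read the command output on stdin and return the number
# of settings that differ from the hardened state (0 = compliant).
# A missing line counts as a failure, so truncated output never passes.
audit_encryption() {
    out=$(cat)
    findings=0
    for spec in "Mode|TPM|step 2" \
                "Require Secure Boot|true|step 3" \
                "Require Executables Only From Installed VIBs|true|steps 4-5"
    do
        name=${spec%%|*}; rest=${spec#*|}
        check "$name" "${rest%%|*}" \
              "$(printf '%s\n' "$out" | get_field "$name")" "${rest#*|}"
    done
    return "$findings"
}

# On a host: esxcli system settings encryption get | audit_encryption
printf '%s\n' "$SAMPLE_OUTPUT" | audit_encryption || true
```

The return code is the number of failing settings, so the function can gate a scheduled compliance job.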