VMware vSphere

Hi guys, this week we were attacked by Lockbit 3.0 ransomware on a vSAN datastore. A total of 51 out of 240 VM directories were encrypted including vCenter. the ransomware encrypted files in each VM directory such as "vmx", "vmsn", "nvram", some ".vmdk" files.

for example, our server DNS is infected. 

is it possible to recover the infected VMs using the remaining .vmdk files? Your information is very helpful to us

Thank you.

Unfortunately  no, because you only have your snapshot file which contains the changes of the last 2 days. You havent display the complete filesizes but running only for 2 days and with a normal data change ratio your snap only contains a few percentage of your data.
It will be different if you have a snapshot running for 2 years or so and in this time the system refreshed 99% all blocks or so. Than you can have some luck together with a file system repair that you can convert a snap into a basedisk.

Regards,
Joerg

What if only 1 vmdk and vmx are encrypted. is it possible to recreate a new vm? if it's possible, please tell me how. thank you very much.

Based on your Screenshot the Basedisk *.vmdk isnt encrypted so you can easily deploy a new fresh VM from scratch (without a vDISK) and than you choose "add existing vDisk" to the VM and it will boot.  Please detach the vDisk from the non work VM because if you delete this VM later you will also delete your working vmdk which is now attached to the new VM.

If youre back i business please move the vDisk into the same folder as your new VM. This can be down by a svMotion for example. Please avoid spreading vDisk over multible folder/luns which inconsistent folder names.

Regards,
Joerg

you could always copy the VMDK to a workstation and try to recreate a VM using the VMDK with VMware Workstation or Fusion. But chances are probably 99.99% you will need to recover from a backup.