When validating a VM in ransomware recovery, you can analyze and select from the snapshot history of the VM, considering the change rate and entropy rate for all snapshots.
The snapshot timeline appears in three places: when you first start a VM in validation and select a snapshot, on the Timeline tab during validation, and when you try a different snapshot during validation.
Change Rate and Entropy Rate
As you start recovering a VM from a ransomware attack, become familiar with change rate and entropy rate:
When VMware Cloud DR detects an unusually high change rate and entropy rate, it can indicate unusual activity, such as a ransomware attack encrypting the data. The snapshot taken before the onset of such activity might be a snapshot that still contains unencrypted data.
For example, a common type of ransomware attack involves encrypting the user files and removing other files from the guest VM. During a malicious encryption operation, the incremental snapshot includes the encrypted data in addition to regular modified VM data.
Because the VMware Cloud DR snapshot is always incremental, only the modified or new data transfers to the cloud backup. Compared with a normal snapshot where no ransomware attack is occurring, a problem snapshot has more data transferred, and a higher percentage of that transferred data is encrypted, which shows up as a high entropy rate.
The presence of more data in a snapshot is suspicious and shows a higher change rate than normal compared to other snapshots (for example, snapshots taken at the same time of day or the same day of the week), or compared to other similar VMs that are not under attack.
Expired Snapshots on the Timeline
On the snapshot timeline, you might see changes in entropy rate and change rate even at points where no snapshots appear.
When you see entropy rate and change rate metrics where no snapshots exist, you are looking at data from expired snapshots. VMware Cloud DR retains the metrics associated with expired snapshots to provide fine-grained data points that can help you discover anomalies in the snapshot history.
For example, you have snapshots A and B, yet on the snapshot timeline you see entropy rate and change rate data between the two snapshots. This indicates that snapshots existed between A and B but have since expired.
If you see variations in entropy rate and change rate in the time interval between the two snapshots, it might indicate suspicious or malicious behavior during that time, so you can decide whether to select a snapshot prior to A or a later snapshot after B.
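The following added example (not VMware Cloud DR code; the metric definitions, thresholds and the constructed timeline are assumptions) shows how change rate and entropy rate can be computed per incremental snapshot, how an encryption-like burst stands out against the earlier baseline, and how metrics from expired points still feed the detection while only a retained snapshot can be chosen for recovery.

```python
import math
import random
from collections import Counter
from statistics import median

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4 to 5 for text,
    close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot_metrics(changed_bytes: bytes, vm_size: int):
    """(change_rate, entropy_rate) for one incremental snapshot: the fraction
    of the VM rewritten since the previous snapshot, and the entropy of only
    the rewritten bytes (the data that was actually transferred)."""
    return len(changed_bytes) / vm_size, shannon_entropy(changed_bytes)

def find_anomalies(timeline, vm_size, change_factor=3.0, entropy_min=7.0):
    """timeline: list of (name, changed_bytes, retained). Expired points
    (retained=False) keep their metrics, as on the VMware Cloud DR timeline.
    A point is anomalous when its change rate exceeds change_factor times the
    median of the earlier points AND its entropy exceeds entropy_min
    (assumed thresholds, not the product's own)."""
    metrics = [snapshot_metrics(b, vm_size) for _, b, _ in timeline]
    anomalies = []
    for i, (cr, er) in enumerate(metrics):
        prior = [m[0] for m in metrics[:i]]
        if len(prior) >= 2 and cr > change_factor * median(prior) and er > entropy_min:
            anomalies.append(timeline[i][0])
    return anomalies

def last_clean_retained(timeline, anomalies):
    """Latest still-retained snapshot that precedes the first anomaly."""
    names = [n for n, _, _ in timeline]
    cutoff = names.index(anomalies[0]) if anomalies else len(names)
    clean = [n for n, _, kept in timeline[:cutoff] if kept]
    return clean[-1] if clean else None

# Constructed sample timeline for a 64 KiB VM: normal days write under 1 KiB
# of log text; on "day5" 16 KiB of pseudo-random (encryption-like) data lands.
VM_SIZE = 64 * 1024
def text_delta(day):
    return b"".join(b"%s: app wrote record %04d\n" % (day.encode(), k) for k in range(32))
TIMELINE = [
    ("day1", text_delta("day1"), True),
    ("day2", text_delta("day2"), False),  # expired, metrics kept
    ("day3", text_delta("day3"), False),  # expired, metrics kept
    ("day4", text_delta("day4"), True),
    ("day5", random.Random(7).randbytes(16 * 1024), True),  # encryption-like burst
    ("day6", text_delta("day6"), True),
]
```

Running `find_anomalies(TIMELINE, VM_SIZE)` flags only day5, and `last_clean_retained` then points at day4 as the candidate for recovery, skipping the expired day2 and day3 points even though their metrics helped establish the baseline.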