To use ransomware recovery with integrated security and vulnerability analysis, you first must enable the services.

Enable integrated security and vulnerability analysis in your recovery plans to recover from a ransomware attack (or to test one). When you run a recovery plan for ransomware recovery, integrated vulnerability and behavioral analysis and malware signature scanning begins.

Performing this task requires that your user has the Organization owner role. If you are an MSP partner using the CPN (Cloud Provider Network) console, you must activate Ransomware Recovery Services in each tenant organization by a user with Provider Admin permissions.

Allowing Activation of NSX-T Advanced Firewall

VMware NSX-T Advanced Firewall is required to enable network isolation levels. NSX-T Advanced Firewall is an on-demand, chargeable feature that activates a full range of network isolation levels when performing validation on the recovery SDDC.

You can authorize VMware Cloud DR to automatically activate the advanced firewall only for the duration of ransomware recovery or testing, and you can pay for the service on-demand, or you can subscribe to NSX-T Advanced Firewall or explicitly enable it in the VMC Console. When you enable NSX-T Advanced and run a ransomware recovery plan, VMs in validation are started in the Quarantined+Analysis network isolation level.

If you activate integrated analysis but do not enable NSX-T Advanced Firewall, and then run a recovery plan, the VM starts on the recovery SDDC with full outbound connectivity. To create your own custom network isolation level, see Create a Custom Network Isolation Level.
Note: Applying or changing a network isolation level for a VM overwrites any firewall configurations that were previously set for the VM.

For more information, see NSX Advanced Firewall for VMware Cloud on AWS.

Activating ransomware recovery services requires the following user roles: Organization Owner, Global Console Admin, and Orchestrator Admin.


  1. From the left navigation, select Settings.
  2. Under Integration, click the Ransomware Recovery Services button.
  3. In the Ransomware services integration dialog box, click the Activate Integrated Analysis button.
  4. Read and then confirm each of the risks described in the dialog box, and then click Activate.
    If you have a recovery SDDC deployed, then a security workload VM is installed in the SDDC when you activate security and vulnerability scanning. If you have not yet deployed a recovery SDDC, then the workload VM is installed when you deploy the SDDC.
    After activating security and vulnerability scanning, when you run a recovery plan for ransomware and start a VM in validation, security sensors are installed on Windows VMs. For Linux VMs, you must manually install the security sensor. For more information, see Manual Sensor Installation.
    Integrated analysis might not be compatible with preinstalled security software on VMs. You can configure the recovery plan to pause before the VM starts in validation, so you can uninstall the security software when you run the recovery plan and start the VM in validation, by adding a pause to the plan when you run it.
  5. After scanning is activated, you can click Allow Activation of Advanced Firewall. If you already have a subscription to the advanced firewall active in your SDDC, the option is already enabled. If you do not have a subscription to NSX-T Advanced Firewall, you can buy one here: NSX Advanced Firewall for VMware Cloud on AWS.
  6. Confirm that you acknowledge the statements in the dialog box, and then click Activate.

What to do next

Once you have activated ransomware recovery services, you can create a protection group and a recovery plan. Then you can recover VMs if you experience a ransomware attack.