To use ransomware recovery with integrated security and vulnerability analysis, you must first enable the services.

Enable integrated security and vulnerability analysis in your recovery plans to recover from a ransomware attack (or to test such a recovery). When you run a recovery plan for ransomware recovery, integrated vulnerability and behavioral analysis and malware signature scanning begin.

When you activate integrated security and vulnerability analysis, you can choose the country in which you want data to be analyzed. Activation also causes VMware Cloud DR to deploy a Carbon Black Cloud Workload VM on the recovery SDDC. This VM manages communication between VMware Cloud DR and the Carbon Black Cloud servers.

Allowing Activation of NSX Advanced Firewall

VMware NSX Advanced Firewall for VMware Cloud on AWS is required to enable advanced network isolation levels, including the useful 'quarantine isolation' with Carbon Black Cloud access.

NSX Advanced Firewall is an on-demand feature that activates a full range of network isolation levels when performing validation on the recovery SDDC. You can authorize VMware Cloud DR to automatically activate the advanced firewall only during ransomware recovery or testing.

If your SDDC already has NSX Advanced Firewall enabled, VMware Cloud DR leverages the already deployed NSX Advanced Firewall and does not activate or deactivate any NSX Advanced Firewall services, and no additional on-demand NSX charges are incurred.

If your SDDC does not have NSX Advanced Firewall enabled, VMware Cloud DR will enable it each time you run a recovery plan for ransomware. When the last concurrent plan is disabled, NSX Advanced Firewall is also deactivated.
Note: If you notice the VMware Cloud DR UI stating that there is a charge for NSX Advanced Firewall, you can ignore the message. There is no charge for VMware Cloud DR ransomware recovery users to use NSX Advanced Firewall.

When you enable NSX Advanced Firewall and run a ransomware recovery plan, VMs in validation are started in the Quarantined+Analysis network isolation level.

If you activate integrated analysis but do not enable NSX Advanced Firewall, and then run a recovery plan, VMs start on the recovery SDDC with full outbound connectivity. To create your own custom network isolation level, see Create a Custom Network Isolation Level.
Note: Applying or changing a network isolation level for VMs overwrites any firewall configurations that were previously set for those VMs.

For more information, see NSX Advanced Firewall for VMware Cloud on AWS.

Activating ransomware recovery services requires the following user roles: Organization Owner, Global Console Admin, and Orchestrator Admin.


  1. From the left navigation, select Settings.
  2. Under Integration, click the Ransomware Recovery Services button.
  3. In the Ransomware services integration dialog box, click the Activate Integrated Analysis button.
  4. Select the country where data will be analyzed. (This operation might take 30 seconds to one minute to complete.)
  5. Read and then confirm each of the items described in the dialog box, and then click Activate.
    If you have a recovery SDDC deployed, then a security workload VM is installed in the SDDC when you activate security and vulnerability scanning. If you have not yet deployed a recovery SDDC, then the workload VM is installed when you deploy the SDDC.
    After activating security and vulnerability scanning, when you run a recovery plan for ransomware and start a VM in validation, security sensors are installed on Windows VMs.
    For automatic sensor installation, VMware Tools version 11.2 or later must be installed on the VM and must include the Carbon Black Cloud launcher. For Linux VMs, you must install the Carbon Black Launcher manually before sensor installation. To uninstall any pre-existing sensors, see Uninstalling Sensors.
    Integrated analysis might not be compatible with preinstalled security software on VMs. You can configure the recovery plan to pause before VMs start in validation, so you can uninstall the security software when you run the recovery plan and start VMs in validation.
  6. After you activate scanning, you can click Allow Activation of Advanced Firewall.
    Note: You can access the Carbon Black Cloud by clicking the Open Console button.
  7. Confirm that you acknowledge the statements in the dialog box, and then click Activate.
    When ransomware recovery services are enabled, the dialog box indicates that ransomware services are activated.

What to do next

Once you have activated ransomware recovery services, you can create a protection group and a recovery plan. Then you can recover VMs if you experience a ransomware attack. If you want to change the country selected for data analysis, see Change Country for Ransomware Data Analysis.