Ransomware recovery has similarities with disaster recovery, but there are key differences that require unique automation workflows to guarantee the security of production workloads, shorten recovery times, and reduce data loss.

For instance, during ransomware recovery you cannot be certain that snapshots are not infected without validating those snapshots. Unlike disaster recovery, the most recent snapshots are likely compromised in a ransomware attack. Ransomware recovery must be always performed under the assumption that malware is embedded in the snapshot data.

Snapshots must be either validated to be free of infection, or malware must be removed during the ransomware recovery process to avoid reintroducing ransomware into a production environment. Because snapshots are potentially infected, they cannot be directly recovered to the production environment. Instead, snapshots must be initially restored into the Isolated Recovery Environment (IRE) for a security analysis.

The VMware Cloud Disaster Recovery Recovery SDDC is augmented with preconfigured network isolation levels that enables an IRE during ransomware recovery. Ransomware recovery often involves multiple recovery iterations to identify a malware-free backup or to "clean" from a chosen snapshot (malware removed). To avoid reinfection, you restore snapshots to the production environment only following validation in the recovery workflow.

You can use a recovery plan for both disaster and ransomware recovery, but enabling ransomware recovery requires explicit plan configuration.

The following table provides a comparison of the main differences between ransomware recovery and disaster recovery:
Disaster Recovery Ransomware Recovery

Objective

Recovery of business operations with minimal downtime and data loss.

Recovery of compromised data with minimal loss, while providing data integrity and security assurance.

Recovery site

The Recovery SDDC in VMware Cloud on AWS. Workloads can be made externally available immediately upon recovery.

A protected site. VMs are validated and 'cleaned' in the IRE in the Recovery SDDC prior to restoring them to the protected site to avoid reinfection of production workloads. Workloads are made externally available only following security validation.

Snapshot retention

Limited snapshot retention time to accommodate the disaster recovery use case, with the latest snapshot being the primary recovery candidate.

Longer snapshot retention. Ransomware 'dwell time' (duration between infection and manifestation) can range from weeks to months. VMware recommends at least 3 months retention for ransomware recovery.

Recovery Point Objective (RPO)

Disaster recovery RPO is configured through snapshot schedules based on business needs. Recent snapshots are likely encrypted and/or infected and might not be suitable for recover, which can result in higher RPO. Early detection improves RPO.

Recovery Time Objective (RTO)

Instant power-on in the Recovery SDDC.

Higher RTO due to security validation in the IRE prior to recovery to the protected site.

Orchestration

Full automation with recovery plans that allow for unattended recovery. A recovery plan recovers all protected VMs to a recovery site.

Iterative recovery requires control over recovery workflow state transitions. Partial recovery of subsets of protected VMs is possible.

Tools

VMware Cloud Disaster Recovery Orchestrator.

In the addition to using the VMware Cloud Disaster Recovery Orchestrator, requires backup validation and remediation with integrated or third party security tools. Preconfigured network isolation levels available for use during validation.