The ransomware recovery workflow includes several sets of tasks based on ransomware recovery states:

Note: During ransomware recovery, VMware Cloud DR can process a maximum of 50 VMs at a time. This limit applies to starting VMs, staging VMs, recovering VMs, powering off VMs, changing network isolations, selecting new snapshots, and so on. For example, if 25 VMs are currently being started on the recovery SDDC, you can only operate on 25 more VMs until the other 25 VMs have finished starting.
Each task below lists its actions and, where one applies, the ransomware recovery state that the VMs are in while that task runs.

Prepare for ransomware recovery

Enable Ransomware Services for ransomware recovery and optionally enable integrated vulnerability and behavior scanning.

Create a protection group. A protection group replicates snapshots on a regular schedule to a cloud file system. VMs in the group are included in a recovery plan.

Create a Recovery Plan. When you create a recovery plan for ransomware, you configure many settings, such as selecting protection groups and configuring ransomware recovery.


Start Recovery Plan for Ransomware Recovery

Run a Recovery Plan for ransomware recovery.

Ransomware Recovery state: In backup

Start VMs on the Recovery SDDC

When you start VMs in validation, it is considered an 'iteration'. Every time you change snapshots of VMs in validation, it is a new iteration. You can iterate VMs in validation as many times as you want.

When you start VMs in validation, the following behaviors occur:
  • VMware Cloud DR uses Live Mount to instantly power on the selected VM snapshot on the recovery SDDC.
  • A security sensor is automatically installed on Windows VMs, if the recovery plan is enabled for integrated security and vulnerability analysis, and if VMware Tools version 11.2 or later is installed on the VM.

    For Linux VMs, VMware Tools version 11.2 is also required, but you must manually install the Linux sensor. For more information, see Manual Sensor Installation.

    Any pre-existing third party or Carbon Black sensors should be uninstalled before proceeding with ransomware validation. For more information, see Uninstalling Sensors.

When you start VMs for ransomware recovery, VMware Cloud DR begins integrated security and vulnerability analysis of the VMs.
Note: Currently, malware signature scans for Linux VMs do not report progress in the UI. The scan still occurs, but the progress indicator remains "in progress" even after the scan is finished.

Ransomware Recovery state: In validation

Iterate security analysis and remediation

View the snapshot timeline to analyze snapshot change rate and entropy rate.

You can try a different snapshot for VMs, for example to find the snapshot with the least entropy and a higher compression rate.

Badge snapshots for VMs you know are clean or infected.

Monitor security events and alerts generated by integrated behavioral analysis and malware scanning.

Inspect OS and application vulnerabilities from an integrated vulnerability scan.

Manually patch vulnerabilities and remove malware.

Guest file recovery. Recover individual files and directories from a VM snapshot, if you need to replace damaged files with the original versions from an earlier date.

Change the network isolation levels for VMs running on the recovery SDDC.

Discard VMs in the recovery SDDC, if you want to validate VMs from different snapshots.

Copy the IP address of a VM and open the VM in vCenter.

Open a VM in the security console for threat hunting and remediation.

Ransomware Recovery state: In validation / In backup

(During analysis and remediation, VMs can be moved between the in-backup and in-validation states.)
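The snapshot-timeline step above chooses a recovery point from entropy, compression and change-rate signals. As an added example (not VMware Cloud DR code), the Python below computes Shannon entropy, zlib compression ratio and byte change rate for a series of constructed sample snapshots and returns the newest snapshot before the first anomalous one; the thresholds (7.0 bits/byte, 50% change) are assumed illustrative values, not product settings.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; encrypted data stays close to 1.0."""
    return len(zlib.compress(data, 9)) / len(data) if data else 1.0

def change_rate(prev: bytes, cur: bytes) -> float:
    """Fraction of byte positions that differ between two consecutive snapshots."""
    width = max(len(prev), len(cur)) or 1
    a, b = prev.ljust(width, b"\0"), cur.ljust(width, b"\0")
    return sum(x != y for x, y in zip(a, b)) / width

def analyze(snapshots):
    """Per-snapshot metrics, oldest first: [(label, entropy, compression_ratio, change_rate)]."""
    rows, prev = [], None
    for label, data in snapshots:
        rate = change_rate(prev, data) if prev is not None else 0.0
        rows.append((label, shannon_entropy(data), compression_ratio(data), rate))
        prev = data
    return rows

def last_clean_snapshot(snapshots, entropy_limit=7.0, change_limit=0.5):
    """Label of the newest snapshot before the first one whose entropy or change
    rate crosses a threshold (assumed values); None if even the oldest is suspect."""
    clean = None
    for label, entropy, _ratio, rate in analyze(snapshots):
        if entropy >= entropy_limit or rate >= change_limit:
            break  # first anomalous snapshot: everything after it is also suspect
        clean = label
    return clean

# Constructed sample "snapshots" of one VM disk region, oldest first (not real data).
_BASE = b"The quick brown fox jumps over the lazy dog. " * 92  # 4140 bytes of text
_RNG = random.Random(2024)
SNAPSHOTS = [
    ("day1", _BASE),
    ("day2", _BASE[:100] + b"*** edited paragraph ***" + _BASE[124:]),  # ordinary edit
    ("day3", bytes(_RNG.getrandbits(8) for _ in range(len(_BASE)))),   # looks encrypted
]
```

Calling `last_clean_snapshot(SNAPSHOTS)` returns "day2": day3 shows near-maximal entropy, almost no compressibility and a change rate near 100%, the pattern a mass-encryption event leaves on the timeline.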

Power off and stage validated VMs

When you power off and stage validated VMs, VMware Cloud DR takes snapshots of the VMs, which are used for recovery to a protected site.

Restart validation from a protected site snapshot. This restarts the validation iteration for VMs with the same or different snapshots.

Badge snapshots that you know are clean or infected.


Recover VMs

You can recover staged validated VMs to the protected site where they originated.

You can also recover VMs to another protected site, if you have other protected sites configured.


End Recovery

When you are finished validating and recovering VMs, you can end ransomware recovery by stopping the recovery plan.