VMware Ransomware Recovery provides an isolated recovery environment (IRE) on a VMware Cloud recovery SDDC that allows you to inspect, analyze, and recover infected VMs before restoring them to a production environment.

Figure 1. Ransomware Recovery Workflow
You start ransomware recovery and select a VM to recover. You select a snapshot and power on the VM in the recovery SDDC. If the snapshot is compromised, you badge it accordingly and try a different snapshot until you find a clean one. When the snapshot is not compromised, you increase the network isolation level and monitor behavior. If there are any vulnerabilities, you manually patch them and remove malware. If necessary, you can pull newer data from a later snapshot. Finally, you power off, stage, and recover the VM to the protected site. You can then end the ransomware recovery.
Ransomware Recovery Task Description
Start ransomware recovery plan and start VMs in recovery SDDC.
  • When you start VMs in recovery SDDC, VMs are powered on into an isolated recovery environment (IRE) on a VMware Cloud recovery SDDC.

  • When you run a plan for ransomware recovery, all VMs included in the plan can be analyzed and validated in a network-isolated recovery SDDC with restricted firewall rules, disconnected from the internet. You can select VMs from the list included in the plan, choose a snapshot from a protection group, and start validating VMs.

  • During validation, select a VM snapshot based on two factors shown on the snapshot timeline: change rate and entropy rate. Then, you start VMs in the recovery SDDC.

  • Snapshots must be either validated as free of infection, or malware must be removed to avoid reintroducing ransomware into a production environment. When validating VMs, you select historical snapshots of each VM so you can analyze the change rate and entropy rate across all snapshots.

  • For more information about selecting a VM snapshot, see View the Snapshot Timeline.
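Change rate and entropy rate are the two timeline signals the text above relies on for picking a snapshot to validate. The following Python, added here as an illustration and not VMware's own implementation, applies that heuristic to constructed snapshot data: it computes per-snapshot Shannon entropy and block change rate, flags the first snapshot where both spike (the alert thresholds are assumed values), and picks the newest earlier snapshot as the candidate to validate first.

```python
import math
import random

# Constructed sample data (not real VMware snapshots): four 4 KiB snapshots of one disk
# region. 0 and 1 are ordinary text; 2 and 3 were overwritten with high-entropy bytes.
random.seed(7)
_TEXT = (b"quarterly report: revenue up 4%. see attached ledger.\n" * 80)[:4096]
_EDIT = _TEXT[:2048] + _TEXT[2048:].replace(b"revenue", b"margins")  # a routine edit
SNAPSHOTS = [_TEXT, _EDIT] + [bytes(random.getrandbits(8) for _ in range(4096)) for _ in range(2)]

ENTROPY_ALERT = 7.0  # assumed threshold, bits per byte: text sits around 4-5, ciphertext near 8
CHANGE_ALERT = 0.5   # assumed threshold: fraction of 512-byte blocks differing from previous snapshot

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def change_rate(prev: bytes, cur: bytes, block: int = 512) -> float:
    """Fraction of fixed-size blocks that differ between two consecutive snapshots."""
    nblocks = max(1, -(-max(len(prev), len(cur)) // block))  # ceiling division
    changed = sum(prev[i:i + block] != cur[i:i + block] for i in range(0, nblocks * block, block))
    return changed / nblocks

def timeline(snapshots):
    """Oldest-first list of (entropy, change_rate, suspicious) per snapshot."""
    rows = []
    for i, snap in enumerate(snapshots):
        ent = shannon_entropy(snap)
        chg = 0.0 if i == 0 else change_rate(snapshots[i - 1], snap)
        # Only the combination is alarming: a large edit of plain text is routine.
        rows.append((round(ent, 2), round(chg, 2), ent >= ENTROPY_ALERT and chg >= CHANGE_ALERT))
    return rows

def last_clean_index(snapshots):
    """Newest snapshot before the first suspicious one: the one to validate first."""
    for i, (_, _, suspicious) in enumerate(timeline(snapshots)):
        if suspicious:
            return i - 1 if i > 0 else None
    return len(snapshots) - 1

if __name__ == "__main__":
    for i, row in enumerate(timeline(SNAPSHOTS)):
        print(f"snapshot {i}: entropy={row[0]} change_rate={row[1]} suspicious={row[2]}")
    print("candidate for validation:", last_clean_index(SNAPSHOTS))
```

Snapshot 1 has a 50% change rate but low entropy, so it is treated as a normal edit; snapshot 2 is the first where high change rate and high entropy coincide, which is the pattern an encryption pass leaves on the timeline.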

Perform security analysis and remediation
When you start VMs in validation, the following behavior occurs:
  • VMware Live Cyber Recovery uses Live Mount to instantly power on the selected VM snapshot on the recovery SDDC.

  • If the recovery plan has integrated security and vulnerability analysis activated, and if VMware Tools version 11.2 or later is installed on the VM, a security sensor is automatically installed on Windows VMs.

  • For Linux VMs, VMware Tools version 11.2 is also required, but you must manually install the Linux sensor.

    For more information, see Manual Sensor Installation.

  • When you start VMs in validation, they are put into a Quarantined+Analysis network. Those VMs can only connect over the internet to integrated security and vulnerability servers on Carbon Black Cloud and to basic network services like DNS and NTP.

    For more information, see Network Isolation Levels.

  • As you analyze VMs from snapshots, badge the snapshots to distinguish between good and bad ones.

    For more information, see Badge Snapshots.

Power off, stage and recover VMs

When powering off and staging VMs, VMware Live Cyber Recovery takes a snapshot of the VMs to prepare them for recovery to a protected site. The staging snapshot reflects the current state of the VMs in validation.

End ransomware recovery

Ending the recovery plan deletes all staging snapshots, removes running VM instances in the recovery SDDC, and resumes snapshot retention schedules for VMs in the plan. After you end a recovery plan, it reverts to a ready state.

For more information on ransomware recovery workflow, see Ransomware Recovery.

Start Ransomware Recovery for Critical Workloads with Cloud-Based Ransomware Recovery for VMware Cloud Foundation

To begin the ransomware recovery, select the VMs from the VM list included in your recovery plan.

Procedure

  1. Log in to the VMware Cloud Services console at https://console.cloud.vmware.com/ with a user assigned the VMware Live Cyber Recovery Protection Admin role.
  2. On the Services page, locate the VMware Live Recovery tile, and click Launch service.
  3. On the VMware Live Recovery page, for the region where the service is enabled, click Manage region.
  4. On the VMware Live Cyber Recovery page, in the left pane, click Recovery plans.

  5. On the Recovery plans page, click the Recovery plan you want to run.

  6. On the Recovery plan page, click Ransomware Recovery.
  7. In the Ransomware recovery dialog box, click Start ransomware recovery and wait for the completion of the process.

  8. On the Recovery plan page, in the VM list pane, click the VM name.
  9. On the VM page, in the Start workflow pane, click Start VM in recovery SDDC.

  10. In the Validate VM in recovery SDDC dialog box, in the Snapshots section, select the snapshot and click Start VM in recovery SDDC.

Perform Security Analysis and Remediation for Cloud-Based Ransomware Recovery for VMware Cloud Foundation

When you start VMs for ransomware recovery, VMware Live Cyber Recovery begins integrated security and vulnerability analysis of the VMs.

Prerequisites

  • Verify VMs have VMware Tools version 11.2 or later installed.

  • Verify VMs can reach Carbon Black Cloud servers to send security analysis data during ransomware recovery.

  • Uninstall any pre-existing third-party security software or Carbon Black sensors before proceeding with ransomware validation. See Uninstalling Sensors.

Procedure

  1. On the Recovery plan page, in the Security and vulnerability analysis section, monitor security events and alerts generated by integrated behavioral analysis and malware scanning.

    Note:

    You can view the discovered security events and alerts on the Analysis > Vulnerabilities and Analysis > Alerts tabs of the VM under validation.

  2. (Optional) If any security events are found, manually patch the affected VMs, remove the malware, and from the Security tools drop-down menu, click Run vulnerability analysis.

  3. In the Toolkit section, click Change isolation.

  4. In the Change VM network isolation dialog box, configure the network isolation level for VMs running on the recovery SDDC according to your requirements, click Change isolation, and monitor the analysis status under the new network isolation level.

  5. If the VM snapshot is clean and safe, in the Protected site base snapshot section, click Set badge.

  6. In the Badge snapshot dialog box, select Verified and click Set badge.

  7. (Optional) If the VM is infected:

    1. Set the badge accordingly and, in the End validating iteration section, click Try different snapshot.

    2. Run the analysis again with a different snapshot until you have a clean and safe snapshot.

    3. In the Protected site base snapshot section, click Set badge.

    4. In the Badge snapshot dialog box, select Verified and click Set badge.

Stage and Recover VMs for Cloud-Based Ransomware Recovery for VMware Cloud Foundation

When you find good VM candidates to recover to a protected site, you are ready to power off and stage the VMs for recovery.

Procedure

  1. After you find good VM candidates, on the Recovery plan page, in the End validating iteration section, click Power off and stage.

  2. In the Power off and stage dialog box, select Take a new staging snapshot, click Power off and stage, and wait for the completion of the process.

  3. In the End staging section, click Recover VMs.

  4. In the Recover in protected site dialog box, under Recovery location, select Original protected site, select the confirmation check box and click Recover.

  5. After the recovery operation finishes, verify that the VM's workflow state is Recovered.

End Ransomware Recovery for Cloud-Based Ransomware Recovery for VMware Cloud Foundation

After you finish recovering VMs, you can end ransomware recovery by stopping the plan.

Procedure

  1. On the VMware Live Cyber Recovery page, in the left pane, click Recovery plans.

  2. On the Recovery plans page, click the Recovery plan you want to end.

  3. On the Summary page, click End recovery.

  4. In the End ransomware recovery dialog box, click End ransomware recovery.

  5. Refresh your browser.