With VMware Ransomware Recovery, a recovery SDDC is transformed into an on-demand, cloud-based Isolated Recovery Environment (IRE) with predefined network isolation levels.

The recovery SDDC provides a network-restricted IRE, so you do not have to build an environment from scratch or patch together different tools and hardware. You can use the predefined network isolation levels, or you can create a custom network isolation level to match your security needs.

After a ransomware attack, you can launch a recovery plan and select VMs from a deep snapshot history to be placed into an IRE for forensic analysis and validation. When you start VMs in validation on the IRE, VMware Ransomware Recovery provides integrated security and vulnerability analysis that analyzes each VM in recovery for suspicious OS behaviors, malware file signatures, and known vulnerabilities.

When you have succeeded in finding clean VMs, you can orchestrate those VMs back to a protected production site.

For more detailed information about setting up the IRE, see Configuring the Ransomware Recovery Isolated Recovery Environment (IRE).

Avoid Private Connections Between Production Environments and the IRE

To ensure the security and integrity of the IRE, do not establish any form of private network connectivity between your production environment and the IRE while validating VMs on the IRE.

Specifically, do not:
  • Use Direct Connect to connect on-prem infrastructure to the IRE.
  • Use a VPN to connect on-prem or cloud infrastructure to the IRE.
  • Stretch L2 networks from on-prem to the IRE.
  • Add the IRE SDDC to an SDDC group that enables private connectivity to other SDDCs and native VPCs.