VMware Live Cyber Recovery can leverage VMware vSAN snapshots for faster recovery of ransomware-infected VMs.

If a protected site vCenter is using VMware vSAN with Snapshot Manager protection groups, you can use VMware vSAN snapshots when performing ransomware recovery operations in VMware Live Cyber Recovery, which can help avoid large, time consuming data transfers when recovering clean VMs to an original protected site.

How it works
  • In VMware Live Cyber Recovery, you create a protection group configured to take high-frequency snapshots of VMs. You include this protection group in a ransomware recovery plan. (Standard frequency snapshots are not compatible with fast restore with vSAN snapshots.)
  • On the protected site deploy vSAN Snapshot Manager and create local protection groups in each vSAN-ESA cluster, with minimal retention schedule that matches the schedule set in VMware Live Cyber Recovery.
  • When you are ready to recover VMs during ransomware recovery, VMware Live Cyber Recovery orchestration automatically detects the presence of local vSAN snapshots and will restore the local snapshot closest to the snapshot selected in the ransomware recovery workflow to avoid the bulk of data transfer during recovery.

You use fast restore when recovering one or multiple VMs during a ransomware recovery operation to the original protected site. For more information see Recover VMs Directly on Original Protected Site.

Requirements

Requirements for using fast restore for ransomware recovery:
  • The VM must reside on a vSAN Express Storage Architecture (ESA) datastores with Snapshot Manager deployed and with replication schedules configured.
  • vSphere on the protected site must be on version 8.0u3 or higher.
  • The VMs are part of a VMware Live Cyber Recovery protection group taking high-frequency snapshots and included in a ransomware recovery plan.
  • The vSAN protection groups should have snapshot schedules configured with a retention policy that aligns with the schedule configured in VMware Live Cyber Recovery.
  • Fast restore is only available when using the ransomware recovery workflow and recovering to an on-premises protected site. Fast restore is not supported for protected SDDCs.

Protected Site Compatibility

You can determine if a protected site is compatible or not with vSAN snapshots by viewing the vCenter information tile on the protected site page:

The vCenters panel on the protected site page shows if the site is compatible with fast restore with vSAN snapshots.

Click the information icon Information icon you can click to get more information about fast restore vSAN snapshot compatibility. to view more details about your vCenter compatibility with vSAN snapshots.
Note: If your vCenter is compatible with fast restore with vSAN local snapshots, and at a later time you add a host to vSphere that is not compatible, it can take up to one hour for this non-support for fast restore to reflect in the VMware Live Cyber Recovery UI.

Dialog showing protected site vCenter is compatible with fast restore with vSAN snapshots.

Fast Restore During Ransomware Recovery

When you begin ransomware recovery for a VM, the VM Info panel shows if the VM is compatible for Fast Restore.

During ransomware recovery validation phase, you can see if the VM iscompatibile with Fast Restore.

When you are preparing to recover a VM during ransomware recovery, the Recover dialog box indicates any VMs that have local vSAN snapshots and will be recovered using Fast Restore.

The Recovery VM dialog box indicates if any VMs have local vSAN snapshots and can use Fast Restore during recovery.

Ending Ransomware Recovery

The End ransomware recovery dialog box indicates the amount of data transfered during recovery and how many VMs used Fast Restore.

The End ransomware recovery dialog box indicates how much data was transferred during recovery and how many VMs used Fast Restore.

Post-Recovery Information

After you restore a VM using fast restore and end ransomware recovery, the plan details page indicates if vSAN fast restore was used and how much data was transferred out of the total VM size.

Recovery plan showing data transfered using vSAN fast restore.