If you enable ransomware services in a recovery plan, you can run it to recover from a ransomware attack, or run it as a ransomware recovery test.
When you run a plan for ransomware recovery, you enable all VMs included in the plan to be analyzed and validated in a network-isolated recovery SDDC with restricted firewall rules, disconnected from the internet. You can select VMs from the list included in the plan, choose a snapshot from a protection group, and start validating VMs.
When you start VMs on the recovery SDDC, a security sensor is automatically installed to enable security and vulnerability analysis. The sensor helps you detect malware, repair bad files, and patch software for the VM from the snapshot history.
For automatic sensor installation, VMware Tools version 11.2 or later must be installed on the VM, and must include the Carbon Black Cloud launcher.
Windows VMs already have the Carbon Black Cloud launcher embedded into the VMware Tools executable.
For Linux VMs, the launcher is not included so you must manually install the Carbon Black Launcher for Linux VMs if you want automated sensor installation.
Once the launcher is installed on a VM, the sensor can be installed automatically when you run a ransomware recovery plan.
Uninstalling Existing Sensors
Before the security sensor can be installed when you run a plan, you must uninstall any existing security sensors or software. You also must confirm that you have uninstalled existing security sensors before you can begin ransomware analysis. If any non-VMware Live Cyber Recovery security software is left on VMs, it can potentially generate alarms and events for the production environment. For more information, see Uninstalling Sensors.
Connectivity to Carbon Black Cloud URLs
The network segment the VM is connected to must have internet access, so the VM can reach the security services location within a specific Carbon Black Cloud points of presence (PoP). Make sure that your network and in-guest firewalls do not block access to any Carbon Black Cloud POP URLs.
Ransomware Recovery Test
A ransomware test is the same as ransomware recovery, but a ransomware test has no option to restore VMs on a protected site. Ransomware recovery testing does not require powering off production VMs and pausing of snapshots.
Snapshot Expiration Paused While Running the Plan
When you start a ransomware recovery plan, VMware Live Cyber Recovery pauses all snapshot expiration for snapshots taken prior to starting the plan. Existing snapshots are deleted upon expiration, regardless of protection group retention policy, until the plan is ended. Any subsequent snapshots taken since the starting of the plan will expire and be deleted according to the configured retention policy.
When the plan is ended, snapshots expiration will resume according to the defined protection group retention policy.
Prerequisites
- Enable ransomware recovery services with integrated security and vulnerability analysis.
- Create protection groups with recurring snapshot replication schedules for VMs you want to recover.
- Create a recovery plan and configure it for ransomware.
Note: If a recovery plan is activated for ransomware recovery, the plan uses the Test network mapping by default when you run the plan.
If you need to use the recovery SDDC to perform ransomware recovery and also run production workloads at the same time, you can create a VMware Cloud gateway to use for running VMs that have been cleansed during ransomware recovery. This way, you can use one gateway for ransomware recovery (the default gateway), and use a second gateway to use for running recovered production VMs.
Procedure
- On the recovery plan page, click the Ransomware Recovery button. Or, click the Ransomware Test button if you only want to perform a test.
