To use ransomware recovery with integrated security and vulnerability analysis, you first must enable the services.

Enable integrated security and vulnerability analysis in your recovery plans to recover from a ransomware attack (or to test such a recovery). When you run a recovery plan for ransomware recovery, integrated vulnerability and behavioral analysis and malware signature scanning begin.

When you activate integrated security and vulnerability analysis, you can choose which country you want to have data analyzed in. Also when you activate integrated security and vulnerability analysis, VMware Live Cyber Recovery deploys a Carbon Black Cloud Workload VM on the recovery SDDC, which manages communication between VMware Live Cyber Recovery and Carbon Black Cloud servers.
Note: Before you can enable ransomware recovery services, you must authorize VMware Live Cyber Recovery to connect to VMware Cloud Services. For more information, see Authorize Access for VMware Live Cyber Recovery.

Allowing Activation of NSX Advanced Firewall

VMware NSX Advanced Firewall for VMware Cloud on AWS is required to enable advanced network isolation levels, including the useful 'quarantine isolation' with Carbon Black Cloud access.

NSX Advanced Firewall activates a full range of network isolation levels when performing validation on the recovery SDDC. You can authorize VMware Live Cyber Recovery to automatically activate the advanced firewall only during ransomware recovery or testing.

If your SDDC does not have NSX Advanced Firewall activated, VMware Live Cyber Recovery will activate it each time you run a recovery plan for ransomware. When the last concurrent plan is deactivated, NSX Advanced Firewall is also deactivated.
Note: If you notice the VMware Live Cyber Recovery UI stating that there is a charge for NSX Advanced Firewall, you can ignore the message. There is no charge for VMware Live Cyber Recovery ransomware recovery users to use NSX Advanced Firewall.

When you activate NSX Advanced Firewall and run a ransomware recovery plan, VMs in validation are started in the Quarantined+Analysis network isolation level.

If you activate integrated analysis but do not activate NSX Advanced Firewall, and then run a recovery plan, VMs start on the recovery SDDC with full outbound connectivity. To create your own custom network isolation level, see Create a Custom Network Isolation Level.
Note: Applying or changing a network isolation level for VMs overwrites any firewall configurations that were previously set for those VMs.

For more information, see NSX Advanced Firewall for VMware Cloud on AWS.

Activating ransomware recovery services requires the following user roles: Organization Owner, Global Console Admin, and Orchestrator Admin.

Procedure

  1. From the left navigation, select Settings.
  2. Under Integration, click the Ransomware Recovery Services button.
  3. In the Ransomware services integration dialog box, click the Activate Integrated Analysis button.
  4. Select the country in which data will be analyzed. (This operation might take 30 seconds to one minute to complete.)
  5. Read and then confirm each of the items described in the dialog box, and then click Activate.
    If you have a recovery SDDC deployed, then a security workload VM is installed in the SDDC when you activate security and vulnerability scanning. If you have not yet deployed a recovery SDDC, then the workload VM is installed when you deploy the SDDC.
    When you activate ransomware recovery services, a Carbon Black security policy is created named VMware Live Cyber Recovery.
    After activating security and vulnerability scanning, when you run a recovery plan for ransomware and start a VM in validation, security sensors are installed on Windows VMs.
    For automatic sensor installation, VMware Tools version 11.2 or later must be installed on the VM, and must include Carbon Black Cloud launcher. For Linux VMs, you must install the Carbon Black Launcher manually before sensor installation. To uninstall any pre-existing sensors, see Uninstalling Sensors.
    Integrated analysis might not be compatible with preinstalled security software on VMs. You can configure the recovery plan to pause before VMs start in validation, so you can uninstall the security software when you run the recovery plan and start VMs in validation.
  6. After you activate scanning, you can click Allow Activation of Advanced Firewall.
    Note: You can access the Carbon Black Cloud by clicking the Open Console button.
  7. Confirm that you acknowledge the statements in the dialog box, and then click Activate.
    When ransomware recovery services are enabled, the dialog box looks like this:
    Ransomware services activated.
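Because automatic sensor installation in step 5 depends on VMware Tools 11.2 or later being present in the guest, a pre-flight inventory of Tools versions across protected VMs is worth running before the first recovery plan. The following PowerCLI script is an added example, not part of the VMware documentation or product; it assumes VMware PowerCLI is installed and a `Connect-VIServer` session to the source vCenter already exists.

```powershell
# Added example (not VMware's code): list VMs whose VMware Tools version is below
# 11.2, the minimum the page states for automatic Carbon Black sensor installation.
# Assumes an existing Connect-VIServer session; VM names come from your inventory.
$minimumTools = [version]'11.2'

$report = Get-VM | ForEach-Object {
    # VMGuest.ToolsVersion is a string such as "11.3.5"; empty when Tools is absent.
    $toolsVersion = $_.Guest.ToolsVersion
    $parsed = $null
    $meetsMinimum = $false
    if ([version]::TryParse($toolsVersion, [ref]$parsed)) {
        $meetsMinimum = $parsed -ge $minimumTools
    }
    [pscustomobject]@{
        VM           = $_.Name
        GuestOS      = $_.Guest.OSFullName
        ToolsVersion = if ($toolsVersion) { $toolsVersion } else { 'not installed' }
        ToolsStatus  = $_.ExtensionData.Guest.ToolsStatus   # toolsOk, toolsOld, toolsNotInstalled, ...
        MeetsMinimum = $meetsMinimum
    }
}

# VMs that will not receive the sensor automatically; upgrade Tools on these
# before running the plan. Linux guests additionally need the launcher installed
# by hand, as the procedure above notes, regardless of the Tools version.
$report | Where-Object { -not $_.MeetsMinimum } | Sort-Object VM | Format-Table -AutoSize
```

The script checks only the Tools version; it does not verify that the Carbon Black Cloud launcher component was selected when Tools was installed, so treat a passing result as necessary rather than sufficient.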

What to do next

Once you have activated ransomware recovery services, you can create a protection group and a recovery plan. Then you can recover VMs if you experience a ransomware attack. If you want to change the country selected for data analysis, see Change Country for Ransomware Data Analysis.