During validation, you might want to try different snapshots of VMs to find one that can be a candidate for recovery.

From the VM validation page, you can easily try different snapshots during ransomware recovery. When you select a new snapshot, the current iteration of VMs on the recovery SDDC is discarded and a new iteration starts based on the snapshot you select.

Procedure

  1. On the VM validation page, on the Summary tab, in the End validation iteration panel, click the Try Different Snapshot button.
    Try different snapshot button on the VM validation page.
  2. In the Try different snapshot dialog box, select a new snapshot, either from the timeline or from the Snapshot drop-down menu.
    Tip: Badge the current snapshot before you switch, so that you can find it again later.
  3. Click the Try Different Snapshot button.
    When selecting a VM snapshot, consider two factors shown on the snapshot timeline: change rate and entropy rate. Together they show how the VM's data changed over time across snapshots, which can point to a possible infection:
    • Change rate. The number of bytes changed divided by the time elapsed between the current snapshot and the previous one. A high value means that an unusually large amount of data changed in that interval. During a ransomware attack, many files are rewritten as they are encrypted, so the change rate rises. A high change rate on its own can also come from legitimate bulk activity, so read it together with the entropy rate: a snapshot with both a high entropy rate and a high change rate is a likely indicator of a ransomware attack.

      For example, if the change rate for a VM in a snapshot is typically approximately 100 KB/s, then suddenly changes to 500 KB/s, the snapshot could then be considered suspicious.

      Note: For the first snapshot of a VM after a product upgrade, change rate is not reported.
    • Entropy rate. The inverse of the compression ratio (1/compression ratio), a number between 0 and 1. The closer it is to 1, the more likely it is that the snapshot's data is encrypted. A sudden jump in entropy rate from one snapshot to the next can indicate encryption.

      For example, if the entropy rate (1/compression ratio) for a VM is usually about 0.5 or 0.6 and then jumps to almost 1, the snapshot is suspicious.

      VMware Live Cyber Recovery uses the inverse of the data compression ratio to approximate an entropy rate. The entropy rate is 1 when the data is incompressible; incompressible data usually means the data is either encrypted or already compressed. The more compressible the data, the lower its entropy rate. Because already compressed content (archives, media files, compressed backups) also scores close to 1, a high entropy rate alone is not proof of encryption; check it against the change rate and the VM's earlier snapshots.
    Note: For more information, see Snapshot Timeline: Change and Entropy Rate.
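The two indicators described above can be reproduced on a small scale. The following Python script is an added example, not VMware Live Cyber Recovery code: it approximates entropy rate as 1/compression ratio using zlib, computes change rate as bytes changed divided by the seconds between consecutive snapshots, and flags a snapshot when the entropy rate is high and either the change rate jumps relative to the earlier snapshots or the entropy rate itself jumps. The thresholds (0.9 entropy rate, a change rate above 3x the median of prior rates, a 0.3 jump in entropy rate) and the constructed snapshot timeline of a text file that is edited twice and then overwritten with random bytes are assumptions for illustration, not values taken from the product. As in the product, the first snapshot has no change rate because there is no previous snapshot to compare against.

```python
import random
import statistics
import zlib

# Illustrative thresholds (assumptions, not product values).
ENTROPY_THRESHOLD = 0.9     # entropy rate at or above this looks incompressible
CHANGE_RATE_FACTOR = 3.0    # change rate more than 3x the prior median is a jump
ENTROPY_JUMP = 0.3          # entropy rate rising by this much in one step is a jump


def entropy_rate(data: bytes) -> float:
    """Approximate entropy rate as 1 / compression ratio.

    compression ratio = len(uncompressed) / len(compressed), so the inverse is
    len(compressed) / len(uncompressed). zlib adds framing bytes, so incompressible
    input can come out slightly larger than the input; clamp to 1.0.
    """
    if not data:
        return 0.0
    compressed = zlib.compress(data, 9)
    return min(1.0, len(compressed) / len(data))


def bytes_changed(prev: bytes, cur: bytes) -> int:
    """Count byte positions that differ between two snapshots of the same object.
    Bytes beyond the shorter snapshot's length count as changed."""
    same = sum(1 for a, b in zip(prev, cur) if a == b)
    return max(len(prev), len(cur)) - same


def analyze(timeline):
    """timeline: list of (timestamp_seconds, snapshot_bytes), oldest first.

    Returns one dict per snapshot with its change rate (bytes/s, None for the
    first snapshot), entropy rate, and whether it looks suspicious.
    """
    results = []
    prior_rates = []
    prev_entropy = None
    for i, (ts, data) in enumerate(timeline):
        ent = entropy_rate(data)
        rate = None
        if i > 0:
            prev_ts, prev_data = timeline[i - 1]
            dt = ts - prev_ts
            rate = bytes_changed(prev_data, data) / dt if dt > 0 else float("inf")

        rate_jump = False
        if rate is not None and prior_rates:
            rate_jump = rate > CHANGE_RATE_FACTOR * statistics.median(prior_rates)
        entropy_jump = prev_entropy is not None and (ent - prev_entropy) >= ENTROPY_JUMP

        # Flag only when the data looks incompressible AND something jumped;
        # a high change rate alone may be legitimate bulk activity.
        suspicious = ent >= ENTROPY_THRESHOLD and (rate_jump or entropy_jump)

        if rate is not None:
            prior_rates.append(rate)
        prev_entropy = ent
        results.append({
            "index": i,
            "timestamp": ts,
            "change_rate": rate,
            "entropy_rate": ent,
            "suspicious": suspicious,
        })
    return results


def build_sample_timeline():
    """Constructed sample data (not captured from a real VM): a compressible text
    blob, two small edits an hour apart, then the whole blob replaced by random
    bytes to stand in for ransomware encryption."""
    rng = random.Random(7)
    words = [b"invoice", b"customer", b"payment", b"total", b"balance", b"due"]
    base = b" ".join(rng.choice(words) for _ in range(4000))
    edit1 = base[:1000] + b"#" * 200 + base[1200:]        # 200 bytes changed
    edit2 = edit1[:5000] + b"@" * 200 + edit1[5200:]      # 200 more bytes changed
    encrypted = bytes(rng.getrandbits(8) for _ in range(len(edit2)))
    return [(0, base), (3600, edit1), (7200, edit2), (10800, encrypted)]


if __name__ == "__main__":
    for r in analyze(build_sample_timeline()):
        rate = "n/a" if r["change_rate"] is None else f"{r['change_rate']:.3f} B/s"
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"snapshot {r['index']} t={r['timestamp']:>5}s  "
              f"change_rate={rate:>12}  entropy_rate={r['entropy_rate']:.3f}  {flag}")
```

Running the script shows the two edited snapshots with a low entropy rate and a change rate of roughly 0.056 B/s, while the final snapshot has an entropy rate of about 1.0 and a change rate more than a hundred times higher, which is the pattern the timeline is meant to make visible. In practice the baseline should be the VM's own history over many snapshots rather than two data points, and files that are compressed by design will sit near an entropy rate of 1 without being suspicious.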