The ransomware recovery workflow includes several sets of tasks based on ransomware recovery states:
Task | Actions | Ransomware Recovery state |
---|---|---|
Prepare for ransomware recovery | Enable Ransomware Services for ransomware recovery and, optionally, integrated vulnerability and behavior scanning. Create a protection group: a protection group replicates snapshots on a regular schedule to a cloud file system, and the VMs in the group are included in a recovery plan. Create a recovery plan: when you create a recovery plan for ransomware, you configure settings such as which protection groups to include and the ransomware recovery options. | N/A |
Start Recovery Plan for Ransomware Recovery | Run a recovery plan for ransomware recovery. | In backup |
Start VMs on the Recovery SDDC | Starting VMs in validation counts as an 'iteration'. Every time you change the snapshots of VMs in validation, it is a new iteration, and you can iterate as many times as you want. When you start VMs for ransomware recovery, VMware Live Cyber Recovery begins integrated security and vulnerability analysis of the VMs. Note: Currently, malware signature scans for Linux VMs do not report progress in the UI. The scan still runs and completes, but the progress indicator remains "in progress" after the scan has finished, so do not treat a stalled indicator as a failed scan. | In validation |
Iterate security analysis and remediation | View the snapshot timeline to analyze the snapshot change rate and entropy rate. Try a different snapshot for a VM to find one with the lowest entropy and the highest compression rate: encrypted data is high-entropy and compresses poorly, so a sudden jump in entropy or change rate is a strong indicator that the snapshot captured encrypted data. Badge snapshots for VMs you know are clean or infected. Monitor security events and alerts generated by integrated behavioral analysis and malware scanning. Inspect OS and application vulnerabilities from the integrated vulnerability scan. Manually patch vulnerabilities and remove malware. Use guest file recovery to recover individual files and directories from a VM snapshot, if you need to replace damaged files with originals from an earlier date. Change the network isolation levels for VMs running on the Recovery SDDC. Discard VMs on the Recovery SDDC if you want to validate them from a different snapshot. Copy the IP address of a VM and open it in vCenter. Open a VM in the security console for threat hunting and remediation. | In validation / In backup (during analysis and remediation, VMs can be moved between the In backup and In validation states) |
Power off and stage validated VMs | When you power off and stage validated VMs, VMware Live Cyber Recovery takes a snapshot of the VMs, which is used for recovery to a protected site. You can also restart validation from the protected-site snapshot, restart the validation iteration for VMs with the same or different snapshots, and badge snapshots that you know are clean or infected. | Staged |
Recover VMs | You can recover staged, validated VMs to the protected site where they originated, or to another protected site if you have one configured. If the original protected site is down, you can also recover and run the VMs on the Recovery SDDC; after the original site is restored, fail the VMs back from the Recovery SDDC to the original protected site. | Recovered |
End Recovery | When you are finished validating and recovering VMs, end ransomware recovery by stopping the recovery plan. | N/A |
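The snapshot-selection step in the table relies on two signals the UI presents on the snapshot timeline: entropy rate and change rate. The following Python is an added example that is not VMware's code and does not reproduce the product's algorithm; it shows why those signals separate a clean snapshot from one that captured ransomware output, and goes slightly beyond the table by also computing a block-level change rate and choosing the newest snapshot before the first encrypted-looking one. The 512-byte block size, the 7.5 bits/byte threshold, and the three "disk images" are all constructed assumptions for illustration.

```python
import math
import random
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

BLOCK_SIZE = 512            # assumed block size for the change-rate calculation
ENTROPY_THRESHOLD = 7.5     # assumed: bits/byte above which a snapshot is treated as encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """zlib-compressed size / original size. Text compresses well (ratio << 1); ciphertext stays near 1.0 or above."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def change_rate(previous: bytes, current: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of fixed-size blocks that differ between two snapshots of the same disk image."""
    length = max(len(previous), len(current))
    if length == 0:
        return 0.0
    n_blocks = -(-length // block_size)  # ceiling division
    changed = sum(
        1 for i in range(n_blocks)
        if previous[i * block_size:(i + 1) * block_size] != current[i * block_size:(i + 1) * block_size]
    )
    return changed / n_blocks


@dataclass
class SnapshotStats:
    name: str
    entropy: float        # bits per byte
    compression: float    # compressed size / original size
    change_rate: float    # fraction of blocks changed since the previous snapshot (0.0 for the first)

    def looks_encrypted(self) -> bool:
        return self.entropy > ENTROPY_THRESHOLD


def analyze_timeline(snapshots: List[Tuple[str, bytes]]) -> List[SnapshotStats]:
    """Compute entropy, compressibility and change rate for each snapshot in chronological order."""
    stats: List[SnapshotStats] = []
    previous: Optional[bytes] = None
    for name, image in snapshots:
        rate = change_rate(previous, image) if previous is not None else 0.0
        stats.append(SnapshotStats(name, shannon_entropy(image), compression_ratio(image), rate))
        previous = image
    return stats


def last_clean_snapshot(stats: List[SnapshotStats]) -> Optional[str]:
    """Newest snapshot taken before the first encrypted-looking one; None if even the oldest looks encrypted."""
    for i, s in enumerate(stats):
        if s.looks_encrypted():
            return stats[i - 1].name if i > 0 else None
    return stats[-1].name if stats else None


def build_sample_timeline() -> List[Tuple[str, bytes]]:
    """Constructed sample 'disk images' (not real snapshots): two clean days, then a ransomware-encrypted one."""
    rng = random.Random(20240101)  # seeded so the example is deterministic
    text = b"Quarterly report: revenue up 4%, costs flat. See appendix B for details.\n"
    day1 = (text * 64)[:4096]
    day2 = bytearray(day1)
    day2[:BLOCK_SIZE] = b"Quarterly report (rev 2): revenue up 5%, costs down 1%.\n".ljust(BLOCK_SIZE, b" ")
    day3 = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext: statistically random
    return [("snap-day1", day1), ("snap-day2", bytes(day2)), ("snap-day3", day3)]


if __name__ == "__main__":
    timeline = analyze_timeline(build_sample_timeline())
    for s in timeline:
        flag = "ENCRYPTED?" if s.looks_encrypted() else "ok"
        print(f"{s.name}: entropy={s.entropy:.2f} bits/B  compression={s.compression:.2f}  "
              f"change={s.change_rate:.0%}  {flag}")
    print("candidate for validation:", last_clean_snapshot(timeline))
```

On the constructed timeline the two clean days sit well under 5 bits/byte and compress to a few percent of their size, while the encrypted day is close to 8 bits/byte, does not compress at all, and shows every block changed. That is the same shape you look for on the product's snapshot timeline: pick the newest snapshot before the entropy and change-rate jump, badge it, and validate it on the isolated Recovery SDDC before staging.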