ESX Virtualization


VMware Ransomware Recovery – How it works?

By Vladan SEGET | Last Updated: July 7, 2023


VMware Ransomware Recovery is a new service from VMware that helps you recover from ransomware. It lets you check restore points within an isolated cloud environment and verify that they are not infected after a ransomware attack. Unfortunately, ransomware is here to stay, and we'll have to deal with it and fight it. But for this, one needs tools, free resources, or spare hardware.

The VMware solution, which we can call Ransomware Recovery as a Service, could be an excellent option for some customers, because you use the service only when needed. What does the architecture look like, and what's in it?

Many attacks use fileless methods that cannot be detected by traditional file scanning. VMware can use behavior-based detection to scan the restore points in order to detect ransomware or identify clean restore points.

The process works as follows:

The system will power on the virtual machines, check for malware in memory, and observe suspicious network traffic, such as connections to ransomware sources on the Internet.

This is the overview screen (from a VMware demo video that you can watch here).

Four steps:

  1. VMware creates a safe recovery environment where you can spin up your recovery points for testing purposes. This is a greenfield deployment running in AWS. It's a pre-built construct that you can customize with some options such as NSX-T, etc.
  2. Pick a restore point you want to test. To do this, go to your Recovery plans > Select the plan > Select your VM > Pick a snapshot, and then click Start VM in Recovery SDDC. You can see that the snapshot can be chosen based on the change rate (just before the spike!) to select a clean snapshot.
  3. Once you have chosen the recovery point, you can validate and scan it before restoring it back to production. You can initiate different options for the malware detection. Note that you can also initiate a guest file restore within the UI to pick only the files you need to recover.
  4. Recover to production.
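The "just before the spike" heuristic from step 2 can be sketched in a few lines. This is an added example, not VMware's code or API: the snapshot list is constructed sample data, and `factor` and `min_history` are hypothetical thresholds chosen for illustration.

```python
from statistics import median

# Constructed sample data: (snapshot timestamp, GB changed since the previous snapshot).
SNAPSHOTS = [
    ("2023-07-01T02:00", 4.1),
    ("2023-07-02T02:00", 3.8),
    ("2023-07-03T02:00", 4.6),
    ("2023-07-04T02:00", 4.0),
    ("2023-07-05T02:00", 5.2),
    ("2023-07-06T02:00", 61.7),  # mass rewrite, consistent with files being encrypted
    ("2023-07-07T02:00", 48.3),
]

def find_spike(snapshots, factor=5.0, min_history=3):
    """Return the index of the first snapshot whose change rate exceeds
    `factor` times the median rate of all earlier snapshots, or None."""
    for i in range(min_history, len(snapshots)):
        # The baseline uses only earlier snapshots, so the spike cannot inflate it.
        baseline = median(rate for _, rate in snapshots[:i])
        if baseline > 0 and snapshots[i][1] > factor * baseline:
            return i
    return None

def candidate_restore_point(snapshots, factor=5.0, min_history=3):
    """Return the last snapshot taken before the change-rate spike,
    or None when no spike is found (too little history, or a slow attack)."""
    spike = find_spike(snapshots, factor, min_history)
    if spike is None:
        return None
    return snapshots[spike - 1]

if __name__ == "__main__":
    print("Candidate restore point:", candidate_restore_point(SNAPSHOTS))
```

The result is only a candidate: the snapshot still has to be validated and scanned in the isolated environment, as step 3 describes, because a low change rate does not prove the restore point is clean.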

Staying resilient even if an attack gets through is crucial today. Without a proper tool and a proper plan, you will get caught. VMware Ransomware Recovery is here and provides value to organizations that do not have their own isolated DR site where they can restore and test snapshots within an isolated environment.

Your backup and recovery solution might also be able to help here. Veeam Backup & Replication uses the mount server as a staging server for scanning machine data with antivirus software. But we will report on this in another post.

Source: VMware
