Disaster Recovery

What Entropy and Change rate metrics mean in VMware Ransomware Recovery

VMware Ransomware Recovery is an excellent tool for protecting and retrieving data from ransomware attacks. You can find the tool as an add-on in the VMware Cloud Disaster Recovery service.

The service works by creating snapshots (a point-in-time backups) which are taken at a certain time.

Protected site snapshot timeline

In the example, we see a timeline with backups (snapshots) and the metrics Change rate and Entropy. These two metrics will help us better guess the snapshot that is taken before the malicious attack.

To understand the metrics, we must know that for every new snapshot, only the new or modified data will be saved in the cloud.

The Change rate measures the amount of changed bytes (comparing previous vs new snapshot). Taken at face value, the change rate metric might show fluctuations. For example, during rush hours or in high seasons, the change rate might be higher than usual. This does not mean that something malicious is happening.

The term Entropy means a state of disorder, randomness, or uncertainty. Let us say we have a document file, and we take a snapshot. It will transfer the whole file to the cloud backup. Add a new page, take another snapshot, and for the new backup it will transfer only the new page. But if the document is encrypted, the backup will contain the whole file again.

Transferring the whole file, when it is not newly created, leads to a larger size, which is abnormal. You might say that we do not expect this size and it might be random.

Protected site snapshot timeline

On the screenshot above, we see 3 snapshots. If we had only Change rate, we might guess that an attack is happening between the second and the third snapshot, because between the first and the second nothing much is changed. But on the Entropy graph, we see that suspicious activity is happening also between the first and second snapshot. It is likely the second snapshot is already infected, so the first one is a better candidate for validation and subsequent recovery.

When used together, these metrics in VMware Ransomware Recovery can give you a better understanding when there is a ransomware attack.

For more information, you can check out our Snapshot Timeline documentation.

Follow the VMware DR Community Team on Twitter @VMware_DR_team and send us any feedback.