VMware Cloud Disaster Recovery

The Need for Ransomware Recovery as-a-Service: Introducing VMware Ransomware Recovery

Ransomware is the disaster of the decade. Ransomware attacks have evolved from scattered threats by small-time hackers into multi-stage, targeted campaigns from sophisticated criminal organizations and state-sponsored groups. Attackers today have quite a different modus operandi than they used to—they now encrypt backups and target critical infrastructure. One ransomware attack takes place every 11 seconds today (Cybersecurity Ventures, November 2020).

There are typically 5 steps in the ransomware protection and recovery process, as shown in Figure 1. Today, we will focus on the recovery process.

Figure 1. The Ransomware Protection Cycle

The Need for Ransomware Recovery as-a-Service

Traditional methods of recovery relying on backup catalogs can no longer meet the requirements to adequately protect data from ransomware, and more importantly, allow the user to restore full operations and clear the environment of malware after the attack. The primary reason for this, is that ransomware can remain undetected for a long period of time (the median dwell time is 11 days[1], but it could take months to detect in some cases), compromising backup copies and spreading laterally across the environment. This is what makes ransomware different from other recovery scenarios—before restoring backup copies, IT teams first need to know where to find them, and these need to be validated before restoring to make sure they’re free of malware. And here’s where it gets complicated. To summarize, the three key challenges organizations face when recovering from ransomware are:

  1. Identifying a recovery point: understand when anomalous activity occurred on systems to identify good snapshot candidates.
  2. Validating recovery points: analyze and scan recovery points to make sure they’re free of malware at recovery. Conduct this iterative process as fast as possible to avoid additional downtime.
  3. Minimizing data loss in the process: prevent re-infection by isolating candidate VMs within the Isolated Recovery Environment (IRE) until they’ve been vetted. Extract uncompromised, more recent files and folders from potentially compromised VMs for granular recovery.

Without the capability to identify anomalies in backup copies, IT teams are left with no choice but to play a guessing game amongst thousands of restore points. This makes finding a recovery point candidate a time-consuming, complex and resource-inefficient task.

In a scenario where the IT team identifies a recovery point, they will now have to validate it to make sure it’s free of malware. With traditional solutions, this requires an intervention from the Security team to scan each individual snapshot candidate. This adds operational burden, increases time to recovery and also compromises the chances of full recovery. As expected, this will have a direct impact on downtime and data loss.  

Unfortunately, those who don’t have a way to recover are left with the only option of paying the ransom, which doesn’t even guarantee they’ll regain access to their data. Actually, a staggering 92% of those who pay the ransom don’t regain full access to their data[2].

Trying to recover from ransomware with traditional backup methods is like fitting a square peg into a round hole. It may fit but there will always be gaps. And these gaps are becoming bigger and bigger as threats become more sophisticated and IT teams are increasingly overburdened. For this and many other reasons, organizations are gravitating towards cloud and as-a-Service solutions for their data protection operations. According to an IDC survey, 55% of organizations will manage core, edge and cloud data protection from the cloud by 2025[3]. Transitioning to a Ransomware Recovery as-a-Service (RRaaS) model will become an imperative for those looking to support their digital transformation initiatives while protecting their data.

To respond to these acute and complex challenges, organizations need a solution that has been purpose-built for ransomware recovery. And this is what we’re bringing to market with our newest release, VMware Ransomware Recovery. A predictable, reliable and cost-efficient solution that delivers on-demand Ransomware Recovery as-a-Service.

Innovations in Recovery: VMware Ransomware Recovery for VMware Cloud DR

Over the last couple of years, we’ve had the chance to talk to many customers across the globe whose systems had been hit by ransomware to better understand their procedures for recovery. Based on those learnings, we designed this new offering to deliver increased predictability in ransomware recovery (the workflow was inspired by Kuberflow pipelines) and build on the already-robust ransomware recovery capabilities in VMware Cloud DR, which uses a unique storage foundation with a two-tier architecture that is specifically designed for this use case. You can learn more about the Scale Out Cloud Filesystem in this blog.

VMware Ransomware Recovery is a purpose-built solution that addresses the key challenges in ransomware recovery mentioned above. It delivers the following core benefits:

  • Predictability in recovery: a guided ransomware recovery workflow spanning across identification, validation and restore of recovery points provides a step-by-step blueprint for organizations to navigate the ransomware recovery process. No more re-defining the workflow every time there’s turnover in IT ransomware recovery/DR personnel.
Figure 2. Invoking the Ransomware Recovery Workflow from the VMware Cloud DR UI

Streamlined selection of recovery point candidates: with guided restore point selection, IT teams can access insights on their recovery point candidates such as VMDK rate of change and file entropy. These are crucial to identify anomalous activity within the snapshot and therefore determine whether it’s a good candidate for recovery or not.

Figure 3. Restore point anomaly detection presents insights to identify recovery point candidates

Integrated curation of recovery point candidates: IT teams can invoke the embedded Next Gen AV and Behavioral Analysis feature to automatically analyze and validate powered-on recovery point candidates in an on-demand Isolated Recovery Environment (IRE). A security sensor will be installed in the snapshot to conduct a vulnerability assessment, malware scan and behavioral analysis. Users will be able to access insights on security alerts triggered by anomalous activity within the snapshot. This allows for a single team to manage the entire recovery operation through a single product, reducing IT burden, minimizing chances of error and lowering total cost of ownership.

Figure 4. Embedded Next-Gen AV and Behavioral Analysis
Figure 5. Example of a security alert
  • Prevent reinfection: users can leverage the on-demand IRE and pre-configured network isolation policies to prevent reinfection. These can be invoked directly from the workflow.
  • Fast recovery point iterations: thanks to the Live Mount capability, VMs can be instantly powered-on in the on-demand IRE without data rehydration and in their native format. This makes recovery point iterations simple and non-disruptive, minimizing overall downtime.
  • Reduced data loss: 30-minute RPOs and Granular Recovery play a key role in minimizing data loss during recovery operations. With high frequency snapshots, VM copies are replicated to efficient cloud storage as frequently as every 30 minutes and stored in an immutable fashion in the air-gapped Scale Out Cloud Filesystem. This delivers a deep history of snapshot copies to choose from at recovery. Granular recovery allows users to extract individual files and folders from VMs (without powering them on) to created merged recovery points that minimize data loss during restore operations.
  • Increased traceability of operations: with built-in audit reports, users can access insights on their DR operations performance, delivered directly from the SaaS-based console.

Ransomware is here to stay, and organizations of all sizes should be prepared to face the challenges it brings. Purpose-built solutions for ransomware recovery will give organizations who use them a competitive advantage, allowing them to remain more agile and highly operational within the threat landscape through predictable recovery. Business agility and operability will be driven by easy identification, curation and restore of recovery point candidates in the ransomware recovery process. Get back in business faster with VMware Ransomware Recovery.

Ready to learn more?

Visit our webpage

Contact Sales

[1] Sophos: The Active Adversary Playbook 2021

[2] Sophos State of Ransomware 2021

[3] IDC Market Forecast: WW Data Replication and Protection Software Forecast, 2022-2026