VMware Cloud Disaster Recovery

The Rise of Modern Ransomware: Are You Prepared to Recover?

Two-thirds of organizations worldwide experienced a ransomware attack in 2021. Of those, 65% had their data encrypted. Ransomware attacks are no longer a matter of if, but when. On top of this, ransomware attacks have become more complex, causing months of downtime and $20 billion in global damages. How did this happen?

The Evolution of Ransomware

Ransomware attacks have evolved over the past five years to become more sophisticated and evasive. Historically, most ransomware attacks were file-based. Attackers would entice users to open certain types of files, which executed malicious code when opened. A few years ago, however, fileless attacks started to emerge and proliferate. A fileless attack is one in which the attacker uses existing software, legitimate applications, and authorized protocols to carry out malicious activities. Examples include embedding malicious code directly into memory and hijacking native tools such as PowerShell to encrypt files. In the notorious Log4j vulnerability that exposed hundreds of thousands of systems to attacks, cybercriminals were able to remotely inject malicious code into a target network and gain control. More and more attackers are moving away from traditional malware – in fact, most attacks today exclusively use fileless techniques. Modern ransomware is impacting organizations of all types and sizes, and making it harder for firms to detect and recover from ransomware attacks.

What You Need to Recover from Modern Ransomware

Modern ransomware presents some key challenges that require organizations to have several critical capabilities as part of their ransomware recovery solution:

Next-Generation Antivirus with Behavioral Analysis

Modern ransomware strains use legitimate programs and are never written to disk themselves, so they cannot be detected by traditional file scanning of at-rest backup copies. They are observable only through next-generation antivirus with behavioral analysis, which uses AI/ML to look for abnormal behaviors in running workloads.

Next-generation antivirus with behavioral analysis needs to be part of your recovery solution to ensure that the restore point is free of modern ransomware strains.

Isolated Recovery Environment

Fileless attacks can remain undetected and dormant in the backups and reactivate themselves when the backup VMs are powered on again. This is because the first two priorities of the bad actors are to establish persistence and then to enable command-and-control capabilities. Restoring VMs without identifying and removing these attack points during the remediation process could reintroduce ransomware into the production environment, causing more harm than good.

The recommended approach is to restore the backup data to an isolated recovery environment, which is a dedicated and secure environment that isolates the powered-on VMs from other networks, the internet, and other VMs in the isolated recovery environment. Using an isolated recovery environment allows the remediation process to proceed without encountering external ransomware triggers and without the risk of infecting other workloads.

Automated Ransomware Recovery Workflow

Recovering from modern ransomware involves multiple parts of the IT infrastructure, including backup storage, next-generation antivirus with behavioral analysis, advanced software-based firewall rules to isolate the VMs and prevent reinfection, and an isolated recovery environment for staging and validating the VMs. In addition, multiple teams and processes need to come together to get the business back up and running.

To minimize downtime, organizations must have an automated, end-to-end ransomware recovery workflow that brings together all these elements.

The VMware Ransomware Recovery Advantage

VMware Ransomware Recovery is a fully managed ransomware recovery-as-a-service solution that delivers confident recovery from existential threats, quick recovery with guided automation, and simplified recovery operations. VMware is the only vendor that provides the critical capabilities necessary to recover from modern ransomware attacks in a single, integrated solution. Here are our unique advantages:

Embedded Next-Generation Antivirus with Behavioral Analysis

VMware Ransomware Recovery embeds next-generation antivirus with behavioral analysis directly into the ransomware recovery workflow to help you identify both file-based and fileless attacks during the recovery process. Once you select the recovery point candidates, VMware Ransomware Recovery automatically installs the sensor and performs live behavioral analysis of powered-on workloads to help you curate recovery points prior to restore.  

Fully Managed Isolated Recovery Environment with Push-Button VM Network Isolation Levels

VMware Ransomware Recovery delivers a fully managed isolated recovery environment with push-button VM network isolation levels. This enables you to prevent reinfection at recovery. It also eliminates the need for you to build, secure and manage your own isolated recovery environment and to manually configure firewall rules and VM isolation policies. VMware Ransomware Recovery then performs behavioral analysis of the workloads running in the isolated recovery environment to ensure the VM is safe to restore back into a production environment.

End-to-End Guided Ransomware Recovery Workflow

VMware Ransomware Recovery streamlines and automates recovery with an end-to-end ransomware recovery workflow, which integrates identification, validation, and restore of recovery points. You can consume a single SaaS solution for the entire ransomware recovery operation, and leverage functionalities that boost collaboration between the Infrastructure and Security teams.

A Modern Solution to Combat Modern Ransomware

Modern problems require modern solutions. VMware Ransomware Recovery brings together the capabilities of multiple proprietary, industry-leading products at VMware, including VMware Cloud Disaster Recovery, VMware Carbon Black, VMware NSX, and VMware Cloud on AWS. VMware Cloud Disaster Recovery stores the backups in the cloud and provides the guided ransomware recovery workflow that streamlines and automates recovery. The solution leverages VMware Cloud on AWS to provide a fully managed, on-demand isolated recovery environment for staging and validating the VMs. VMware NSX advanced firewall rules micro-segment the VMs into tiny, isolated environments to prevent lateral movement and reinfection. The solution automatically injects VMware Carbon Black into the VMs to perform next-generation antivirus with behavioral analysis. All of this is presented as a single, cohesive experience to you through a cloud-based UI. As the industry’s first and only purpose-built ransomware recovery-as-a-service solution, VMware Ransomware Recovery is uniquely positioned to help your organization confidently and quickly recover from modern ransomware.

Take the Next Step

VMware Ransomware Recovery is available to all customers and partners. To learn more, visit our webpage and contact your sales representative or partner.