VMware Cloud Disaster Recovery

Re-Imagining Ransomware Protection with VMware Ransomware Recovery

Ransomware is a Modern Menace

Ransomware is becoming a key challenge for enterprises. In 2022, 66% of them were hit with a ransomware attack, after which 96% did not re-gain full access to their data.1 In fact, 36% of disaster recovery events are caused by ransomware in the first place!2 By 2024, the global damages caused by ransomware are estimated to exceed $42 billion, essentially doubling every year.3 

VMware is taking a game-changing approach to detect and stop ransomware attacks, and recover from them much more reliably, rapidly, and securely. 

Ransomware Detection and Recovery

Ransomware recovery is a critical last line of defense against ransomware attacks. Ransomware has been evolving a lot over the last years, roughly falling into two categories, with corresponding ransomware protection strategies: 

Traditional Ransomware

1989 – 2017

An attacker inserts malicious code in executables. When executed, the malware is activated and encrypts other files.

Modern Ransomware

2017 – Today

Fileless attacks leverage legitimate programs (e.g., memory-based). They leave no filesystem traces and are hard to detect. 

Phase 1: Ransomware Detection

1.1 Identify: Enumerate recovery point targets 

1.2 Protect: Take snapshots and back them up 

1.3 Detect: Find anomalies in the backups

Phase 2: Ransomware Recovery

2.1 Respond

  • Activate isolated recovery environment
  • Guided restore point selection 
  • Restore snapshot and observe workload 
  • Evaluate using behavioral analysis 
  • Final inspection 

 2.2 Recover: Minimize data loss 

Traditional ransomware recovery is built on immutable air-gapped backups combined with filesystem scanning to detect ransomware traces. This entails a number of challenges, including: 

  • Ransomware evasion: Modern ransomware is fileless and “Living-off-the Land”, so it leaves no filesystem traces, and it isn’t detectable by file scanning or filesystem metadata introspection. 
  • Infected recovery points: Undetectable infected backups compromise recovery points. 
  • Workload re-infection: Infected backups can reinfect production workloads after recovery. 
  • Long recovery times: Restoring and re-instantiating workloads is a tedious manual process, and reinfections lead to lengthy trial and error recovery point iterations. 

Ransomware has become a complex problem that can cause significant downtime. Recovering from ransomware isn’t just a security team problem anymore – it is a wholistic infrastructure problem that involves identifying ransomware, protecting workloads, and securing perimeters. This is right in VMware’s wheelhouse. 

VMware Ransomware Recovery as-a-Service (RRaaS) 

VMware combines a high-performance filesystem, full-stack workload analysis, built-in adaptive distributed firewalling, and a multi-cloud platform that can spin up secure SDDCs on demand into a comprehensive cloud-integrated ransomware recovery service (RRaaS) that can reliably and rapidly recover from ransomware attacks. 

Some unique components and key innovations of VMware RRaaS are: 

  • Behavioral analysis: Next-generation anti-virus software uses embedded security sensors to perform self-improving behavioral analysis to detect ransomware that is only observable when the workload is executing. 
  • Isolated Recovery Environment (IRE): Fully-managed and cloud-integrated (i.e delivered “as-a-service”) IREs contain ransomware in secure sandboxes that prevent its lateral movement and reinfection of production environments through network isolation with adaptive distributed firewalling. 
  • Integrated recovery point selection: Live-mounting workloads in the IREs allows to safely stage and iterate recovery points, and assess VMDKs through behavioral analysis before redeploying them into production environments. 
  • Assisted recovery: Curated step-by-step guided recovery workflows provide assisted recovery point selection that allows fine-grained restoring of production environments with minimum delay and data loss. 

As a result, VMware RRaaS provides the industry-leading reliable, rapid ransomware recovery service. 

Don’t just take our word for it: A recent GigaOm report depicted VMware as the only “Outperformer” in its disaster recovery as-a-service category – highlighting VMware RRaaS as “the stand-out development across all vendors.”4 

VMware RRaaS Vision 

And we’re not stopping there. VMware RRaaS is sophisticated and comprehensive, but it’s a responsive and not a preventive service, because, by the nature of the phase it covers, it works only post-encryption. 

So looking ahead, our vision is to extend VMware RRaaS from a medicine for ransomware to a vaccine that provides frictionless protection of primary storage against ransomware. We’d integrate ransomware detection and recovery directly into production VMware vSAN clusters (locally, or with help of a secondary VMware vSAN cluster for analysis), which lowers the setup complexity and accelerates the response times to minutes – near-real time, unlike backup driven-systems, which typically only run on a daily cadence. 

This way, we’d bring ransomware detection and response as close as possible to the actual attack, collapsing the ransomware exposure window and tightly containing the infection. Join us at VMware Explore 2023 to learn more about our VMware RRaaS vision! 

Industry-Leading Ransomware Protection 

VMware RRaaS is a fully managed, cloud-integrated service that provides reliable, rapid, and secure recovery from existential ransomware threats with comprehensive automation in a single, integrated experience. Our vision is to complement this effective cure from ransomware attacks with a potent vaccine that protects against them in the future. 

In summary, VMware provides industry-leading protection against ransomware attacks, and we continue to work hard to protect our customers against this modern menace. 

1 Sophos. The State of Ransomware 2022
2 VMware customer survey. 
3 Cybersecurity Ventures. Global ransomware damage costs predicted to exceed $265B by 2031.  
4 GigaOm. Radar for Disaster Recovery and Business Continuity as a Service, 2022.