After my previous blogs about this awesome all-in-one Disaster Recovery Solution, it is time for a brand new one, with the focus on the Recovery process.
VMware Ransomware Recovery for VCDR (High Level)
VMware Ransomware Recovery for VCDR part 2 (Configuration and interface)
This post is based on our brakeout session which we provided at the Dutch VMUG conference. In case you were not able to attend this session or in case you would like to watch it back, see the summary below.
1 Panic, Ransomware Infection!
Use case: The production environment has been compromised due to a Ransomware attack.
The video below (part 1) of the demo shows that a Ransomware has been compromised on the virtual machine VMUG02.
2 Initiate a Recovery (First Steps)
So let’s focus on the next step. This video covers the first steps tee keep in mind when you have to start with a recovery (proces) after a Ransomware infection. As you can see in this demo we already have a Recovery Plan in place including Protection Groups which is of great importance in order not to waste unnecessary time in such an emergency situation!
On the video you have probably noticed we have opened the recovery plan (NLVMUG).
As you can see, all the available virtual machine(s) are covered in this DR plan, called VM list.
During this demo we focus on the virtual machine called VMUG02.
For the Recovery of the virtual machine VMUG02 we select the virtual machine VMUG02 within this Recovery Plan and a new window pops up with the Guided Restore Point feature.
Initially, we choose a desired snapshot (RPO) for VMUG02 with a relatively high change rate, based on the least possible data loss. But keep in mind that this high change rate probably indicates that this virtual machine is infected by a Ransomware, probably caused by a process that encrypted all the virtual machines data.
Based on the previous step, a snapshot was mounted (provided by VMware Live Mount Technology) and it will be available in the IRE within a couple of minutes.
Since all snapshots are stored immutably, a clone is created in the background, and then it is attached to a host based on the NFS (data) protocol.
3 Choose a suitable RPO to validate.
In the previous step we discovered that the examined snapshot was not suitable for recovery, because it turned out to be infected.
Let’s go back to the VCDR console and recover another snapshot (RPO).
Based on the change rate (visible on the GUI), we have decided to select another (more appropriate) snapshot and initiated a new recovery proces.
You can follow the running tasks on the vCenter server from the IRE SDDC, which indicates the progress of the Live Mount proces.
During this proces we also have assigned a Badge to the previous snapshot (RPO) with the status compromised.
Let’s open vCenter and open the VM Console. We Log in to the Virtual Machine VMUG02 to validate the status of this specific snapshot / RPO.
Conclusion: We have discovered that this snapshot (RPO) has not been infected by a ransomeware infection.
Since we do not have time at this VMUG session for a Randsomware Behavior Analysis Scan, we skipped this as part of this demo..
4 Initiate a DR Recovery (Failback)
This part indicates that the production VM is still infected by ransomware.
From this point on, the healthy snapshot (RPO) will be restored to the production environment without mutations.
In the meantime the virtual machine VMUG02 is powered-off in the DR environment.
At this point, the recovery process starts by replication all the CBT to the production environment.
This process takes relatively little time and network traffic because only the damaged data needs to be restored
Once all the changed data has been replicated to production environment, this virtual machine will be powered-on, which is initiated automatically provided by VCD.
As you can see, the website has been recovered and is accessible again without a ransomware infection!
Joris and I really enjoyed providing this session, and hopefully you did too.
Thank you for participating.
In case you have any questions, feel free to reach out!
End of this post.
Disclaimer: This blog is based on my personal title and assumptions. No rights can be derived from this blog.