A Closer Look at the Guided Recovery Workflow in VMware Ransomware Recovery

January 25, 2023


Ransomware recovery workflows tend to be more iterative than traditional disaster recovery. As the recovery team begins to hunt for the intruder malware, assess the spread of the problem, and determine the best recovery points, multiple work streams following a specific process are necessary to improve the odds of success. A guided workflow provides a structured approach to recovering multiple workloads from a variety of restore points. VMware Ransomware Recovery is designed to address these requirements by enabling a recovery team to work independently and in parallel to reduce recovery times.

Let’s take a closer look at the guided recovery workflow capabilities of the new VMware Ransomware Recovery solution for VMware Cloud DR.

In this post, I go over some of the key differences between a data center site disaster recovery and a ransomware recovery situation. Within the DR plan workflow considerations, there are some additional areas where we can bring more order to the chaos that is typically encountered when suddenly confronted with a ransomware recovery situation.

These workflow-related areas are:

  1. Divide and Conquer
  2. Iterations
  3. Tracking

Before we dig into each of these areas in more detail, let’s take a quick look at the basics of the recovery plan workflow for a ransomware situation. The guided workflow is a simple set of states that each VM goes through on its path to recovery. The states are backup, validation, staged, and recovered. More details can be found in the product documentation, but the workflow can be summarized simply in the following diagram.

Here we see that the VMs are processed independently, yet in parallel, and can exist in one of the defined states (backup, validation, staged, or recovered) during the overall ransomware recovery activities. For this example, there are 4 VMs – one in each state.

Divide and Conquer

One of the challenges with a ransomware attack is determining the scope and nature of the impact. It is possible that not all VMs in the production site have been affected in the same way or at the same time.

There is no single magic response action that can be applied across the entire inventory to resolve the issues. Instead, it is often necessary to process each VM – or groups of VMs – independently as you work through the recovery analysis, validation, and remediation stages.

When a recovery plan is initiated, the VMs included in the Protection Groups (PGs) for that plan are identified and placed into the VM list for processing. Each VM placed into the processing list can be processed through the workflow independently and concurrently. This individual and distributed handling of the VMs provides an ideal setup for a “divide and conquer” scaling approach that can be shared and coordinated across the infrastructure team during the recovery.

In the figure below, we can see more details about each VM being processed. The highlighted entry (W2K16-VM1) is still in the Validation state; we’ll cover more on that shortly. We can also see that there are some entries (W2K16-VM2) still in the Backup state – yet to be processed or possibly eliminated from the recovery as they do not need to be fixed. The VM list also shows one entry (W2K16-APP2) in the Staged state and ready for final recovery. Lastly, there is already one VM (W2K16-APP1) that has been fully handled and already Recovered back to the production site.

The VM list view shown above also provides easy access to some of the other workflow tasks such as Recovery Point iteration, Staging, and Discarding the VM (under the "OTHER" dropdown).

The guided workflow helps manage the concurrent processing of VMs in different states, all with the objective of either eliminating them from the recovery task or moving them to the final stage of recovered.


Iterations

When a Recovery Point is selected and brought into inventory, the Validation process can begin. During the Validation phase, there are other task-oriented capabilities provided to help best work through this iteration. The Toolkit options provided through the UI help automate and manage these tasks such as Guest File Restore, Network Isolation control, and other update and patching needs.

If this particular Recovery Point is not the ideal candidate, it is a simple process to “TRY DIFFERENT SNAPSHOT” as shown in the figure above.

The process of selecting and starting the alternate VM recovery point in the Isolated Recovery Environment (IRE) is the same simple process as with the initial recovery point selection task.

Note that as part of each iteration on the Recovery Points, and depending on recovery plan configuration, the VM is recovered into the IRE and the VMware Ransomware Recovery workflow automatically installs the security and analysis sensors into the virtual machine.


Tracking

Communication amongst the recovery team is further enhanced as part of the guided workflow. Each VM in the Validation state can be manually badged and annotated by the administrator to record the status of this recovery point as shown in the UI example below. As you work through each VM in this recovery plan, the recovery point badging feature can be used to track the status of that selection.

The Badge setting and any User notes supplied (shown above) are visible to anyone on the recovery team reviewing the status of this VM during the workflow.


The guided workflow provides an orderly, stepwise process for handling each infected VM as it is safely analyzed and evaluated in the IRE. It allows for easy and quick iteration over recovery points as desired, and enables the recovery administrators to annotate and tag their work with badges along the recovery path.

For a quick overview of the guided workflow in action, look at this Product Feature Demonstration Video.

For more details on other VMware Ransomware Recovery solution features, check out this playlist.

When ransomware recovery over multiple VMs is the course of action, the VMware Ransomware Recovery guided workflow can help bring order and tracking to the tasks at hand.


