We’ve explored what you can do to reduce the risk of a ransomware attack in your VMware environment, but sometimes, despite our best efforts, environments are still compromised. Let’s look at what you can do now to protect your environment so that you can recover after an attack.
There are two things you need to think of when it comes to protection: the VMware environment itself, and the virtual machines (VMs) running in the environment. The goal of everything you do today is to be able to recover from ransomware tomorrow.
When it comes to protecting your VMware environment, there are two main components: VMware vCenter Server and the ESXi hosts. You should back up vCenter, but be aware that you may not actually use that backup in the event of a ransomware attack.
There’s a misconception out there that ESXi hosts themselves should be backed up, but this is simply not the case. What’s important is to either back up the configuration of each host (ESXi can export it as a bundle with vim-cmd hostsvc/firmware/backup_config) or have a way to rapidly rebuild and reconfigure your hosts.
I’m a fan of the second option. You should be able to redeploy and reconfigure ESXi quickly, in an automated fashion. This is something that should be tested frequently. Because VMware tends to “just work,” most people haven’t installed ESXi in ages. Back when they did, it was a manual process.
The hosts are useless after compromise, and should be wiped clean and rebuilt from known-good installation media, never from anything left on the compromised host. Your host is not special; it’s nothing but a collection of resources for your VMs. It doesn’t need special care and feeding like a pet, but it does need to be patched and kept up-to-date, which we’ve talked about.
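The automated rebuild described above comes down to having a scripted-install (kickstart) file ready for every host, so that a PXE boot or an ISO with the file attached produces a host with the right management network, NTP, syslog and port groups without anyone typing into the console. The following is an added example for this article, not VMware’s code or a tool from the author: it renders a ks.cfg from a per-host record. The host names, addresses, VLANs and the root password hash are constructed placeholders; the esxcli and kickstart commands themselves are the standard ones. It deliberately accepts only a pre-hashed root password, because the kickstart file usually sits on an HTTP server that the installer fetches it from.

```python
"""Render an ESXi scripted-install (kickstart) file from a per-host record.

Added example for this article; not VMware's code. Host values and the
root password hash below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class EsxiHost:
    hostname: str
    ip: str
    netmask: str
    gateway: str
    nameservers: Tuple[str, ...]
    root_hash: str                       # SHA-512 crypt hash, e.g. output of `openssl passwd -6`
    mgmt_vlan: Optional[int] = None
    mgmt_nic: str = "vmnic0"
    ntp_servers: Tuple[str, ...] = ()
    syslog_host: str = ""
    portgroups: Tuple[Tuple[str, int], ...] = ()   # (name, VLAN id) pairs created on vSwitch0


def render_kickstart(h: EsxiHost) -> str:
    """Return the text of ks.cfg for one host.

    Refuses plaintext passwords: only a pre-hashed root password is emitted,
    because the kickstart file is normally served over HTTP to the installer.
    """
    if not h.root_hash.startswith("$6$"):
        raise ValueError("root_hash must be a SHA-512 crypt hash ($6$...), not a plaintext password")

    network = [
        f"network --bootproto=static --device={h.mgmt_nic}",
        f"--ip={h.ip}", f"--netmask={h.netmask}", f"--gateway={h.gateway}",
        f"--nameserver={','.join(h.nameservers)}", f"--hostname={h.hostname}",
        "--addvmportgroup=0",   # no default 'VM Network'; port groups are declared explicitly below
    ]
    if h.mgmt_vlan is not None:
        network.append(f"--vlanid={h.mgmt_vlan}")

    lines = [
        "vmaccepteula",
        "keyboard 'US Default'",
        f"rootpw --iscrypted {h.root_hash}",
        "clearpart --firstdisk=local --overwritevmfs",   # wipe the first local disk, old VMFS included
        "install --firstdisk=local --overwritevmfs",
        " ".join(network),
        "reboot",
        "",
        "%firstboot --interpreter=busybox",   # runs once, after the first boot of the fresh install
    ]
    if h.ntp_servers:
        lines.append("esxcli system ntp set " + " ".join(f"--server={s}" for s in h.ntp_servers))
        lines.append("esxcli system ntp set --enabled=true")
    if h.syslog_host:
        lines.append(f"esxcli system syslog config set --loghost={h.syslog_host}")
        lines.append("esxcli system syslog reload")
    for name, vlan in h.portgroups:
        lines.append(f"esxcli network vswitch standard portgroup add --portgroup-name='{name}' --vswitch-name=vSwitch0")
        lines.append(f"esxcli network vswitch standard portgroup set --portgroup-name='{name}' --vlan-id={vlan}")
    return "\n".join(lines) + "\n"


def sample_host() -> EsxiHost:
    """Constructed example host; the hash is a placeholder, not a real credential."""
    return EsxiHost(
        hostname="esx01.example.com", ip="10.10.20.11", netmask="255.255.255.0",
        gateway="10.10.20.1", nameservers=("10.10.0.53",),
        root_hash="$6$saltsalt$REPLACEWITHREALHASH",
        mgmt_vlan=20, ntp_servers=("10.10.0.123", "10.10.0.124"),
        syslog_host="udp://10.10.0.200:514",
        portgroups=(("vMotion", 21), ("Prod-Web", 100)),
    )


if __name__ == "__main__":
    print(render_kickstart(sample_host()))
```

Keep the per-host records in version control next to this script and regenerate the kickstart files from them; the rebuild test the article asks for is then simply "boot a host from the generated file and confirm it joins the cluster." Protect the web server that serves the files the same way you would protect any credential store, since each file carries the host’s root password hash.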
Depending on the level of compromise during a ransomware attack, it may be safer to quickly re-deploy a new vCenter and ESXi hosts than restore vCenter from backup. Often the issue during a ransomware attack is that you may not know the full scope of the damage when you begin to recover.
In this situation, it’s also good to have multiple recovery locations planned. For example, you may want to have a small cluster in a VMware Cloud Solution ready and waiting for your workload, and scale it up after an attack.
This gives you quick and easy access to an uncompromised VMware environment to help you speed up recovery time. This brings us to our next point of discussion.
While I have a pretty cavalier attitude when it comes to protecting the VMware environment itself, I have a different attitude when it comes to protecting VMs: they must be protected! You want multiple copies of your data when it comes to VM backups, especially copies that are offsite, and at least one that is offline or immutable so it cannot be deleted or encrypted along with everything else.
Why? Simple. The threat actors have detailed playbooks when it comes to destroying your environment, and want you to pay the ransom. They have instructions on how to target your backup infrastructure, and will try to delete or encrypt your backups.
You need to make sure all VMs are backed up. To do this, and to make sure you don’t have any gaps in coverage, you need a good understanding of every application in your environment and its components.
We’ve all dealt with an app that’s super old, on an outdated operating system, but is still somehow a critical part of business operations. Its longevity means there’s a surprisingly good chance it isn’t being backed up properly.
While many organizations have data protection for VMs down to a science today, that may not have been true when the app was first deployed. Now is the time to do any due diligence needed to make sure all assets are protected. It’s also a good idea to make sure you’re protecting apps according to their criticality.
For the most mission-critical apps in your environment, a daily backup may not be enough. Once you have the VMs protected, it’s time to make sure the data protection matches their business requirements.
Once you have a base level of protection in the environment and are confident you can meet your recovery point objectives (RPOs), it’s time to focus on recovery time objectives (RTOs). This is where multiple copies of your data come in. You want a copy of your VM backups already sitting in every location you plan to recover to, so that recovery starts with a restore rather than with a transfer.
If you plan on recovering to your second data center, you should have a copy there. If you plan on recovering to a service provider, colocation facility, or VMware Cloud Solution, you need to have a copy of your VM backups there.
Besides making sure you can meet your RTOs, multiple copies of your data also reduce risk, since you know threat actors will target your backup environment. The copy they cannot reach, offline or immutable, is the one you will end up recovering from.
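The checks above (every VM is in the inventory and backed up, the newest restore point is within the RPO for its criticality, a copy exists at every planned recovery site, and at least one copy is offline) are easy to state and easy to let drift. The following is an added example for this article, not the author’s tooling or any backup vendor’s API: it runs those checks over a constructed set of VMs and backup records. The VM names, criticality tiers and their RPOs, site names and timestamps are all made up; in practice the hypervisor list would come from vCenter and the copies from the backup product’s catalog.

```python
"""Audit VM backup coverage against RPOs and planned recovery sites.

Added example for this article, not the author's tooling. The VM names, tiers,
sites and backup records are constructed; a real run would pull them from the
backup tool's catalog and from vCenter.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class BackupCopy:
    vm: str
    site: str            # where this copy physically lives
    taken: datetime      # timestamp of the restore point (UTC)
    offline: bool        # air-gapped or immutable: an attacker's playbook cannot delete it


# Hypothetical criticality tiers and the RPO each one is allowed
RPO_BY_TIER = {
    "tier0": timedelta(hours=1),
    "tier1": timedelta(hours=4),
    "tier2": timedelta(hours=24),
}


def audit_backups(hypervisor_vms: Set[str], app_inventory: Dict[str, str],
                  copies: List[BackupCopy], recovery_sites: Set[str],
                  now: datetime) -> Dict[str, List[str]]:
    """Return {vm: [findings]} for every VM that fails a check; clean VMs are absent."""
    copies_by_vm = defaultdict(list)
    for c in copies:
        copies_by_vm[c.vm].append(c)

    findings: Dict[str, List[str]] = {}
    # Walk the union so both "running but undocumented" and "documented but gone" surface.
    for vm in sorted(hypervisor_vms | set(app_inventory)):
        issues = []
        tier = app_inventory.get(vm)
        if tier is None:
            issues.append("not in the application inventory; criticality and RPO unknown")
        if vm not in hypervisor_vms:
            issues.append("in the inventory but not found on the hypervisor")

        vm_copies = copies_by_vm.get(vm, [])
        if not vm_copies:
            issues.append("no backup copies at all")
        else:
            age = now - max(c.taken for c in vm_copies)
            if tier is not None and age > RPO_BY_TIER[tier]:
                issues.append(f"RPO missed: newest copy is {age} old, RPO is {RPO_BY_TIER[tier]}")
            for site in sorted(recovery_sites):
                if not any(c.site == site for c in vm_copies):
                    issues.append(f"no copy at planned recovery site '{site}'")
            if not any(c.offline for c in vm_copies):
                issues.append("no offline or immutable copy")
        if issues:
            findings[vm] = issues
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Constructed data: four VMs, two recovery sites (dc2, cloud), one offline vault."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

    def ago(hours: float = 0, days: int = 0) -> datetime:
        return now - timedelta(hours=hours, days=days)

    hypervisor_vms = {"web01", "db01", "file01", "legacy-erp"}
    app_inventory = {"web01": "tier1", "db01": "tier0", "file01": "tier2"}  # legacy-erp was never documented
    copies = [
        BackupCopy("web01", "dc2", ago(hours=1), False),
        BackupCopy("web01", "cloud", ago(hours=1), False),
        BackupCopy("web01", "vault", ago(hours=9), True),
        BackupCopy("db01", "dc2", ago(hours=0.5), False),
        BackupCopy("db01", "vault", ago(hours=12), True),
        BackupCopy("file01", "dc2", ago(days=2), False),   # stale, single copy, nothing offline
    ]
    return audit_backups(hypervisor_vms, app_inventory, copies, {"dc2", "cloud"}, now)


if __name__ == "__main__":
    for vm, issues in run_sample().items():
        print(vm)
        for issue in issues:
            print("  -", issue)
```

On the constructed data, web01 passes, db01 has no copy at the cloud site, file01 has missed its RPO and has neither a cloud nor an offline copy, and legacy-erp is the forgotten app: running, undocumented, and never backed up. Run something like this on a schedule and treat a non-empty result the same way you would treat a failed backup job.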
There’s no silver bullet solution to protecting VMware and your VMs from ransomware, but there are things you can do today to make sure you can recover tomorrow. You must assume that at some point your environment will be compromised, and you’ll need to recover accordingly.
Once these plans are in place, you should test them on a regular basis, not only so you can practice, but so you can find any problems with your recovery plans before you need to use them.