
Quarantine for AWS Workloads - EC2, EBS Volume

Updated today

License editions: To understand the applicable license editions, see Plans & Pricing.

Introduction

The risk of a cybersecurity failure is no longer limited to the reputation of a company, or something to be borne by its customers, but is an existential risk to the company itself. Ransomware extorts the business with the one universal thing all businesses value – their own data. Needless to say, you need to be well prepared for this danger.

In this article, we will help you understand how Ransomware Recovery by Druva can help save the day in case you are unfortunately attacked by ransomware.

In case of an infection, to quarantine is to isolate the infected parts in order to contain the infection and not allow it to spread. To this effect, Ransomware Recovery enables you to quarantine infected snapshots (Recovery Points) on the impacted resources, which helps safeguard your system from further infection by barring users or administrators from downloading or restoring data to other resources.

To reduce downtime and loss of productivity, you can restore the data from the latest secure snapshot that you deem safe and get the resource operational again.

Here's how you can use Ransomware Recovery to quarantine infected snapshots (Recovery Points) in the following ways:

  • Manually search for the impacted resource and quarantine the infected or all the snapshots (Recovery Points).

  • Integrate Ransomware Recovery with third-party security and incident response solutions and automate the response to quarantine the resources using Ransomware Recovery APIs.

Know the impact of quarantining

  • After you quarantine snapshots (Recovery Points), access to the quarantined snapshots (Recovery Points) is blocked for the administrators and the users of that resource.

  • Administrators and users cannot download data or restore data from the quarantined snapshots (Recovery Points).
    You can identify quarantined snapshots (Recovery Points) by the quarantine icon displayed beside the snapshot name in the Restore Data window. For more information about restores involving quarantined snapshots (Recovery Points), see Quarantine EC2 Recovery Points.


❗ Important

The data in the unquarantined (clean) snapshots (Recovery Points) of the resource are still accessible and can be viewed, downloaded, or restored by administrators.


Decide your approach

Druva enables you to set up your response in Ransomware Recovery. You can either manually quarantine snapshots (Recovery Points) on impacted AWS Workloads (EC2, EBS Volume) or automate the quarantine process using Ransomware Recovery V2 APIs.

The Quarantine feature is exclusively supported for snapshots created via a Druva Cloud backup policy, specifically when the Snapshot + Backup to Druva Cloud option is selected. Snapshots created with only the Snapshot option as part of a snapshot orchestration backup policy cannot be quarantined.

Manually quarantine infected snapshots (Recovery Points)

The manual way of quarantining the snapshots (Recovery Points) on a resource is helpful when you learn about impacted AWS Workloads (EC2, EBS Volume) from a trusted source, such as the administrator of the resource or alerts raised by your security infrastructure and antivirus software about a potential risk.

Prerequisites
Identify the potential date when the resource was infected by ransomware. It helps you decide from which date onwards you want to quarantine the snapshots (Recovery Points) on the resource.


πŸ“ Note
​If you are unaware or not sure about the date, you can start quarantining the snapshots (Recovery Points) of the impacted resource from the current date or from January 6, 2020, a system-defined limit, before which you cannot quarantine snapshots.


💡 Tip

You can always talk to the people in your organization whose AWS Workloads (EC2, EBS Volume) are impacted and track their potential activities, such as the files they downloaded or interacted with on a particular day that infected the AWS Workloads (EC2, EBS Volume).


Choose the best way to quarantine the resource

You can manually quarantine AWS Workloads (EC2, EBS Volume) using any of the following methods:

  • Search and then quarantine a resource - Use this option when you want to search for an impacted resource, identify the snapshots (Recovery Points), and then take quarantine action on the snapshots. To use this option, see Search and quarantine a resource.

  • Quarantine resources in bulk using CSV - Use this option when you have to quarantine multiple AWS Workloads (EC2, EBS Volume) and already have the following information, which saves effort:

    • Organization Name - The name of the organization that contains the AWS Workloads (EC2, EBS Volume) that you want to quarantine.

    • AWS Account Name - The AWS account to which the resource belongs.

    • Resource ID - The unique resource or instance ID for AWS Workloads (EC2, EBS Volume).

    • Resource Type - The resource type that you want to quarantine. For example, AWS Workloads (EC2, EBS Volume).

    • From Date - The date from which you want to quarantine the snapshots (Recovery Points), in the YYYY-MM-DD format. This should be the date on which the virtual machine was impacted. If you do not enter a date, it will start quarantining all snapshots of the virtual machine from January 6, 2020.

    • To Date - The date until which you want to quarantine the resource, in the YYYY-MM-DD format. If you want to quarantine snapshots (Recovery Points) in a specific time period, enter the date until which you want to quarantine snapshots. If you do not enter a date, Druva will keep quarantining snapshots indefinitely.
      To use this option, see Quarantine snapshots in bulk using CSV.

Search and quarantine a resource

Use this option when you want to search for AWS Workload (EC2, EBS Volume), identify the snapshots (Recovery Points), and then quarantine them.

Procedure

  1. From the DCP Console, go to Global navigation menu > Ransomware Recovery.

  2. On the left pane, click Quarantine Bay to view a list of all quarantined resources.

  3. Click Add Resources > Find Resources. Select AWS Workload (EC2, EBS Volume) as the resource type.

  4. Search for the impacted AWS Workload (EC2, EBS Volume). You can search for AWS Workloads using either one or a combination of the Organizations, AWS Accounts, Regions, and Match criteria - Resource Name or Tags. Click Search.

  5. Select the resource for which you want to quarantine the snapshots (Recovery Points) and click Next.

  6. On the Quarantine Snapshots page, select one of the following based on the information available to you:

    • Snapshots within date range - Choose this option only if you are sure about the dates when the resource was impacted. If you are not sure about the date, choose the next method: Quarantine all snapshots.
      When you choose Snapshots within date range, you can specify and add one or more date ranges to quarantine all the snapshots for the selected resource within the defined ranges. All the snapshots created on the AWS Workloads (EC2, EBS Volume) by backups within the defined ranges will be moved to a quarantine state.


      ❗ Important

      • You can select snapshots (Recovery Points) for quarantine not earlier than January 6, 2020.

      • Quarantine date ranges are applied in UTC. Factor in the difference between the server time zone and UTC when selecting the dates.


    • Quarantine all snapshots - Choose this method if you are unsure about the exact date when the resource may have been impacted. When you choose Quarantine all snapshots, it quarantines all the snapshots (Recovery Points) after January 6, 2020 (a system-defined limit) and keeps quarantining all future snapshots created by AWS Workloads (EC2, EBS Volume) backups.

  7. Click Finish.

Quarantining of snapshots (Recovery Points) starts based on the selection of options mentioned above. See What's next to take the suggested course of action.

Quarantine snapshots in bulk using CSV

Use this option when you want to quarantine snapshots (Recovery Points) for multiple AWS Workloads (EC2, EBS Volume) resources.

Procedure

  1. On the DCP Console dashboard, go to Global navigation menu > Ransomware Recovery.

  2. On the left pane, click Quarantine Bay to view a list of all quarantined resources.

  3. Click Add Resources > Import CSV. The Import Resources to Quarantine Bay dialog box appears.

  4. Select AWS Workloads as the Resource Type.

  5. Browse to select a specific CSV file. If you do not have a CSV file handy, you can use the Download the sample CSV file option.

  6. Open the CSV file and provide the following information in the required format:

    • Organization Name - The name of the organization that contains the AWS Workloads (EC2, EBS Volume) that you want to quarantine.

    • AWS Account Name - The AWS account to which the resource belongs.

    • Resource ID - The unique resource or instance ID for AWS Workloads (EC2, EBS Volume).

    • Resource Type - The resource type that you want to quarantine. For example, AWS Workloads (EC2, EBS Volume).

    • From Date - The date from which you want to quarantine the snapshots (Recovery Points), in the YYYY-MM-DD format. This should be the date on which the virtual machine was impacted.


      ❗ Important

      If you do not mention any date, it will start quarantining all snapshots (Recovery Points) of the virtual machine from January 6, 2020.


    • To Date - The date until which you want to quarantine the virtual machine, in the YYYY-MM-DD format. If you want to quarantine snapshots (Recovery Points) in a specific time period, enter the date until which Druva should quarantine snapshots.


      ❗ Important

      If you do not mention any end date, it will keep quarantining snapshots (Recovery Points) indefinitely.


  7. Save the CSV.

  8. On the Import from CSV dialog box, select the CSV file and click Import.

After the CSV is validated, the snapshots (Recovery Points) on the AWS Workloads (EC2 and EBS Volume) of the organizations mentioned in the CSV are quarantined.

You have successfully quarantined the infected resources, which will now help contain the ransomware attack. Refresh the Quarantine Bay page to view the quarantined list of AWS Workloads (EC2 and EBS Volume) resources.
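The CSV fields above have rules worth checking before you import the file (YYYY-MM-DD dates, nothing earlier than January 6, 2020, an empty To Date meaning indefinite quarantine) and, as noted under the date-range option, quarantine ranges are applied in UTC. The following pre-import check is an added example written for this article, not Druva's code; the column header names and the EC2/EBS resource id pattern are assumptions, so take the real header names from the sample CSV that the Import dialog lets you download.

```python
# Added example, not Druva's code: check a bulk-quarantine CSV against the rules this
# article states before importing it. Column names are assumed; take the real ones
# from the sample CSV that the Import dialog offers for download.
import csv
import io
import re
from datetime import date, datetime, timedelta, timezone

EARLIEST = date(2020, 1, 6)  # system-defined limit: nothing earlier can be quarantined
COLUMNS = ["Organization Name", "AWS Account Name", "Resource ID",
           "Resource Type", "From Date", "To Date"]  # assumed header names
RESOURCE_ID = re.compile(r"^(?:i|vol)-[0-9a-f]{8}(?:[0-9a-f]{9})?$")  # i-/vol- + 8 or 17 hex

def utc_date(local_ts: str, utc_offset_hours: float) -> str:
    """Ranges are applied in UTC: map a local 'YYYY-MM-DD HH:MM' time to its UTC date."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).date().isoformat()

def _parse(value: str):
    # Empty From Date means "from 2020-01-06", empty To Date means "indefinitely"
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None

def validate_row(row: dict) -> list[str]:
    """Return the problems in one row; an empty list means the row is importable."""
    problems = [f"{c} is empty" for c in COLUMNS[:4] if not (row.get(c) or "").strip()]
    if not RESOURCE_ID.match(row.get("Resource ID") or ""):
        problems.append("Resource ID is not an EC2 instance (i-) or EBS volume (vol-) id")
    try:
        start, end = (_parse((row.get(c) or "").strip()) for c in ("From Date", "To Date"))
    except ValueError:
        return problems + ["dates must be YYYY-MM-DD"]
    if start and start < EARLIEST:
        problems.append(f"From Date is before the {EARLIEST} limit")
    if start and end and end < start:
        problems.append("To Date is before From Date")
    return problems

def validate_csv(text: str) -> dict[int, list[str]]:
    """Map 1-based data-row numbers to their problems; clean rows are omitted."""
    reader = csv.DictReader(io.StringIO(text))
    return {n: p for n, row in enumerate(reader, 1) if (p := validate_row(row))}

# Constructed sample: row 1 is clean, row 2 starts before the limit, row 3 has a bad
# resource id and an end date before its start date.
SAMPLE = """Organization Name,AWS Account Name,Resource ID,Resource Type,From Date,To Date
Finance,prod-account,i-0ab12cd34ef567890,EC2,2024-03-01,
Finance,prod-account,vol-0123456789abcdef0,EBS Volume,2019-12-31,2024-03-10
HR,dev-account,server-01,EC2,2024-03-01,2024-02-01
"""
```

Run `validate_csv(SAMPLE)` to list the rows the import would reject, and `utc_date("2024-03-01 22:30", -8)` to get the UTC date to put in From Date for an infection observed late evening in a UTC-8 server time zone.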

What’s next?

Now that you have quarantined the infected snapshots (Recovery Points), you might be wondering what to do next. You can take the following actions to contain the ransomware and bring up the resources to resume productivity.


❗ Important

We highly recommend that you work with your Data Security and IT teams to take appropriate steps to resolve such a situation.


  • Share the impacted AWS Workloads data with the Data and Information security team of your organization for further analysis of the infected data and the AWS Workloads (EC2 and EBS Volume).

  • Allocate a new EC2 instance or a new EBS Volume to the user. Once you replace the EC2 instance or EBS Volume, ensure that you unquarantine future snapshots (Recovery Points) of the impacted EC2 instance/EBS Volume. Otherwise, Druva will keep quarantining the snapshots even in the new AWS Workload (EC2, EBS Volume). To unquarantine a resource, see Unquarantine a resource.

Unquarantine a resource or remove a resource from quarantine bay

After you have completed the required inquiry into the impacted resources with the help of your Data Security and IT teams, you may find that some resources were falsely marked as ransomware-impacted. In this case, you might want to remove the resource and its snapshots (Recovery Points) from the quarantined state and mark them as clean.

When you unquarantine a resource, all the quarantine ranges defined for that resource are removed from the quarantine state.

After you unquarantine the resource, administrators and users can again securely restore and download data from those clean snapshots (Recovery Points), resulting in no data loss.

Procedure

  1. From the DCP Console, go to Global navigation menu > Ransomware Recovery.

  2. On the left pane, click Quarantine Bay to view a list of all quarantined resources.

  3. Select the resource that you want to remove.

  4. Click more options > Remove from Quarantine Bay.

Once removed, users and administrators can access the data in the unquarantined snapshots (Recovery Points) and can download and restore it.

Delete infected snapshots of a resource


❗ Important

You cannot delete snapshots (Recovery Points) of a resource if Data Lock is enabled for that resource in the backup policy. You may not see a Data Lock icon beside a Non-Air Gap AWS Workloads (EC2 and EBS Volume) resource even though Data Lock is enabled for the snapshot.


You might have to clean the existing EC2 instance/EBS Volume or provide a new EC2 instance or a new EBS Volume to the user after your Data or Information Security teams have completed their analysis on the impacted EC2 instance/EBS Volume.

After receiving access to the new EC2 instance/EBS Volume, the user can restore the last clean snapshot of the old EC2 instance/EBS Volume. Once the restore activity is complete, you can delete the infected snapshots (Recovery Points) of the AWS Workload (EC2/EBS Volume).


💡 Tip

Snapshot deletion is irreversible. You cannot access or recover any data from the deleted snapshots (Recovery Points), which are not displayed in the Restore Data window in the Druva Management Console.


Procedure

  1. On the DCP Console dashboard, go to Global navigation menu > Ransomware Recovery.

  2. On the left pane, click Quarantine Bay to view a list of all quarantined resources.

  3. Click the resource name to view the snapshots (Recovery Points) of that resource.

  4. Click the Snapshots tab. The list of all the infected snapshots (Recovery Points) is displayed. Select the snapshot to be deleted and then click Delete Snapshot.

  5. On the Confirm Deletion confirmation pop-up, specify the reason for deletion (the reason is mandatory and must be 10 to 150 characters long) and then click Delete. Data, once deleted, cannot be retrieved. The reason for deletion is captured in the Audit Trail for auditing purposes.

Automatically quarantine infected snapshots using APIs

Use the Ransomware Recovery V2 APIs to automate the quarantine action if there is a ransomware attack.
