Many ransomware recovery plans are based on restoring entire VMs. A ransomware attack typically doesn’t encrypt every file, so you shouldn’t need to restore every file to recover. Normal day-to-day business functions routinely change data, and those changes are coordinated across multiple files, databases, or even VMs. If you roll back files that the attack never touched, you may lose committed transactions or leave the system out of sync with others that still hold the newer data.
A better approach is to make file-level recovery, such as Rubrik’s instant file recovery, part of a layered recovery plan so that you restore only what the attack actually damaged.
Let's discuss how Zaffre can take advantage of this.
The IT team can navigate to the Haverford_Site > haverford-webapp-01 > var > www > html > wp-content > plugins folder, as explained in the previous "Determining the blast radius" section.
Clear the previously selected Suspicious and File Changes filters from the left panel.
Select all the file rows on the page by checking the box in the header row next to Name.
After selecting the files, notice that the Recover button becomes available.
Click Recover and review the options available for recovering the files.
For now, exit the recovery dialog without restoring anything. We will perform the recovery in a later section.
With Rubrik, multiple options for instant file recovery are available at your fingertips!
As Rubrik collects each backup snapshot’s metadata, it uses machine learning to build a baseline of what normal activity looks like for the workload. The model is trained on the trends present across all snapshots and classifies new data by its similarity to that baseline, without requiring human input. The result is that Anomaly Detection flags the abnormal snapshot, analyzes the affected files, and helps accelerate recovery with a few clicks.
Anomaly Detection is available in the Rubrik Security Cloud as an application.
Anomaly Detection has a dedicated page that lists potential anomalous incidents with their location, cluster, file details, and snapshot time. If you have Cyber Recovery (discussed in a later section) enabled, objects that are part of a recovery plan will be grouped under that recovery plan.
This page gives you an overview of which systems and applications the cyber attack has affected.
Now, let's dive deeper into which folders and files are impacted.
Having access to this kind of information is invaluable. Because every anomaly in your environment is tracked, you can pinpoint where the damage is and choose the last clean snapshot before the anomaly appeared as your recovery point. There are multiple options for recovery, which we will discuss in the next section.
Expand the Haverford_site recovery plan and click the haverford-webapp-01 VM.
Navigate to Browse.
Expand the Suspicious filter on the left side and select Suspicious as the file type.
Browse to see exactly which files and folders have been affected. In this case, drill down to var > www > html > wp-content > plugins.
You can now see that several files have been encrypted.
Now that you have determined the blast radius, you can proceed to recovery.
Without Anomaly Detection, determining which systems, files, and folders were impacted, and where the clean recovery point is, would be a "needle in a haystack" exercise.
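To make the two ideas on this page concrete, namely determining the blast radius (which files in a snapshot look encrypted) and recovering only those files rather than the whole VM, here is an added, stand-alone Python example. It is not Rubrik code and does not use Rubrik's API or its ML model: a Shannon-entropy heuristic stands in for the anomaly classifier, and the two snapshot "manifests" (path to file contents), the plugin source, the orders file and the `.locked` extension are all constructed sample data.

```python
"""Blast-radius analysis and selective file recovery (illustrative, not Rubrik code).

Compares a post-attack snapshot against the last known-clean snapshot, flags
files that look encrypted, and builds a recovery plan that restores only those
files, so legitimate business changes made since the clean snapshot survive.
"""
import hashlib
import math
from collections import Counter

# Plaintext code compresses to roughly 4-5 bits/byte; ciphertext approaches 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def fake_ciphertext(seed: bytes, size: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for a ransomware-encrypted file."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# --- Constructed sample snapshots (hypothetical paths and contents) ----------
PLUGIN_PHP = (b"<?php\n/* Plugin Name: Hello */\nfunction hello_dolly() {\n"
              b"    echo 'Hello, Dolly';\n}\nadd_action('admin_notices', 'hello_dolly');\n") * 3
ORDERS_V1 = b"order_id,sku,qty\n1001,ZF-100,2\n1002,ZF-220,1\n"
ORDERS_V2 = ORDERS_V1 + b"1003,ZF-310,4\n"   # a real order placed after the clean snapshot

CLEAN_SNAPSHOT = {
    "var/www/html/wp-content/plugins/hello.php": PLUGIN_PHP,
    "var/www/html/wp-content/plugins/akismet/akismet.php": PLUGIN_PHP,
    "var/www/html/wp-content/uploads/orders.csv": ORDERS_V1,
}
POST_ATTACK_SNAPSHOT = {
    # encrypted in place
    "var/www/html/wp-content/plugins/akismet/akismet.php": fake_ciphertext(b"akismet"),
    # encrypted and renamed with an appended extension
    "var/www/html/wp-content/plugins/hello.php.locked": fake_ciphertext(b"hello"),
    # legitimately updated by the business; must NOT be rolled back
    "var/www/html/wp-content/uploads/orders.csv": ORDERS_V2,
}


def plan_recovery(clean: dict, current: dict) -> dict:
    """Classify every path and decide what to restore from the clean snapshot.

    restore   clean paths whose current content looks encrypted (or vanished)
    delete    encrypted artefacts left behind under a new name
    keep      files changed by normal activity; restoring them loses data
    review    new high-entropy files with no clean counterpart (needs a human)
    unchanged identical in both snapshots
    """
    plan = {"restore": [], "delete": [], "keep": [], "review": [], "unchanged": []}
    accounted = set()
    for path, data in current.items():
        if path in clean:
            accounted.add(path)
            if data == clean[path]:
                plan["unchanged"].append(path)
            elif looks_encrypted(data) and not looks_encrypted(clean[path]):
                plan["restore"].append(path)
            else:
                plan["keep"].append(path)
            continue
        stem = path.rsplit(".", 1)[0]        # strip an appended ransomware extension
        if stem in clean and looks_encrypted(data):
            accounted.add(stem)
            plan["restore"].append(stem)
            plan["delete"].append(path)
        elif looks_encrypted(data):
            plan["review"].append(path)
        else:
            plan["keep"].append(path)
    for path in clean:                       # deleted by the attack: restore as well
        if path not in accounted:
            plan["restore"].append(path)
    return {k: sorted(v) for k, v in plan.items()}


def apply_plan(clean: dict, current: dict, plan: dict) -> dict:
    """Return the recovered file set: restore only what the plan names."""
    recovered = dict(current)
    for path in plan["delete"]:
        recovered.pop(path, None)
    for path in plan["restore"]:
        recovered[path] = clean[path]
    return recovered


if __name__ == "__main__":
    plan = plan_recovery(CLEAN_SNAPSHOT, POST_ATTACK_SNAPSHOT)
    for bucket, paths in plan.items():
        print(f"{bucket:>9}: {paths}")
    recovered = apply_plan(CLEAN_SNAPSHOT, POST_ATTACK_SNAPSHOT, plan)
    print("orders.csv after recovery still has the new order:",
          ORDERS_V2 == recovered["var/www/html/wp-content/uploads/orders.csv"])
```

The point of the `keep` bucket is the one made at the top of the page: a whole-VM restore from the clean snapshot would silently drop order 1003, whereas the file-level plan restores the two plugin files and leaves orders.csv alone. In practice the entropy heuristic is only a stand-in; an ML classifier like the one described above, plus a human look at the `review` bucket, is what you would rely on before executing the plan.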