If a VMware virtual machine that you've been backing up with Hybrid Workloads (Phoenix) is afflicted by ransomware, you can immediately contain the spread and recover from the attack. The Ransomware Recovery service by Druva allows you to quarantine all the affected snapshots of this virtual machine. Once you quarantine a snapshot, you cannot restore any data from it, limiting the scope of the ransomware attack as a consequence. For more information on quarantining a VMware resource, editing the quarantine range, un-quarantining a snapshot, or deleting quarantined snapshots, see Ransomware Recovery for VMware.
This article explains how quarantining a snapshot affects virtual machine restores, MS SQL point-in-time restores, and VMware instant restores. It also describes how Hybrid Workloads (Phoenix) computes the quarantine range.
Restores from quarantined snapshots and quarantine range
You cannot perform VM restores, MS SQL restores, and VMware Instant Restores from quarantined snapshots. You can only restore from snapshots that are deemed safe and haven’t been quarantined in Ransomware Recovery.
Note: The Files and Folders hierarchy view is not displayed in the restore dialog box if you perform a VM Restore from a quarantined snapshot. A snapshot needs to be mounted before the files and folders list can be displayed. Druva blocks mounts of quarantined snapshots.
The quarantine range displayed on the Restore MS SQL Databases page for SQL Point in time and Transaction Mark Restores may be larger than the quarantine range defined in Ransomware Recovery. Here is why: During a SQL point in time restore, Druva Phoenix first restores the snapshot created for the full backup and then restores all the snapshots created for log backups. If any snapshot is quarantined in Ransomware Recovery, Druva Phoenix automatically quarantines all snapshots linked with the quarantined snapshot. This makes the quarantine range in Hybrid Workloads (Phoenix) larger than the range specified in Ransomware Recovery.
For Transaction Mark Restores, Hybrid Workloads (Phoenix) does not consider the transaction mark creation time; it quarantines all the snapshots linked to the quarantined marked transaction log. As a consequence, the quarantine range in Hybrid Workloads (Phoenix) again becomes larger than the range specified in Ransomware Recovery.
The extended quarantine range is computed as follows:
| Snapshot quarantined from Ransomware Recovery | Quarantine range in Hybrid Workloads (Phoenix) includes |
| --- | --- |
| Snapshot associated with a full backup | The full backup snapshot and all associated log backup snapshots. |
| Snapshot associated with a log backup | The log backup snapshot and all subsequent log backup snapshots. |
| No snapshots found in the quarantined range | All log backup snapshots created after the quarantined range. |
In the following example, we quarantined full and log backup snapshots for a VMware resource in Ransomware Recovery from February 24, 2022, to February 26, 2022.
The quarantine range displayed in Hybrid Workloads (Phoenix) is from February 24, 2022, to March 02, 2022. The quarantine range is larger than the ransomware recovery range because, in addition to the quarantined snapshots, all linked log backup snapshots have been quarantined as well.
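The three rules in the table above can be modelled in a short Python sketch, which is an added example and not Druva's code. The `Snap` type, the function names, and the backup history are constructed, and the sketch assumes that a log chain ends at the next full backup.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Snap:
    day: date
    kind: str  # "full" or "log"

def extended_quarantine(snaps, start, end):
    """Snapshots blocked for SQL restores when [start, end] is quarantined."""
    snaps = sorted(snaps, key=lambda s: s.day)
    # Assumption: a chain is one full backup plus the logs taken before the next full.
    chain, cid = [], -1
    for s in snaps:
        if s.kind == "full":
            cid += 1
        chain.append(cid)
    hit = [i for i, s in enumerate(snaps) if start <= s.day <= end]
    blocked = set(hit)
    if hit:
        # Rows 1 and 2: every later log backup in the same chain depends on the hit.
        for i in hit:
            blocked.update(j for j in range(i + 1, len(snaps))
                           if chain[j] == chain[i] and snaps[j].kind == "log")
    else:
        # Row 3: no snapshot in the range, so block the logs that follow it in the open chain.
        prior = [i for i, s in enumerate(snaps) if s.day < start]
        open_chain = chain[prior[-1]] if prior else -1
        blocked.update(j for j, s in enumerate(snaps)
                       if s.day > end and chain[j] == open_chain and s.kind == "log")
    return [snaps[i] for i in sorted(blocked)]

def displayed_range(snaps, start, end):
    """First and last blocked snapshot dates, or None if nothing is blocked."""
    blocked = extended_quarantine(snaps, start, end)
    return (blocked[0].day, blocked[-1].day) if blocked else None

# Constructed history: full on Feb 24, logs through Mar 02 (none on Feb 28), next full on Mar 03.
SAMPLE = (
    [Snap(date(2022, 2, 24), "full")]
    + [Snap(date(2022, m, d), "log") for m, d in [(2, 25), (2, 26), (2, 27), (3, 1), (3, 2)]]
    + [Snap(date(2022, 3, 3), "full"), Snap(date(2022, 3, 4), "log")]
)

if __name__ == "__main__":
    print(displayed_range(SAMPLE, date(2022, 2, 24), date(2022, 2, 26)))
```

With this constructed history, quarantining February 24 to February 26 yields a displayed range of February 24 to March 02, matching the example above.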