This content is part of the Essential Guide: Understand VMware disaster recovery from start to finish
Problem solve Get help with specific problems with your technologies, process and projects.

What to do when a CryptoLocker virus attacks

Before a cryptovirus strikes, test and airgap your backups to make sure they work. Should you find yourself under attack, think carefully about your recovery process.

The CryptoLocker virus turns your virtual servers -- the life of your data center -- into encrypted blocks of data waiting for an unlock code. Although no fix is ever completely effective, there are methods to more easily and safely recover your virtual data.

CryptoLocker viruses are a form of malware that encrypts your data or servers and demands a ransom payment -- normally in bitcoin -- to gain the decryption key. Although such viruses don't directly attack VMware, this Windows-focused attack can wreak havoc on your virtual environments. Some victims have paid the ransom, but paying doesn't guarantee the safety of your data, which might not unlock properly and could still get lost.

Test your backups

Your backups should be the first fallback in emergencies. You must test your backups with a variety of workloads on a routine basis to ensure they work as planned.

Although it takes time, hackers often deploy malware targeting your backup systems to wipe them out before they fully deploy the CryptoLocker virus. Remember that such hackers are engineers of equal or better skill than your IT staff, so be wary of underestimating their abilities.

In the event of a disaster, your secondary site can save you. However, if your secondary site is comprised of replicated data, you have no guarantee that it's not just as compromised as your primary site. You can use technologies such as Malwarebytes Anti-Malware and Bitdefender Antivirus to scan both backups and replication for malware and cryptoviruses, but be sure to install and test them first.

The airgap concept

Online backups are valuable, but they can lull you into a false sense of security. You might think that you can simply restore your data from a backup and move on, but that's not always an option.

Online backups are valuable, but they can lull you into a false sense of security.

Online backup systems are fallible, but the airgap concept can help you mitigate the risk. Airgapping your backups requires you to take copies of your backups annually -- or, better yet, quarterly -- and spin them onto tape, which you can physically lock away in a cabinet. This provides an offline backup that you can use in the event your backup systems are compromised.

You also need to consider a few key factors, such as what you need to back up, whether it's everything you have or whether storage constraints require you to select key folders and data. The more selective you are, the more you might struggle in the event of a major restoration.

It's not a perfect system. Several months' worth of data might be a huge amount to lose, especially if storage constraints require you to be picky, but it's better than losing everything.

Think things through

In a moment of a crisis, you might not take the time to research the specific CryptoLocker virus you're up against or fully engage with the proper authorities before starting your recovery efforts. If you've been careful -- if you have airgapped backups or you have an uncompromised online backup system -- your first reaction might be to simply delete the affected VMs and restore them from your backups.

You might not consider alternate methods for unlocking that version of the CryptoLocker virus. If you delete an affected VM that you could unlock, you've just created more work for yourself.

When a cryptovirus strikes, move the affected VMs to any spare storage you have. You might even consider taking a trip to a local electronics store for USB drives or using local drives in your hosts. That way, in the event that you can unlock those VMs, you haven't lost the data.

You can also use standby infrastructure servers in a cold state. Domain name system, Dynamic Host Configuration Protocol and Active Directory servers, which you would normally power on only once a quarter, provide a virtual airgap for your key infrastructure roles at the cost of the storage to host them. It's not ideal, but it works as a last resort.

Dig Deeper on Data center architecture for VMware ESX and ESXi