Automated Ransomware Recovery

How to recover your workload with Arpio following a Ransomware attack

When recovering from a ransomware attack, it is important that any malware carried over into your recovered systems cannot activate and spread to the rest of the recovered environment. Automated Ransomware Recovery is an Arpio Enterprise feature that lets you quarantine and malware-scan your systems during recovery. In this article, we walk through how Arpio helps you recover safely from a ransomware attack, and how to use Arpio to quickly scan your recovered workload for malware.

Enabling Ransomware Recovery

Enabling ransomware recovery is as simple as checking the Enable Ransomware Recovery box in the Failover dialog.



Arpio will perform a complete failover of all resources, including data and configuration. For resources that can be quarantined (currently EC2 instances), Arpio replaces the usual security groups with a special security group (called Arpio Quarantine) that blocks all outbound traffic from the resource and most inbound traffic to it. This prevents potentially compromised resources from reaching other parts of your environment.

Arpio also creates a second security group (called Arpio Quarantine Forensics) that gives limited access to the quarantined systems for your own forensic investigation.
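To make the quarantine rule concrete, here is an added example (not Arpio's code) that audits whether an instance is actually isolated by its security groups. The group and instance dicts mirror the shape of boto3's describe_security_groups and describe_instances output, and the sample data is constructed with placeholder IDs. The policy it checks for (no egress rule at all, inbound allowed only by reference to the forensics group) is an assumption about the intended rules, not a description of how Arpio builds its groups.

```python
"""Audit whether an EC2 instance is really network-isolated by its security
groups, in the spirit of the Arpio Quarantine group described above.

Added example, not Arpio's code. Group and instance dicts mirror the shape of
boto3's describe_security_groups / describe_instances output; the sample data
is constructed. The policy checked (no egress at all, inbound only by
reference to the forensics group) is an assumption about the intended rules.
"""


def describe_rule(rule):
    """Render one IpPermission entry as 'proto/ports [sources]'."""
    proto = rule.get("IpProtocol", "-1")
    ports = "all" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
    sources = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
               + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
               + [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
               + [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])])
    return f"{proto}/{ports} {sources}"


def quarantine_violations(group, forensics_sg_id):
    """Reasons why `group` is not a strict quarantine group (empty == strict)."""
    problems = []
    # AWS adds an allow-all egress rule (-1 to 0.0.0.0/0) to every new group;
    # a quarantine group must have every egress rule removed.
    for rule in group.get("IpPermissionsEgress", []):
        problems.append("egress allowed: " + describe_rule(rule))
    for rule in group.get("IpPermissions", []):
        if rule.get("IpRanges") or rule.get("Ipv6Ranges") or rule.get("PrefixListIds"):
            problems.append("ingress from address range: " + describe_rule(rule))
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != forensics_sg_id:
                problems.append("ingress from non-forensics group " + str(pair.get("GroupId")))
    return problems


def instance_is_isolated(instance, groups_by_id, quarantine_sg_id, forensics_sg_id):
    """Return (isolated?, reason). Security groups are additive, so any other
    group left attached next to the quarantine group reopens the instance."""
    attached = sorted(g["GroupId"] for g in instance.get("SecurityGroups", []))
    if attached != [quarantine_sg_id]:
        return False, f"attached groups {attached}; expected only {quarantine_sg_id}"
    problems = quarantine_violations(groups_by_id[quarantine_sg_id], forensics_sg_id)
    if problems:
        return False, "; ".join(problems)
    return True, "isolated"


# Constructed sample data (placeholder IDs).
FORENSICS_SG = "sg-0f0f0f0f0f0f0f0f0"
STRICT_QUARANTINE = {
    "GroupId": "sg-0a0a0a0a0a0a0a0a0", "GroupName": "Arpio Quarantine",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "UserIdGroupPairs": [{"GroupId": FORENSICS_SG}]}],
    "IpPermissionsEgress": [],
}
# Same intent, but the default allow-all egress rule was never removed.
LEAKY_QUARANTINE = dict(STRICT_QUARANTINE, GroupId="sg-0b0b0b0b0b0b0b0b0",
                        IpPermissionsEgress=[{"IpProtocol": "-1",
                                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
GROUPS = {g["GroupId"]: g for g in (STRICT_QUARANTINE, LEAKY_QUARANTINE)}

ISOLATED_INSTANCE = {"InstanceId": "i-0123456789abcdef0",
                     "SecurityGroups": [{"GroupId": STRICT_QUARANTINE["GroupId"]}]}
# Quarantine group appended instead of replacing the app group: not isolated.
APPENDED_INSTANCE = {"InstanceId": "i-0fedcba9876543210",
                     "SecurityGroups": [{"GroupId": STRICT_QUARANTINE["GroupId"]},
                                        {"GroupId": "sg-0c0c0c0c0c0c0c0c0"}]}
LEAKY_INSTANCE = {"InstanceId": "i-0abcdef0123456789",
                  "SecurityGroups": [{"GroupId": LEAKY_QUARANTINE["GroupId"]}]}

if __name__ == "__main__":
    checks = [(ISOLATED_INSTANCE, STRICT_QUARANTINE["GroupId"]),
              (APPENDED_INSTANCE, STRICT_QUARANTINE["GroupId"]),
              (LEAKY_INSTANCE, LEAKY_QUARANTINE["GroupId"])]
    for inst, quarantine_id in checks:
        ok, why = instance_is_isolated(inst, GROUPS, quarantine_id, FORENSICS_SG)
        print(f"{inst['InstanceId']}: {'OK' if ok else 'NOT ISOLATED'} ({why})")
```

The check that only the quarantine group is attached is the important one: security groups are permissive and additive, so leaving an application group on the instance alongside the quarantine group silently reopens it. That is why the failover replaces the usual groups rather than adding to them.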

If you enabled Ransomware Recovery but elected not to run the GuardDuty malware scan, quarantined resources will show a status of QUARANTINED instead of OK once the failover is complete.

GuardDuty Malware Scan

If you chose to run a GuardDuty Malware Scan during your ransomware recovery, Arpio initiates an Amazon GuardDuty malware scan on each quarantined resource. The scan searches the files on the storage attached to the resource for known malware and indicators of infection.

Once scanning is complete, each resource will show one of these statuses instead of QUARANTINED:

  • CLEAN - the GuardDuty scan found no problems with the resource.
  • INFECTED - GuardDuty found suspicious or known malware on the storage attached to the resource.
  • SCAN FAILED - GuardDuty was unable to complete a malware scan of the resource.


Investigating quarantined resources

The Arpio Quarantine Forensics security group in your recovery environment gives you network access to the quarantined instances. To use it, add this security group to your forensics hosts as an additional security group.

Researching malware scan results

Once the GuardDuty scan has completed, Arpio generates an Issue in the Arpio Console for each EC2 instance found to be infected. The Issue lists each malware type discovered and, under each type, the files infected with it. For more detail, check the GuardDuty console.

To see the details for an infected instance:

  • Find the instance ID in the recovery region and account.
  • Open the GuardDuty AWS console in that region and account.
  • Click "Malware scans" in the left navigation menu.
  • Find the most recent scan for your EC2 instance ID and select that row. For infected instances, a link in the upper right opens the malware findings; click it to see the list of findings.
  • Click the row (not the checkbox) of the finding you are interested in. AWS shows why it determined the EC2 instance was infected, including the potentially harmful files it found.
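The same "malware type with its infected files" view can be produced from the finding JSON directly, which is useful when several instances are infected and clicking through the console for each is slow. The following is an added example, not Arpio's code and not how Arpio builds its Issues. The findings are constructed with placeholder IDs, ARNs and hashes; their field names follow the GuardDuty finding JSON for Execution:EC2/MaliciousFile findings (service.ebsVolumeScanDetails.scanDetections.threatDetectedByName), which is what `aws guardduty get-findings` returns.

```python
"""Turn GuardDuty Malware Protection for EC2 findings into a per-instance
"malware type -> infected files" summary like the Issue described above.

Added example, not Arpio's code. The findings below are constructed with
placeholder IDs, ARNs and hashes; field names follow the GuardDuty finding
JSON for Execution:EC2/MaliciousFile findings.
"""
import json

SAMPLE_FINDINGS = json.loads('''[
 {"id": "11111111111111111111111111111111", "type": "Execution:EC2/MaliciousFile",
  "resource": {"resourceType": "Instance",
               "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
  "service": {"ebsVolumeScanDetails": {"scanId": "scan-placeholder-1",
   "scanDetections": {"threatDetectedByName": {
    "itemCount": 3, "uniqueThreatNameCount": 2, "shortened": false,
    "threatNames": [
     {"name": "EICAR-Test-File", "severity": "HIGH", "itemCount": 2,
      "filePaths": [
       {"filePath": "/tmp/eicar.com", "fileName": "eicar.com", "hash": "sha256-placeholder-a",
        "volumeArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-placeholder-1"},
       {"filePath": "/home/ec2-user/eicar.txt", "fileName": "eicar.txt", "hash": "sha256-placeholder-a",
        "volumeArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-placeholder-1"}]},
     {"name": "Trojan.Placeholder", "severity": "HIGH", "itemCount": 1,
      "filePaths": [
       {"filePath": "/opt/app/update.bin", "fileName": "update.bin", "hash": "sha256-placeholder-b",
        "volumeArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-placeholder-1"}]}
    ]}}}}},
 {"id": "22222222222222222222222222222222", "type": "Execution:EC2/MaliciousFile",
  "resource": {"resourceType": "Instance",
               "instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
  "service": {"ebsVolumeScanDetails": {"scanId": "scan-placeholder-2",
   "scanDetections": {"threatDetectedByName": {
    "itemCount": 40, "uniqueThreatNameCount": 1, "shortened": true,
    "threatNames": [
     {"name": "Ransom.Placeholder", "severity": "HIGH", "itemCount": 40,
      "filePaths": [
       {"filePath": "/var/www/html/index.php", "fileName": "index.php", "hash": "sha256-placeholder-c",
        "volumeArn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-placeholder-2"}]}
    ]}}}}}
]''')


def summarize_finding(finding):
    """Flatten one finding into {threat name -> [file paths]} plus metadata.
    Returns None for findings that are not EBS malware-scan results."""
    ebs = finding.get("service", {}).get("ebsVolumeScanDetails")
    if ebs is None:
        return None
    by_name = ebs.get("scanDetections", {}).get("threatDetectedByName", {})
    threats, truncated = {}, bool(by_name.get("shortened"))
    for threat in by_name.get("threatNames", []):
        paths = [fp["filePath"] for fp in threat.get("filePaths", [])]
        # itemCount is the number of infected files GuardDuty counted; it may
        # list fewer paths than that, so the console is needed for the rest.
        if threat.get("itemCount", len(paths)) > len(paths):
            truncated = True
        threats[threat["name"]] = paths
    return {"instance_id": finding["resource"]["instanceDetails"]["instanceId"],
            "finding_id": finding["id"], "scan_id": ebs.get("scanId"),
            "threats": threats, "truncated": truncated}


def issues_by_instance(findings):
    """One Issue per infected instance, merging all of its malware findings
    (a rescan or a second attached volume can each add one)."""
    issues = {}
    for finding in findings:
        s = summarize_finding(finding)
        if s is None:
            continue
        issue = issues.setdefault(s["instance_id"],
                                  {"threats": {}, "finding_ids": [], "truncated": False})
        issue["finding_ids"].append(s["finding_id"])
        issue["truncated"] = issue["truncated"] or s["truncated"]
        for name, paths in s["threats"].items():
            known = issue["threats"].setdefault(name, [])
            for path in paths:
                if path not in known:
                    known.append(path)
    return issues


def render_issue(instance_id, issue):
    """Text block: instance, then each malware type with its file sublist."""
    lines = [f"{instance_id}: {len(issue['threats'])} malware type(s), "
             f"finding(s) {', '.join(issue['finding_ids'])}"]
    for name, paths in sorted(issue["threats"].items()):
        lines.append(f"  {name}: {len(paths)} file(s) listed")
        lines.extend(f"    {p}" for p in paths)
    if issue["truncated"]:
        lines.append("  NOTE: GuardDuty shortened this list; open the finding in the "
                     "GuardDuty console for the full set of files.")
    return "\n".join(lines)


if __name__ == "__main__":
    for instance_id, issue in issues_by_instance(SAMPLE_FINDINGS).items():
        print(render_issue(instance_id, issue))
```

The truncation flag is the detail to watch: GuardDuty caps the number of file paths it embeds in a finding, so a summary built only from the finding can undercount infected files. Treat a shortened list as a prompt to open the finding in the console, not as the complete inventory.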

For instances where the scan was skipped, the GuardDuty console provides a link to CloudWatch Logs. Click the link and run the suggested Logs Insights query; the returned log entries give the reasons the scan was skipped.

Unquarantine Resources

Once you are satisfied that one or more resources are safe to release, click the UNQUARANTINE button to open the unquarantine dialog. In this dialog you can select one, several, or all resources. Then click UNQUARANTINE in the dialog, and Arpio updates those resources' security group settings so that their network access is restored.

Infected or unscanned resources

If the malware scan reported that one of the selected resources was infected, or its scan failed, you can still release it from quarantine. You will be asked to confirm by typing "I understand" before Arpio releases the resource from quarantine.


Failback or Conclude Recovery

Once there are no more quarantined resources, Arpio shows the FAILBACK button again and you can fail back. You can also CONCLUDE RECOVERY at any time.

If EC2 instances are still using either of the Arpio quarantine security groups when you conclude a recovery, those groups will not be torn down (AWS does not delete a security group that is still attached to a network interface), and those instances stay isolated until you change their security groups yourself.