Automated Ransomware Recovery

How to recover your workload with Arpio following a Ransomware attack

When recovering from a ransomware attack, it is important to quickly quarantine resources that may be compromised and to identify the resources that are actually infected. Automated Ransomware Recovery is an Arpio Enterprise feature that quarantines resources when you fail over your environment and lets you release them from quarantine once you have verified them. In this article, we walk through how Arpio helps you recover safely from a ransomware attack, and how to use Arpio to quickly scan your recovered workload for malware.

Enabling Ransomware Recovery

Enabling ransomware recovery is as simple as checking the box Enable Ransomware Recovery in the Failover dialog.


Arpio will fail over all resources, including their data and configuration. For resources that can be quarantined (currently EC2 instances), Arpio replaces the instance's usual security groups with a single security group, called Arpio Quarantine, that restricts outbound access from the instance. This prevents a potentially compromised instance from reaching other parts of your application. Arpio also creates a second security group, called Arpio Quarantine forensics, which is granted network access to the quarantined instances while remaining isolated from them: the quarantine group's outbound restrictions still apply to the quarantined instances.

If you enabled Ransomware Recovery but chose not to run the GuardDuty malware scan, quarantined resources show a status of QUARANTINED instead of OK once the failover is complete.

GuardDuty Malware Scan

If you chose to run a GuardDuty Malware Scan during your ransomware recovery, resources are still quarantined as described above. In addition, Arpio initiates an AWS GuardDuty malware scan on each quarantined resource. The scan searches the files on the storage attached to the resource (its EBS volumes) for patterns of infection.

Once failover is complete, instead of the QUARANTINED status, the resources will show one of these statuses:

  • CLEAN - the GuardDuty scan found no problems with the resource
  • INFECTED - GuardDuty found suspicious or known malware on the storage attached to the resource.
  • SCAN FAILED - GuardDuty was unable to complete a malware scan on the resource.  


Investigating quarantined resources

The Arpio Quarantine forensics security group in your recovery environment is intended for your forensics hosts: attaching it gives them network access to the quarantined instances. Because access is granted through the forensics group rather than by editing each quarantined instance, you can give every forensics host access to every quarantined instance at once without modifying the security groups on the isolated instances. It also keeps Arpio in sole control of the security group list on the quarantined instances, free of any additions made during the investigation, so that the original set of groups can be reapplied faithfully when you unquarantine.

To use it, add this security group to your forensics hosts as an additional security group.  
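The two paragraphs above describe the posture the quarantine groups should leave behind: the quarantine group restricts outbound traffic, ingress comes only from the forensics group, and the quarantined instances carry only the quarantine group. The following is an added example, not Arpio's own code, that audits that posture offline. The data is constructed for the example: the dict keys follow the shape of boto3's ec2 describe_security_groups() and describe_instances() responses, but the group IDs, instance IDs and rules are invented, and the exact rules Arpio places in its groups are an assumption (the page says only that outbound access is restricted), so any egress rule is reported for review rather than treated as an error.

```python
"""Offline check of the quarantine posture the failover leaves behind.

Constructed sample data: dict keys mirror boto3's ec2.describe_security_groups()
and describe_instances() responses; IDs and rules are invented. Pass real
responses to the functions to audit a recovery account.
"""

QUARANTINE_GROUP_NAME = "Arpio Quarantine"
FORENSICS_GROUP_NAME = "Arpio Quarantine forensics"

# Constructed sample: the two groups as assumed to look after failover.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0quarantine0001",
        "GroupName": QUARANTINE_GROUP_NAME,
        # Ingress: only from the forensics group, nothing else.
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "PrefixListIds": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0forensics0002"}]},
        ],
        # Egress: no rules at all, so the instance cannot initiate anything.
        "IpPermissionsEgress": [],
    },
    {
        "GroupId": "sg-0forensics0002",
        "GroupName": FORENSICS_GROUP_NAME,
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        ],
    },
]

# Constructed sample instances in the recovery region.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111",
     "SecurityGroups": [{"GroupId": "sg-0quarantine0001"}]},
    {"InstanceId": "i-0bbb222",  # someone re-added the application group
     "SecurityGroups": [{"GroupId": "sg-0quarantine0001"},
                        {"GroupId": "sg-0app0000"}]},
    {"InstanceId": "i-0ccc333",  # not quarantined
     "SecurityGroups": [{"GroupId": "sg-0app0000"}]},
]}]}


def find_group(groups, name):
    """Return the security group with the given GroupName, or None."""
    return next((g for g in groups if g.get("GroupName") == name), None)


def rule_sources(rule):
    """Flatten one IpPermissions entry into (kind, value) pairs."""
    pairs = [("cidr", r["CidrIp"]) for r in rule.get("IpRanges", [])]
    pairs += [("cidr", r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
    pairs += [("prefix-list", r["PrefixListId"]) for r in rule.get("PrefixListIds", [])]
    pairs += [("group", r["GroupId"]) for r in rule.get("UserIdGroupPairs", [])]
    return pairs


def quarantine_findings(groups):
    """Deviations from the expected quarantine posture; an empty list means OK.

    Expected: the quarantine group has no egress rules and accepts ingress
    only from the forensics group.
    """
    quarantine = find_group(groups, QUARANTINE_GROUP_NAME)
    if quarantine is None:
        return [f"security group '{QUARANTINE_GROUP_NAME}' not found"]
    forensics = find_group(groups, FORENSICS_GROUP_NAME)
    findings = []
    if forensics is None:
        findings.append(f"security group '{FORENSICS_GROUP_NAME}' not found")
    for rule in quarantine.get("IpPermissionsEgress", []):
        for kind, value in rule_sources(rule):
            findings.append(f"quarantine group allows egress to {kind} {value} "
                            f"(protocol {rule['IpProtocol']}); review it")
    forensics_id = forensics["GroupId"] if forensics else None
    for rule in quarantine.get("IpPermissions", []):
        for kind, value in rule_sources(rule):
            if (kind, value) != ("group", forensics_id):
                findings.append(f"quarantine group allows ingress from {kind} "
                                f"{value}; expected only the forensics group")
    return findings


def quarantined_instances(describe_instances_response, quarantine_group_id):
    """Map each instance carrying the quarantine group to its *other* group IDs.

    Security group rules are additive: any extra group with egress rules
    re-opens the outbound path the quarantine group closed, so a non-empty
    list means the instance is not actually isolated.
    """
    result = {}
    for reservation in describe_instances_response["Reservations"]:
        for inst in reservation["Instances"]:
            ids = [sg["GroupId"] for sg in inst.get("SecurityGroups", [])]
            if quarantine_group_id in ids:
                result[inst["InstanceId"]] = [i for i in ids if i != quarantine_group_id]
    return result


if __name__ == "__main__":
    print(quarantine_findings(SAMPLE_SECURITY_GROUPS) or "quarantine groups look right")
    for instance_id, extras in quarantined_instances(SAMPLE_INSTANCES, "sg-0quarantine0001").items():
        print(instance_id, "isolated" if not extras else f"NOT isolated, extra groups: {extras}")
```

The second check is the one worth running during an investigation: because security group rules are a union, adding an instance's original application group back alongside Arpio Quarantine silently restores its outbound access. That is why the forensics group is attached to the forensics hosts rather than to the quarantined instances.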

Researching malware scan results

Once the GuardDuty scan has completed, Arpio generates an Issue in the Arpio Console for each EC2 instance found to be infected. The Issue lists the malware types discovered and, under each type, the files infected with it. For more detail, check the GuardDuty console.

For details on an infected instance:

  • Find the instance ID in the recovery region and account.
  • Open the GuardDuty console in that region and account.
  • Click "Malware scans" in the left navigation menu.
  • Find the most recent scan for your EC2 instance ID and select that row. For infected instances, a link in the upper right opens the malware findings for that scan. Click it to see the list of findings.
  • Click the row (not the checkbox) of the finding you are interested in, and AWS will show why it determined the EC2 instance was infected, including any potentially harmful files it found.

For instances where the scan was skipped, the GuardDuty console provides a link to CloudWatch. Follow the link and run the suggested Logs Insights query; the resulting log entries give the reasons the scan was skipped.
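The console steps above recover, per instance, the same malware-type-to-files breakdown that the Arpio Issue shows. As an added example (not Arpio's code and not an AWS sample), the block below produces that breakdown from GuardDuty finding objects. The finding is constructed for the example: its keys follow the shape of a GuardDuty GetFindings response for an Execution:EC2/MaliciousFile finding (Resource.InstanceDetails and Service.EbsVolumeScanDetails), but the IDs, ARNs, paths and hashes are invented, and the second threat name is illustrative rather than a real detection name.

```python
"""Summarise GuardDuty malware-scan findings per EC2 instance.

SAMPLE_FINDINGS is constructed for this example in the shape of a GuardDuty
GetFindings response; IDs, ARNs, paths and hashes are invented.
"""

MALWARE_FINDING_TYPE = "Execution:EC2/MaliciousFile"

VOL = "arn:aws:ec2:us-west-2:123456789012:volume/vol-0constructed"

SAMPLE_FINDINGS = [
    {
        "Id": "constructed-finding-1",
        "Type": MALWARE_FINDING_TYPE,
        "Severity": 8,
        "Resource": {"ResourceType": "Instance",
                     "InstanceDetails": {"InstanceId": "i-0aaa111"}},
        "Service": {"EbsVolumeScanDetails": {
            "ScanId": "constructed-scan-1",
            "ScanDetections": {
                "ScannedItemCount": {"Files": 48213, "TotalGb": 30, "Volumes": 1},
                "ThreatsDetectedItemCount": {"Files": 3},
                "ThreatDetectedByName": {
                    "ItemCount": 3, "UniqueThreatNameCount": 2, "Shortened": False,
                    "ThreatNames": [
                        {"Name": "EICAR-Test-File", "Severity": "HIGH", "ItemCount": 2,
                         "FilePaths": [
                             {"FilePath": "/home/app/uploads/eicar.com", "FileName": "eicar.com",
                              "VolumeArn": VOL, "Hash": "constructed-hash-1"},
                             {"FilePath": "/tmp/eicar.txt", "FileName": "eicar.txt",
                              "VolumeArn": VOL, "Hash": "constructed-hash-1"}]},
                        # Illustrative name, not a real detection signature.
                        {"Name": "Example.Illustrative.Dropper", "Severity": "MEDIUM", "ItemCount": 1,
                         "FilePaths": [
                             {"FilePath": "/var/tmp/.x/run.sh", "FileName": "run.sh",
                              "VolumeArn": VOL, "Hash": "constructed-hash-2"}]},
                    ]}}}},
    },
    # A finding of another type that the summary must ignore.
    {"Id": "constructed-finding-2", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0bbb222"}},
     "Service": {}},
]


def summarize_malware_finding(finding):
    """Return a per-instance summary for a malware finding, or None for other types."""
    if finding.get("Type") != MALWARE_FINDING_TYPE:
        return None
    details = finding["Service"]["EbsVolumeScanDetails"]
    detections = details["ScanDetections"]
    by_name = detections["ThreatDetectedByName"]
    threats = {}
    for threat in by_name["ThreatNames"]:
        threats[threat["Name"]] = {
            "severity": threat["Severity"],
            "files": [fp["FilePath"] for fp in threat["FilePaths"]],
        }
    return {
        "instance_id": finding["Resource"]["InstanceDetails"]["InstanceId"],
        "scan_id": details["ScanId"],
        "scanned_files": detections["ScannedItemCount"]["Files"],
        "truncated": by_name["Shortened"],  # GuardDuty shortened the list
        "threats": threats,
    }


def infected_instances(findings):
    """Instance ID -> summary, for every malware finding in the list."""
    out = {}
    for finding in findings:
        summary = summarize_malware_finding(finding)
        if summary:
            out[summary["instance_id"]] = summary
    return out


def format_summary(summary):
    """Render one summary the way the Arpio Issue groups it: type, then files."""
    lines = [f"{summary['instance_id']}: {len(summary['threats'])} malware type(s) "
             f"in {summary['scanned_files']} scanned files"]
    for name, info in summary["threats"].items():
        lines.append(f"  {name} [{info['severity']}]")
        lines.extend(f"    {path}" for path in info["files"])
    if summary["truncated"]:
        lines.append("  (list shortened by GuardDuty; open the finding for the rest)")
    return "\n".join(lines)


if __name__ == "__main__":
    for summary in infected_instances(SAMPLE_FINDINGS).values():
        print(format_summary(summary))
```

To run this against a real recovery account, fetch the findings with boto3's guardduty client: list_findings with a FindingCriteria that selects the Execution:EC2/MaliciousFile type, then get_findings for the returned IDs, and pass the Findings list to infected_instances. The "Shortened" flag matters during triage: when GuardDuty truncates the threat list, the console finding, not the summary, is the complete record.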

Unquarantine Resources

Once you are satisfied that one or more resources are safe to release, click the UNQUARANTINE button to open the unquarantine dialog. In this dialog you can select one, many, or all resources. Then click UNQUARANTINE in the dialog, and Arpio will reapply those resources' original security groups so that their network access is restored.

Infected or unscanned resources

If the malware scan indicated that one of the selected resources was infected with malware, or its scan failed, you can still release it from quarantine. Because this reconnects a resource that has not been verified clean, you will be asked to confirm by typing "I understand" before Arpio releases the resource from quarantine.


Failback or Conclude Recovery

Once no resources remain quarantined, Arpio shows the FAILBACK button again and you can fail back. You can also CONCLUDE RECOVERY at any time.

If EC2 instances are still using either of the Arpio quarantine security groups when you conclude a recovery, those groups will not be torn down; they remain in the recovery account until you detach them from the instances and delete them yourself.