Automated Ransomware Recovery

How to recover your workload with Arpio following a Ransomware attack

When recovering from a ransomware attack, it is important to quickly quarantine resources that may be compromised. Automated Ransomware Recovery is an Arpio Enterprise feature that allows you to quarantine and unquarantine resources when you failover your environment. In this article, we will walk through the process of recovering from a ransomware attack with Arpio.

Enabling Ransomware Recovery

Enabling ransomware recovery is as simple as checking the box Enable Ransomware Recovery in the Failover dialog.

Arpio will perform a failover of all resources, including their data and configuration. For resources that can be quarantined (currently EC2 instances), Arpio will replace the usual security groups with a security group (called Arpio Quarantine) that restricts outbound access from the EC2 instance. This prevents potentially compromised resources from impacting other parts of your application. Arpio also creates a second security group, called Arpio Quarantine forensics, which gives access to the quarantined instances but is insulated from them.

Once the failover is complete, quarantined resources will show a status of QUARANTINED instead of OK.

Investigating quarantined resources

The Arpio Quarantine forensics security group in your recovery environment gives your forensics hosts network access to the quarantined instances. It grants all of those hosts access to every quarantined machine at once, without modifying the security group on each isolated instance. It also lets Arpio manage the security group list on the quarantined instances itself, free of any additions that might otherwise be made during an investigation, so that the original set of groups can be reapplied faithfully upon unquarantine.

To use it, add this security group to your forensics hosts as an additional security group.
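Before treating a quarantined instance as safely isolated, it is worth verifying that the two security groups described above actually enforce the isolation the article describes. The following check is an added example, not Arpio's code: it walks security-group data in the dict shape that boto3's describe_instances and describe_security_groups return (constructed sample data stands in for the API calls), and the invariants it tests are an assumption drawn from the description (the quarantine group has no egress except to the forensics group, accepts ingress only from the forensics group, and the forensics group accepts nothing from the quarantine group).

```python
QUARANTINE_SG = "Arpio Quarantine"
FORENSICS_SG = "Arpio Quarantine forensics"

# Constructed sample data in the shape boto3's describe_instances and
# describe_security_groups return; it stands in for a real API call.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0constructed",
    "SecurityGroups": [{"GroupId": "sg-quar", "GroupName": QUARANTINE_SG}],
}
SAMPLE_GROUPS = {
    "sg-quar": {  # quarantine group: ingress only from forensics, no egress (assumed)
        "GroupName": QUARANTINE_SG,
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-for"}]}],
        "IpPermissionsEgress": [],
    },
    "sg-for": {  # forensics group: reaches quarantine, accepts nothing back (assumed)
        "GroupName": FORENSICS_SG,
        "IpPermissions": [],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [],
                                 "UserIdGroupPairs": [{"GroupId": "sg-quar"}]}],
    },
}

def _peer_groups(rules):
    """Security-group ids referenced by a list of rules."""
    return {p["GroupId"] for r in rules for p in r.get("UserIdGroupPairs", [])}

def _opens_cidr(rules):
    """True if any rule opens a CIDR range rather than a group reference."""
    return any(r.get("IpRanges") or r.get("Ipv6Ranges") for r in rules)

def isolation_findings(instance, groups):
    """Return findings (strings) against the assumed isolation invariants; empty means isolated."""
    by_name = {g["GroupName"]: gid for gid, g in groups.items()}
    quar, foren = by_name.get(QUARANTINE_SG), by_name.get(FORENSICS_SG)
    if quar is None or foren is None:
        return ["quarantine or forensics security group not found in the recovery account"]
    findings = []
    attached = {g["GroupId"] for g in instance["SecurityGroups"]}
    if attached != {quar}:
        findings.append(f"{instance['InstanceId']}: attached groups {sorted(attached)} are not exactly the quarantine group")
    q = groups[quar]
    if _opens_cidr(q["IpPermissionsEgress"]) or _peer_groups(q["IpPermissionsEgress"]) - {foren}:
        findings.append("quarantine group allows egress to something other than the forensics group")
    if _opens_cidr(q["IpPermissions"]) or _peer_groups(q["IpPermissions"]) - {foren}:
        findings.append("quarantine group accepts ingress from something other than the forensics group")
    if quar in _peer_groups(groups[foren]["IpPermissions"]):
        findings.append("forensics group accepts ingress from the quarantine group, so forensics hosts are not insulated")
    return findings
```

Any non-empty result means the instance should not yet be treated as contained, regardless of the QUARANTINED status shown in the console.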

Unquarantine Resources

Once you are satisfied that one or more resources are safe to unquarantine, you can click the UNQUARANTINE button to open the Unquarantine dialog. In this dialog you can select one, many, or all resources. Then, click UNQUARANTINE in the dialog, and Arpio will modify those resources so that their network access is restored.

Failback or Conclude Recovery

Once there are no more quarantined resources, Arpio will show the FAILBACK button again, and you will be able to fail back. You can also CONCLUDE RECOVERY at any time.

If EC2 instances are still using either of the Arpio quarantine security groups when you conclude a recovery, those groups will not be torn down.