‘You can run your production workloads in the public cloud, while your primary infrastructure is being fully recovered. It’s all automated. You don’t have to think about ransomware recovery through the lens of just storage appliances,’ VMware President Sumit Dhawan tells the crowd at VMware Explore.
Fileless ransomware attacks that hide in application memory to avoid detection are part of a growing family of malware that may have met its match with VMware.
VMware President Sumit Dhawan took to the VMware Explore stage to tell attendees that they no longer had to think about ransomware recovery only from the perspective of storage appliances.
“Today we are extending it by giving you the ability to have options for public cloud,” he said. “And you can run your production workloads in the public cloud, while your primary infrastructure is being fully recovered. It’s all automated. You don’t have to think about ransomware recovery through the lens of just storage appliances. This is an ability that is completely unique in the market.”
The move drew immediate praise from partners at the event, which is being held this week in Las Vegas.
“A lot of traditional ransomware solutions are based on an assumption that they are file-based attacks,” said Chris Woodin, vice president of solutions and alliances at Softchoice, the $2.2 billion solution provider powerhouse. “Hackers have gotten around that. Ransomware attacks are occurring in a fileless attack vector, and VMware’s announcement around ransomware recovery overcomes this new vector and defends against these fileless attacks.”
VMware CEO Raghu Raghuram told CRN in an interview ahead of VMware Explore that VMware is the only company that can handle an entire ransomware event through to recovery.
“The reason we were able to do that is we can continuously protect and detect these attacks, but also recover the partner in the cloud, then through the magic of NSX we make sure they are in an isolated environment while we extrude the attack and recover the customers’ environment and then bring it back,” he said. “Nobody else can do this full move.”
Fileless malware variants such as Frodo and The Dark Avenger hide inside the memory of applications, according to threat researchers at Fortinet. The applications used are often essential to business processes and can have higher-level permissions. Once the malware has gained access, it executes code from the memory, not from within an app. A second form of fileless attack uses the Windows registry to execute commands, avoiding detection by having a Windows process carry out the attack.
Woodin said what is encouraging about using VMware to defend against these intrusions is that most users already have the infrastructure they need to run VMware ransomware recovery. That should make the overall environment tougher for criminals.
“It’s embedded in VMware infrastructure that hundreds of thousands of customers are using,” Woodin said. “Now they can easily start to adopt these new ransomware recovery solutions within the infrastructure, and the tools they already have.”
VMware said it uses behavioral analysis of powered-on virtual machines in cloud-based isolated recovery environments, which has been shown to resolve unplanned downtime as much as 75 percent faster.
Raghuram said VMware has been working on this since it acquired Datrium in 2020. Datrium was founded in 2012 and partnered with VMware in offering end-to-end disaster recovery for workloads in VMware Cloud on AWS. It focused on reducing the cost and complexity of disaster recovery.
For Softchoice, which has to guard its own data as well as its customers’ data, fileless ransomware presents a unique challenge. Woodin said this advancement from VMware is timely and welcome.
“We’ve been talking about ransomware for years,” Woodin said. “The reality is the way that ransomware attacks are occurring is completely different in 2023 than they were. VMware’s announcements are responding to the way these attacks are being launched today.”