Best practices: Manage ransomware threats on vSphere VMs
If a potential ransomware threat is detected during a vSphere backup, you can view the backup log to see which VM or VMs might have a potential threat. You can then sign in to each VM that has a potential threat to investigate whether it is infected with ransomware.
If VMs in the backup job are not infected with ransomware, clear the potential threat warning from the backup job. See Manage potential ransomware threats.
If one or more VMs in the backup job are infected with ransomware, we recommend the following:
- Restore each infected VM from a backup that was created before the VM was infected with ransomware. During a restore, the Restore dialog box shows which safesets and VMs have potential ransomware threats. See Restore vSphere VMs.
  If you deleted the infected VM from the vSphere environment before restoring it (as recommended in Step <paranum>), the restored VM replaces the deleted VM and you do not need to add the restored VM to a backup job. If you did not delete the infected VM from the vSphere environment, the restored VM will have a new name and will not be included in a backup job unless you add it.
- Delete the backup (safeset) with one or more infected VMs from the vault so VMs with potential threats cannot be restored. When you delete a safeset, the Delete Backup dialog box shows which safesets have potential ransomware threats. See Delete specific backups from vaults.
- Clear the potential threat warning from the backup job. See Manage potential ransomware threats.
  If you do not clear the potential threat warning from a job, VMs in the backup job will not be scanned for ransomware in subsequent backups but will still be flagged as having a potential ransomware threat.
- Synchronize the backup job with the vault. See Synchronize a job.