Skip to main content
BlueXP ransomware protection

Recover from a ransomware attack (after incidents are neutralized)

Contributors amgrissino
PDFs

After workloads have been marked "Ready for recovery", BlueXP ransomware protection recommends a recovery point actual (RPA) and orchestrates the workflow for a crash-resistant recovery.

View workloads that are ready to be restored

Review the workloads that are in the "Restore needed" recovery status.

Steps

  1. Do one of the following:

    • From the Dashboard, review the "Restore needed" totals in the Alerts pane and select View all.

    • From the menu, select Recovery.

  2. Review the workload information in the Recovery page.

    Recovery page

Recover a workload

Using BlueXP ransomware protection, the storage administrator can determine how best to recover workloads either from the recommended restore point or their preferred restore point.

The security storage admin can recover data at different levels:

  • Recovery all volumes

  • Recover an application at the volume level or file and folder level.

  • Recover a file share at the volume level, directory, or file/folder level.

  • Recover from a datastore at a VM level.

The process differs slightly depending on the workload type.

Steps

  1. From the BlueXP ransomware protection menu, select Recovery.

  2. Review the workload information in the Recovery page.

  3. Select a workload that is in the “Restore needed” state.

  4. To restore, select Restore.

  5. Restore scope: Select the type of restore you want to complete:

    • All volumes

    • By volume

    • By file: You can specify a folder or single files to restore.

      Tip You can select up to 100 files or a single folder.

  6. Continue with one of the following procedures depending on whether you chose application, volume, or file.

Restore all volumes

  1. On the Restore page, in the Restore scope, select All volumes.

    Restore by all volumes page

  2. Source: Select the down arrow next to Source to see details.

    1. Select the restore point that you want to use to restore the data.

      Tip BlueXP ransomware protection identifies the best restore point as the latest backup just before the incident and shows a “Safest for all volumes" indication. This means that all volumes will be restored to a copy prior to the first attack on the first volume detected.

  3. Destination: Select the down arrow next to Destination to see details.

    1. Select the working environment.

    2. Select the Storage VM.

    3. Select the aggregate.

    4. Change the volume prefix that will be prepended to all new volumes.

      Tip The new volume name appears as prefix + original volume name + backup name + backup date.

  4. Select Save.

  5. Select Next.

  6. Review your selections.

  7. Select Restore.

  8. From the top menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.

Restore an application workload at the volume level

  1. On the Restore page, in the Restore scope, select By volume.

    Restore by volume page

  2. On the list of volumes, select the volume you want to restore.

  3. Source: Select the down arrow next to Source to see details.

    1. Select the restore point that you want to use to restore the data.

      Tip BlueXP ransomware protection identifies the best restore point as the latest backup just before the incident and shows a “Recommended” indication.

  4. Destination: Select the down arrow next to Destination to see details.

    1. Select the working environment.

    2. Select the Storage VM.

    3. Select the aggregate.

    4. Review the new volume name.

      Tip The new volume name appears as the original volume name + backup name + backup date.

  5. Select Save.

  6. Select Next.

  7. Review your selections.

  8. Select Restore.

  9. From the top menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.

Restore an application workload at the file level

  1. On the Restore page, in the Restore scope, select By file.

  2. On the list of volumes, select the volume you want to restore.

  3. Source: Select the down arrow next to Source to see details.

    1. Select the restore point that you want to use to restore the data.

      Tip BlueXP ransomware protection identifies the best restore point as the latest backup just before the incident and shows a “Recommended” indication.

    2. Select up to 100 files or a single folder to restore.

  4. Destination: Select the down arrow next to Destination to see details.

    1. Choose where to restore the data: original source location or an alternate location that you can specify.

      Tip While the original files or directory will be overwritten by the restored data, the original file and folder names will remain the same unless you specify new names.

    2. Select the working environment.

    3. Select the Storage VM.

    4. Optionally, enter the path.

      Tip If you don't specify a path for the restore, the files will be restored to a new volume at the top-level directory.

    5. Select whether you want the names of the restored files or directory to be the same names as the current location or different names.

  5. Select Save.

  6. Select Next.

  7. Review your selections.

  8. Select Restore.

  9. From the top menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.

Restore a file share or datastore at the volume or file level

  1. After selecting a file share or datastore to restore, on the Restore page, in the Restore scope, select By volume or By file.

    Recovery page showing file share recovery

  2. On the list of volumes, select the volume you want to restore.

  3. Source: Select the down arrow next to Source to see details.

    1. Select the restore point that you want to use to restore the data.

      Tip BlueXP ransomware protection identifies the best restore point as the latest backup just before the incident and shows a “Recommended” indication.

  4. Destination: Select the down arrow next to Destination to see details.

    1. Choose where to restore the data: original source location or an alternate location that you can specify.

      Tip While the original files or directory will be overwritten by the restored data, the original file and folder names will remain the same unless you specify new names.

    2. Select the working environment.

    3. Select the Storage VM.

    4. Optionally, enter the path.

      Tip If you don't specify a path for the restore, the files will be restored to a new volume at the top-level directory.

  5. Select Save.

  6. Review your selections.

  7. Select Restore.

  8. From the menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.

Restore a VM file share at the VM level

On the Recovery page after you selected a VM to restore, continue with these steps.

  1. Source: Select the down arrow next to Source to see details.

    Recovery page showing a VM being restored

  2. Select the restore point that you want to use to restore the data.

  3. Destination: To original location.

  4. Select Next.

  5. Review your selections.

  6. Select Restore.

  7. From the menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.