Prevent ransomware spread with ONTAP automatic ransomware protection

Everyone knows that a ransomware attack is one of the top cybersecurity threats an organization can face. The potential damage is not just the direct associated recovery costs (which increased 241% between 2019 and 2020, according to Sophos); it’s also the impact on the company’s reputation and brand. Fortunately, NetApp has been helping our customers protect themselves from ransomware for years, in both detection and remediation. I covered this subject in my blog series, Fighting Ransomware. Today, our already strong protection capabilities are taking an additional leap forward with the announcement of the new anti-ransomware automatic detection feature in the latest release of NetApp^® ONTAP^® data management software.

Ransomware protection requires more than just detection, which is why ONTAP includes comprehensive recovery capabilities like a logical air gap and many others. You can learn about these remediation features in Fighting Ransomware, Part Six. In this blog, I’ll focus on detection and on recent innovations in ONTAP.

It’s important for ransomware detection to occur as early as possible so that you can prevent its spread and avoid costly downtime. However, an effective ransomware detection strategy should include more than a single layer of protection. A good analogy is the safety features of a vehicle for protection in a crash. You wouldn’t want to rely on a single feature, such as a seatbelt, to protect you in an accident. Air bags, antilock brakes, and even forward-collision warning are additional safety features that can result in a much better outcome. Ransomware protection should be viewed in the same way.

For example, NetApp FPolicy in combination with NetApp Cloud Insights, or similar capabilities from our partners, do an excellent job of detecting ransomware via user behavioral analytics (UBA). They look for potential ransomware attacks from the aspect of an individual user’s behavior. Hijacking a single user account is just one avenue a hacker might take when launching a ransomware attack; malicious actors are constantly evolving their attack techniques.

NetApp Active IQ^® and Active IQ Unified Manager also provide additional layers of detection for ransomware. Active IQ checks ONTAP systems for adherence to NetApp configuration best practices like enabling FPolicy. Active IQ Unified Manager generates alerts for abnormal growth of NetApp Snapshot™ copies or storage efficiency loss, which can indicate potential ransomware attacks.

This is where the new anti-ransomware feature in the latest release of ONTAP comes into play. It leverages built-in on-box machine learning (ML) that looks at volume workload activity plus data entropy to automatically detect ransomware. It keeps an eye out for activity that is different from UBA, so it may detect attacks that UBA does not. 

ONTAP anti-ransomware protection is provided as part of the Security and Compliance software bundle. Customers who already have the bundle only need to upgrade to the latest ONTAP version (9.10.1) to take advantage of the feature. It’s configurable via the ONTAP built-in management interface, System Manager, and is enabled on a per-volume basis.

The anti-ransomware feature starts off in learning mode. NetApp recommends a period of at least 30 days, so that the ML gets a chance to understand the typical workloads on the NAS volumes. Once anti-ransomware is put into active mode, it starts looking for the abnormal volume activity that might potentially be ransomware. 

If abnormal activity is detected, an automatic Snapshot copy is immediately taken, which  provides a restoration point as close as possible to the file infection. Simultaneously, an automatic alert is generated that allows administrators to see the abnormal file activity so that they can determine whether the activity is indeed malicious and take appropriate action. Or, if the activity was an expected workload, they can easily mark it as a false positive; the anti-ransomware ML notes the change in workload and no longer flags it as a potential attack. In addition, the feature does not disrupt I/O in any way. Instead, it provides administrators with native analytics, insights, and data recovery capabilities for unprecedented on-box ransomware detection. The anti-ransomware feature makes it easier than ever to enable automatic ransomware detection for your NAS workloads in ONTAP.

Two things are clear: Ransomware is a continuous threat that shows no signs of slowing down, and it must be dealt with in a holistic way. The methods that hackers use are only going to evolve in the future. That’s why NetApp is constantly evolving our ransomware protection capabilities  too! By adding additional layers of detection, you can be better prepared when a ransomware attack strikes. NetApp delivers a leading range of detection capabilities, such as the new on-box anti-ransomware machine learning with automatic alerting, in addition to automatic Snapshot copies, NetApp FPolicy, Cloud Insights, Active IQ and Active IQ Unified Manager.

Remember too that ransomware detection is just one part of an overall ransomware protection strategy that also includes recovery. ONTAP Snapshot and recovery capabilities, along with SnapLock^®, our logical air gap solution, are key to avoiding costly downtime, preventing damage to brand reputation, and avoiding paying the ransom.

You can learn more about the NetApp portfolio in the blog Power Your Ransomware Protection with NetApp.

For more detailed information about the comprehensive ransomware capabilities in ONTAP, check out my Fighting Ransomware blog series.