Cloud Volumes ONTAP

Improving protection against ransomware

Contributors netapp-driley netapp-rlithman

Ransomware attacks can cost a business time, resources, and reputation. BlueXP enables you to implement two NetApp solutions for ransomware: Protection from common ransomware file extensions and Autonomous Ransomware Protection (ARP). These solutions provide effective tools for visibility, detection, and remediation.

Protection from common ransomware file extensions

Available through BlueXP, the Ransomware Protection setting allows you to utilize the ONTAP FPolicy functionality to guard against common ransomware file extension types.

Steps
  1. On the Canvas page, double-click the name of the system for which you want to configure ransomware protection.

  2. On the Overview tab, click the Features panel and then click the pencil icon next to Ransomware Protection.

    A screenshot that shows the Ransomware Protection setting under the Features panel available in the top right of the Overview page when viewing a working environment.
  3. Implement the NetApp solution for ransomware:

    1. Click Activate Snapshot Policy, if you have volumes that do not have a Snapshot policy enabled.

      NetApp Snapshot technology provides the industry’s best solution for ransomware remediation. The key to a successful recovery is restoring from uninfected backups. Snapshot copies are read-only, which prevents ransomware corruption. They can also provide the granularity to create images of a single file copy or a complete disaster recovery solution.

    2. Click Activate FPolicy to enable ONTAP's FPolicy solution, which can block file operations based on a file's extension.

      This preventative solution improves protection from ransomware attacks by blocking common ransomware file types.

      The default FPolicy scope blocks files that have the following extensions:

      micro, encrypted, locked, crypto, crypt, crinf, r5a, XRNT, XTBL, R16M01D05, pzdc, good, LOL!, OMG!, RDM, RRK, encryptedRS, crjoker, EnCiPhErEd, LeChiffre

      Tip: BlueXP creates this scope when you activate FPolicy on Cloud Volumes ONTAP. The list is based on common ransomware file types. You can customize the blocked file extensions by using the vserver fpolicy policy scope commands from the Cloud Volumes ONTAP CLI.

      A screenshot that shows the Ransomware Protection page that is available from within a working environment. The screen shows the number of volumes without a Snapshot Policy and the ability to block ransomware file extensions.
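
Because the FPolicy scope matches on file extension alone, it is worth checking which existing file names the default list would cover before you activate or customize it (short entries such as good or RDM may also be used by legitimate applications). The following Python sketch is an added example, not NetApp code: it parses the default list above and audits a file listing against it. The sample paths are constructed, and the case-insensitive, last-extension-only matching is this script's own convention, not a statement of how ONTAP evaluates the scope.

```python
from collections import Counter
from pathlib import PurePosixPath

# Default FPolicy scope extensions, copied from the list on this page.
DEFAULT_BLOCKED = (
    "micro, encrypted, locked, crypto, crypt, crinf, r5a, XRNT, XTBL, "
    "R16M01D05, pzdc, good, LOL!, OMG!, RDM, RRK, encryptedRS, crjoker, "
    "EnCiPhErEd, LeChiffre"
)

# Constructed sample listing (for example, exported from a share inventory).
SAMPLE_PATHS = [
    "/vol1/finance/q3.xlsx",
    "/vol1/finance/q3.xlsx.locked",   # double extension: last one counts
    "/vol1/eng/build.LOL!",
    "/vol1/eng/locked.txt",           # 'locked' is the stem, not the extension
    "/vol1/vm/disk1.rdm",             # possible legitimate use of a listed extension
    "/vol1/home/notes.EnCiPhErEd",
    "/vol1/home/crypt",               # no dot, so no extension
]

def parse_extensions(csv_text):
    """Normalize a comma-separated extension list to a lowercase set."""
    return {e.strip().lstrip(".").lower() for e in csv_text.split(",") if e.strip()}

def final_extension(path):
    """Text after the last dot of the file name, lowercased.
    Names without a dot, and dotfiles such as '.locked', yield ''
    (a convention of this script)."""
    name = PurePosixPath(path).name
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot and stem else ""

def audit(paths, blocked):
    """Return (list of (path, extension) hits, Counter of hits per extension)."""
    hits = []
    for path in paths:
        ext = final_extension(path)
        if ext in blocked:
            hits.append((path, ext))
    return hits, Counter(ext for _, ext in hits)

if __name__ == "__main__":
    blocked = parse_extensions(DEFAULT_BLOCKED)
    hits, per_ext = audit(SAMPLE_PATHS, blocked)
    for path, ext in hits:
        print(f"{ext:12} {path}")
    print(dict(per_ext))
```

Review each hit with the data owner: a match is either a file worth investigating or an application whose extension should be taken out of the scope.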

Autonomous Ransomware Protection

Cloud Volumes ONTAP supports the Autonomous Ransomware Protection (ARP) feature, which performs analyses on workloads to proactively detect and warn about abnormal activity that might indicate a ransomware attack.

Separate from the file extension protections provided through the ransomware protection setting, the ARP feature uses workload analysis to alert the user to potential attacks based on detected “abnormal activity”. The ransomware protection setting and the ARP feature can be used together for comprehensive ransomware protection.

The ARP feature is available for use with BYOL licenses only (1 to 36 month terms) on both node-based and capacity-based licensing models. You must contact your NetApp sales representative to purchase a new, separate, add-on license for use with the ARP feature in Cloud Volumes ONTAP.

The ARP license is considered a "floating" license, which means it is not bound to a single Cloud Volumes ONTAP instance and can be applied to multiple Cloud Volumes ONTAP environments.

Note: The usage of the ARP feature with node-based Cloud Volumes ONTAP licenses is not currently reflected in Digital Wallet. The ability to view node-based ARP usage will be available under Digital Wallet in a future release.

After you purchase an add-on license and add it to the Digital Wallet, you can enable ARP on a per-volume basis with Cloud Volumes ONTAP. Charging for ARP is metered at the volume level, according to the total provisioned capacity of volumes with the ARP feature enabled. The minimum license capacity is 1TB. However, there is no minimum capacity charging for the ARP feature.

ARP enabled volumes have a designated state of "Learning mode" or "Active". Any volume with an ARP state of "Disabled" is excluded from charging. For example, a Cloud Volumes ONTAP environment with 30 TiB of provisioned capacity can elect to have only a subset of 15 TiB volumes with ARP enabled.

Configuration of ARP for volumes is performed through ONTAP System Manager and ONTAP CLI.

For more information on how to enable ARP with ONTAP System Manager and CLI, see Enable Autonomous Ransomware Protection.

Screenshot shows the add-on license for Autonomous Ransomware Protection.
Note: Support is not available for the use of licensed features without a license.