Skip to main content
Cloud Volumes ONTAP
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Improving protection against ransomware

Contributors netapp-driley netapp-manini netapp-rlithman

Ransomware attacks can cost a business time, resources, and reputation. BlueXP enables you to implement two NetApp solutions for ransomware: Protection from common ransomware file extensions and Autonomous Ransomware Protection (ARP). These solutions provide effective tools for visibility, detection, and remediation.

Protection from common ransomware file extensions

Available through BlueXP, the Ransomware Protection setting allows you to utilize the ONTAP FPolicy functionality to guard against common ransomware file extension types.

Steps
  1. On the Canvas page, double-click the name of the system you configure to ransomware protection.

  2. On the Overview tab, click the Features panel and then click the pencil icon next to Ransomware Protection.

    A screenshot that shows the Ransomware Protection setting under the Features panel available in the top right of the Overview page when viewing a working environment.
  3. Implement the NetApp solution for ransomware:

    1. Click Activate Snapshot Policy, if you have volumes that do not have a Snapshot policy enabled.

      NetApp Snapshot technology provides the industry’s best solution for ransomware remediation. The key to a successful recovery is restoring from uninfected backups. Snapshot copies are read-only, which prevents ransomware corruption. They can also provide the granularity to create images of a single file copy or a complete disaster recovery solution.

    2. Click Activate FPolicy to enable ONTAP's FPolicy solution, which can block file operations based on a file's extension.

      This preventative solution improves protection from ransomware attacks by blocking common ransomware file types.

      The default FPolicy scope blocks files that have the following extensions:

      micro, encrypted, locked, crypto, crypt, crinf, r5a, XRNT, XTBL, R16M01D05, pzdc, good, LOL!, OMG!, RDM, RRK, encryptedRS, crjoker, EnCiPhErEd, LeChiffre

      Tip BlueXP creates this scope when you activate FPolicy on Cloud Volumes ONTAP. The list is based on common ransomware file types. You can customize the blocked file extensions by using the vserver fpolicy policy scope commands from the Cloud Volumes ONTAP CLI.

      A screenshot that shows the Ransomware Protection page that is available from within a working environment. The screen shows the number of volumes without a Snapshot Policy and the ability to block ransomware file extensions.

Autonomous Ransomware Protection

Cloud Volumes ONTAP supports the Autonomous Ransomware Protection (ARP) feature, which performs analyses on workloads to proactively detect and warn about abnormal activity that might indicate a ransomware attack.

Separate from the file extension protections provided through the ransomware protection setting, the ARP feature uses workload analysis to alert the user on potential attacks based on detected “abnormal activity”. Both the ransomware protection setting and the ARP feature can be used in conjunction for comprehensive ransomware protection.

The ARP feature is available for use with bring your own license (BYOL) and marketplace subscriptions for your licenses at no additional cost.

ARP-enabled volumes have a designated state of "Learning mode" or "Active".

Configuration of ARP for volumes is performed through ONTAP System Manager and ONTAP CLI.

For more information on how to enable ARP with ONTAP System Manager and the ONTAP CLI, refer to Enable Autonomous Ransomware Protection.

Screenshot shows the add-on license for Autonomous Ransomware Protection.