Learn about BlueXP ransomware protection

Ransomware attacks can cost a business time, resources, and reputation. The BlueXP ransomware protection service enables you to view relevant information about cybersecurity and assess how resilient your organization is to a cyber attack. It also provides you with a list of alerts and remediations for making your data more secure.

Tip: The BlueXP ransomware protection service is currently a Beta offering.


BlueXP ransomware protection provides a single point of visibility and control for managing and refining data security across various working environments and infrastructure layers, so that you can better respond to threats as they occur. It currently provides several features that can help you with your cyberstorage protection efforts. Current features identify when:

  • Volumes in your working environments aren’t being protected by making periodic Snapshot copies.

  • Volumes in your working environments aren’t being protected by creating backups to the cloud using BlueXP backup and recovery.

  • Volumes in your working environments are being protected from modification and deletion on WORM storage by using ONTAP SnapLock technology. Learn more about SnapLock.

  • Data in your working environments and data sources aren’t being scanned using BlueXP classification to identify compliance and privacy concerns, and find optimization opportunities.

    This capability is also important from a ransomware protection perspective because it allows you to better understand where your important (sensitive, business critical) data is located so you can make sure you’re focusing your protection effort there.

  • Your most important categories of data aren’t being backed up in case you need to recover because of a ransomware attack.

  • An abnormal increase in the percentage of encrypted files in a working environment or data source has occurred.

    This can be an indicator that a ransomware attack has commenced on your network.

  • Sensitive data is found in files in a working environment or data source and the access permissions level is too high.

  • Users have been added to your Active Directory Domain Administrator Groups.

  • The ONTAP software version on your clusters is old and should be updated to provide the best protection and the newest security features.

  • NAS file system auditing is not enabled on your ONTAP systems.

    Enabling CIFS auditing generates auditing events for your system admins that track information such as folder permission changes, failed attempts to read or write files, and when files have been created, modified, or deleted.

  • On-box anti-ransomware features are not enabled on your ONTAP systems.

    The ONTAP anti-ransomware features proactively detect and warn about abnormal activity that might indicate a ransomware attack.

  • When ONTAP anti-ransomware is enabled on your systems, the number and type of ransomware incidents will appear as alerts.

  • The number of high, medium, and low security vulnerabilities that the BlueXP digital advisor tool has found on your ONTAP clusters.

    You can view the vulnerability and then follow the recommended action to resolve the issue.

When using Cloud Volumes ONTAP systems, there are some additional ransomware protections you can deploy directly from the working environment. See how to add additional protection against ransomware.

Supported working environments and data sources

BlueXP classification is a prerequisite to using the BlueXP ransomware protection service. After BlueXP classification is installed and activated, you can use BlueXP ransomware protection to see how resilient your data is to a cyber attack on the following types of working environments and data sources:

Working environments:

  • Cloud Volumes ONTAP (deployed in AWS, Azure, or GCP)

  • On-premises ONTAP clusters

  • Azure NetApp Files

  • Amazon FSx for ONTAP

  • Amazon S3

Data sources:

  • Non-NetApp file shares

  • Object storage (that uses S3 protocol)

  • Databases (Amazon RDS, MongoDB, MySQL, Oracle, PostgreSQL, SAP HANA, SQL Server)

  • OneDrive accounts

  • SharePoint Online and On-Premises accounts

  • Google Drive accounts

BlueXP ransomware protection also monitors your global Active Directory configuration if you have configured this in BlueXP classification.

How BlueXP ransomware protection works

At a high level, BlueXP ransomware protection works like this:

  1. BlueXP ransomware protection gathers information from your storage systems, BlueXP classification, BlueXP backup and recovery, and from other BlueXP and NetApp resources, to populate the BlueXP ransomware protection Dashboard.

  2. You use the BlueXP ransomware protection dashboard to get an overview of how well protected your systems are.

  3. You use the provided reporting tools to help in your cyberstorage protection efforts.

  4. After an attack, you use the BlueXP ransomware protection Recovery Dashboard to restore data to a safe state.


There is no separate cost for the BlueXP ransomware protection service during the Beta.