BlueXP ransomware protection

Conduct a ransomware attack readiness drill in BlueXP ransomware protection

Contributors amgrissino netapp-ahibbard

Run a ransomware attack readiness drill by simulating an attack on a new sample workload. Investigate the simulated attack and recover the workload. Use this feature to test alert notifications, response, and recovery. Run the drill as often as needed.

Tip Your real workload data is not impacted.

You can run readiness drills on NFS and CIFS (SMB) workloads.

Configure a ransomware attack readiness drill

Before you run a simulation, set up a drill on the Settings page. Access the Settings page from the Actions option in the top menu.

You will need to enter a user name and password for the following situations:

  • If user name or password changes occurred for the previously selected storage VM

  • If you select a different CIFS (SMB) storage VM

  • If you enter a different test workload name

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

Steps
  1. From the BlueXP ransomware protection menu, select the Run readiness drill button at the top right.

    Dashboard page showing the Run readiness drill button

  2. In the Readiness drill card on the Settings page, select Configure.

    BlueXP displays the Configure readiness drill page.

    Configure readiness drill page

  3. Do the following:

    1. Select the BlueXP Connector that you want to use for the readiness drill.

    2. Select a test working environment.

    3. Select a test storage SVM.

    4. If you selected a CIFS (SMB) storage VM, User name and Password fields appear. Enter the user name and password for the storage VM.

    5. Enter the name of a new test workload to be created. Do not include dashes in the name.

  4. Select Save.

Tip You can edit the readiness drill configuration later using the Settings page.

Start a readiness drill

After you configure the readiness drill, you can start the drill.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

When you start the readiness drill, BlueXP ransomware protection skips Learning mode and starts the drill in Active mode, so the detection status of the test workload is Active from the start.

Tip A workload normally shows a ransomware detection status of Learning mode when a detection policy has recently been assigned and the service is still scanning the workload to establish its baseline.

Steps
  1. Do one of the following:

    • From the BlueXP ransomware protection menu, select the Run readiness drill button at the top right.

      Dashboard page showing the Run readiness drill button

    • OR, from the Settings page, in the Readiness drill card, select Start.

  2. If the readiness drill is already configured, the drill begins as soon as you select Start. If it is not configured yet, configure it first as described above.

Note After the drill has started, you cannot edit the readiness drill configuration. You can reset it to start again.

Respond to a readiness drill alert

Test your readiness by responding to a readiness drill alert.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

    BlueXP displays the Alerts page. In the Alert ID column, you see "Readiness drill" next to the ID.

    Alerts page showing the readiness drill alert

  2. Select the alert with the "Readiness drill" indication. A list of incident alerts appears on the Alerts details page.

    Alerts details page showing the readiness drill alert

  3. Review the alert incidents.

  4. Select an alert incident.

    Incident page showing the readiness drill alert

Here are some things to look for:

  • Look at the Potential attack Type.

    If the Type indicates that a user is suspected of malicious activity, review the user name. You might want to investigate the user further in Data Infrastructure Insights Workload Security by selecting Investigate in Workload security.

  • Look at the file activity and suspected processes:

    • Look at the incoming detected data compared to the expected data.

    • Look at the creation rate of files that is detected compared to the expected rate.

    • Look at the file renaming rate that is detected compared to the expected rate.

    • Look at the deletion rate compared to the expected rate.

  • Look at the list of impacted files. Look at the file extensions involved; an unfamiliar extension added to many files is a typical sign of encryption by the attack.

  • Determine the impact and breadth of the attack by reviewing the number of impacted files and directories.
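The indicators above (observed versus expected rates, unfamiliar extensions, and the number of impacted files and directories) can be reproduced on a small file-activity log to see how an alert's numbers are derived. The following Python is an added example for this page, not NetApp's or BlueXP's detection code: the log lines are constructed, the line format ("timestamp op path bytes") is an assumption, and the EXPECTED baseline stands in for the rates that Learning mode would establish in a real deployment. The ×5 anomaly factor is also assumed.

```python
"""Triage a simulated ransomware incident from a constructed file-activity log.

Added example for illustration only; not BlueXP's detection algorithm.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample log (assumed format: "<seconds> <op> <path> <bytes>").
# Quiet activity for the first minute, then a burst of rename-to-.locked,
# deletion of backups, and ransom notes dropped into each directory.
SAMPLE_LOG = """\
0   create /share/finance/q1.xlsx 20480
30  write  /share/finance/q1.xlsx 4096
45  create /share/hr/roster.docx 10240
60  write  /share/finance/q1.xlsx 1048576
61  rename /share/finance/q1.xlsx.locked 0
62  write  /share/finance/q2.xlsx 1048576
63  rename /share/finance/q2.xlsx.locked 0
64  write  /share/hr/roster.docx 1048576
65  rename /share/hr/roster.docx.locked 0
66  write  /share/hr/payroll.pdf 1048576
67  rename /share/hr/payroll.pdf.locked 0
68  delete /share/finance/backup/q1.bak 0
69  delete /share/finance/backup/q2.bak 0
70  create /share/finance/README_RESTORE.txt 1024
120 create /share/hr/README_RESTORE.txt 1024
"""

# Assumed per-minute baseline ("expected") rates for this workload.
EXPECTED = {"create": 2.0, "rename": 0.2, "delete": 0.1, "incoming_bytes": 50_000.0}
# Assumed set of extensions normally present on the workload.
KNOWN_EXT = {".xlsx", ".docx", ".pdf", ".bak"}


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since window start
    op: str       # create | write | rename | delete
    path: str     # for rename, the new name
    nbytes: int   # bytes written (create/write), else 0


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, op, path, nbytes = line.split()
        events.append(Event(int(ts), op, path, int(nbytes)))
    return events


def rates_per_minute(events: list[Event]) -> dict[str, float]:
    """Observed create/rename/delete rate and incoming bytes per minute over the window."""
    if not events:
        return {}
    span_min = max(1, events[-1].ts - events[0].ts) / 60.0
    counts = Counter(e.op for e in events)
    incoming = sum(e.nbytes for e in events if e.op in ("create", "write"))
    return {
        "create": counts["create"] / span_min,
        "rename": counts["rename"] / span_min,
        "delete": counts["delete"] / span_min,
        "incoming_bytes": incoming / span_min,
    }


def flag_anomalies(observed: dict, expected: dict, factor: float = 5.0) -> dict[str, float]:
    """Metrics whose observed rate exceeds factor x expected, mapped to observed/expected."""
    return {k: observed[k] / expected[k]
            for k in expected if observed.get(k, 0.0) > factor * expected[k]}


def suspicious_extensions(events: list[Event], known: set[str]) -> Counter:
    """Count extensions on created/renamed files that the workload has not seen before."""
    seen: Counter = Counter()
    for e in events:
        if e.op in ("create", "rename"):
            ext = PurePosixPath(e.path).suffix.lower()
            if ext and ext not in known:
                seen[ext] += 1
    return seen


def impact(events: list[Event]) -> tuple[int, int]:
    """Breadth of the attack: distinct paths and directories touched by write/rename/delete."""
    touched = {e.path for e in events if e.op in ("write", "rename", "delete")}
    dirs = {str(PurePosixPath(p).parent) for p in touched}
    return len(touched), len(dirs)


def triage(text: str, expected=EXPECTED, known_ext=KNOWN_EXT) -> dict:
    """Run every check an analyst would apply to the readiness-drill alert."""
    events = parse_log(text)
    rates = rates_per_minute(events)
    return {
        "rates": rates,
        "anomalies": flag_anomalies(rates, expected),
        "new_extensions": suspicious_extensions(events, known_ext),
        "impact": impact(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the create rate stays at its baseline, but rename and delete rates are ten times expected, incoming bytes are about forty times expected, the only unfamiliar extensions are `.locked` (four files) and the `.txt` ransom notes, and ten paths in three directories are touched. Those are exactly the fields the Incident page asks you to compare, so an alert whose numbers look like this should be marked for restore rather than dismissed.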

Restore the test workload

After reviewing the readiness drill alert, restore the test workload if needed.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

Steps
  1. Return to the Alert details page.

  2. If the test workload should be restored, do the following:

    1. Select Mark restore needed.

    2. Review the confirmation, and select Mark restore needed in the confirmation box.

    3. From the BlueXP ransomware protection menu, select Recovery.

    4. Select the test workload marked with "Readiness drill" that you want to restore.

    5. Select Restore.

    6. In the Restore page, provide information for the restore:

      • Select the source snapshot copy.

      • Select the destination volume.

  3. In the restore Review page, select Restore.

    BlueXP displays the status of the Readiness drill restore as "In progress" on the Recovery page.

    After the restore is complete, BlueXP changes the status of the workload to Restored.

  4. Review the restored workload.

Tip For details about the restore process, see Recover from a ransomware attack (after incidents are neutralized).

Change the Alerts status after the readiness drill

After reviewing the readiness drill alert and restoring the workload, change the alert status if needed.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

Steps
  1. Return to the Alert details page.

  2. Select the alert again.

  3. Indicate the status by selecting Edit status and change the status to one of the following:

    • Dismissed: If you suspect that the activity is not a ransomware attack, change the status to Dismissed.

      Important After you dismiss an attack, you cannot change it back. If you dismiss the alert for a workload, all snapshot copies taken automatically in response to the potential ransomware attack are permanently deleted. If you dismiss the alert, the readiness drill is considered complete.

    • Resolved: The incident has been mitigated.

Review reports on the readiness drill

After the readiness drill is complete, you might want to review and save a report on the drill.

Required BlueXP role
Organization admin, Folder or project admin, Ransomware protection admin, or Ransomware viewer role. Learn about BlueXP access roles for all services.

Steps
  1. From the BlueXP ransomware protection menu, select Reports.

    Reports page showing the readiness drill report

  2. Select Readiness drills and Download to download the readiness drill report.