BlueXP ransomware protection

Simulate a ransomware attack by conducting a readiness drill

Contributors amgrissino

Conduct a ransomware readiness drill by simulating a ransomware attack on a newly created, sample workload. Then, investigate the simulated attack and recover the sample workload. This feature helps you know that you are prepared in the event of an actual ransomware attack by testing alert notification, response, and recovery processes. You can run a ransomware readiness drill multiple times.

Tip Your real workload data will not be impacted.

Configure a ransomware attack readiness drill

Before you conduct a simulation, you need to configure a drill by using the Settings page. You can easily access the Settings page from the Actions option near the top menu.

Steps
  1. From the BlueXP ransomware protection menu, select the vertical Actions … option at the top right.

  2. From the drop-down menu, select Readiness drill or Settings.

  3. In the Readiness drill card on the Settings page, select Configure.

    The Configure readiness drill page appears.

    Configure readiness drill page

  4. Select the BlueXP Connector that you want to use for the readiness drill.

  5. Select a test working environment.

  6. Enter the name of a new test workload to be created.

  7. Select Save.

Tip You can edit the readiness drill configuration later using the Settings page.

Start a readiness drill

After you configure the readiness drill, you can start the drill.

When you start the readiness drill, BlueXP ransomware protection skips the learning mode and starts the drill in active mode. The detection status of the workload is Active.

Tip A workload can have a ransomware detection Learning mode status that indicates a ransomware detection policy was recently assigned to the workload and the service is scanning workloads. A detection status of Active indicates that a ransomware detection protection policy is assigned.

Steps
  1. Do one of the following:

    • From the BlueXP ransomware protection Settings menu, select Readiness drill and then in the Readiness drill page, select Start.

    • OR, from the Settings page, in the Readiness drill card, select Start.

  2. If you have already configured the readiness drill, it begins as soon as you select Start.

Note After the drill has started, you cannot edit the readiness drill configuration. You can reset it to start again.

Respond to a readiness drill alert

Test your readiness by responding to a readiness drill alert.

Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

    The Alerts page appears. In the Alert ID column, "Readiness drill" appears next to the ID.

    Alerts page showing the readiness drill alert

  2. Select the alert with the "Readiness drill" indication. A list of incident alerts appears on the Alerts details page.

    Alerts details page showing the readiness drill alert

  3. Review the alert incidents.

  4. Select an alert incident.

    Incident page showing the readiness drill alert

Here are some things to look for:

  • Look at the Potential attack Type.

    If the Type indicates that a user is suspected of malicious activity, review the user name. You might want to investigate the user more in Data Infrastructure Insights Workload Security by selecting Investigate in Workload security.

  • Look at the file activity and suspected processes:

    • Compare the detected incoming data with the expected data.

    • Compare the detected file creation rate with the expected rate.

    • Compare the detected file renaming rate with the expected rate.

    • Compare the detected deletion rate with the expected rate.

  • Look at the list of impacted files, and note the file extensions that might indicate the attack.

  • Determine the impact and breadth of the attack by reviewing the number of impacted files and directories.
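The checks above can be carried out systematically. The following is an added example, not BlueXP code or data: it takes a constructed list of file events from the test workload and an assumed per-minute baseline, flags any activity rate (incoming bytes, creates, renames, deletes) that exceeds the expected rate by a chosen factor, and counts impacted files, directories, and extensions. The baseline values and the suspect extension list are constructed for the example.

```python
from collections import Counter
import os

# Constructed sample of file events on the drill's test workload (not real BlueXP
# alert data). Each entry: (seconds since window start, operation, path, bytes written).
SAMPLE_EVENTS = [
    (1, "create", "/data/finance/q1.xlsx.locked", 4096),
    (2, "rename", "/data/finance/q1.xlsx", 0),
    (3, "delete", "/data/finance/q1.xlsx", 0),
    (4, "create", "/data/finance/q2.xlsx.locked", 4096),
    (5, "rename", "/data/finance/q2.xlsx", 0),
    (6, "delete", "/data/finance/q2.xlsx", 0),
    (7, "create", "/data/hr/payroll.csv.locked", 8192),
    (8, "delete", "/data/hr/payroll.csv", 0),
    (9, "create", "/data/hr/notes.txt", 256),
    (30, "create", "/data/hr/report.txt", 512),
]

# Assumed per-minute "expected" rates, constructed for the example. In BlueXP the
# expected values come from the detection policy's learning period.
BASELINE = {"create": 1.0, "rename": 1.0, "delete": 0.5, "bytes": 16_384.0}

# Extensions chosen for the example only; not a BlueXP list.
SUSPECT_EXTENSIONS = {".locked", ".enc", ".crypt"}


def review_incident(events, baseline, window_s=60, ratio_threshold=3.0,
                    suspect=SUSPECT_EXTENSIONS):
    """Compare detected per-minute activity with the expected baseline and
    summarize the impact, mirroring the review checklist above."""
    minutes = window_s / 60.0
    ops = Counter(op for _, op, _, _ in events)
    detected = {op: ops[op] / minutes for op in ("create", "rename", "delete")}
    detected["bytes"] = sum(b for _, _, _, b in events) / minutes
    # Flag every metric whose detected rate is at least ratio_threshold times the expected rate.
    flagged = [k for k in detected
               if baseline[k] > 0 and detected[k] / baseline[k] >= ratio_threshold]
    impacted = {path for _, _, path, _ in events}
    extensions = Counter(os.path.splitext(p)[1] for p in impacted)
    return {
        "detected_per_min": detected,
        "flagged": flagged,
        "impacted_files": len(impacted),
        "impacted_dirs": len({os.path.dirname(p) for p in impacted}),
        "extension_counts": dict(extensions),
        "suspect_extensions": sorted(e for e in extensions if e in suspect),
    }
```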

Restore the test workload

After you have reviewed the readiness drill alert, you might want to restore the test workload.

Steps
  1. Return to the Alert details page.

  2. If the test workload should be restored, do the following:

    • Select Mark restore needed.

    • Review the confirmation, and select Mark restore needed in the confirmation box.

    • From the BlueXP ransomware protection menu, select Recovery.

    • Select the test workload marked with "Readiness drill" that you want to restore.

    • Select Restore.

    • In the Restore page, provide information for the restore:

      • Select the source snapshot copy.

      • Select the destination volume.

  3. In the restore Review page, select Restore.

    The Recovery page shows the status of the Readiness drill restore as "In progress".

    After the restore is complete, the status of the workload changes to Restored.

  4. Review the restored workload.

Tip For details about the restore process, see Recover from a ransomware attack (after incidents are neutralized).

Change the Alerts status after the readiness drill

After you have reviewed the readiness drill alert and restored the workload, you might want to change the status of the alert.

Steps
  1. Return to the Alert details page.

  2. Select the alert again.

  3. Indicate the status by selecting Edit status and change the status to one of the following:

    • Dismissed: If you suspect that the activity is not a ransomware attack, change the status to Dismissed.

      Important After you dismiss an attack, you cannot change it back. If you dismiss a workload, all snapshot copies taken automatically in response to the potential ransomware attack will be permanently deleted. If you dismiss the alert, the readiness drill is considered complete.

    • Resolved: The incident has been mitigated.

Review reports on the readiness drill

After the readiness drill is complete, you might want to review and save a report on the drill.

Steps
  1. From the BlueXP ransomware protection menu, select Reports.

    Reports page showing the readiness drill report

  2. Select Readiness drills and Download to download the readiness drill report.