Skip to main content
BlueXP ransomware protection

Respond to a detected ransomware alert

Contributors amgrissino

If BlueXP ransomware protection detects a possible attack, an alert appears on the BlueXP ransomware protection Dashboard and in the BlueXP Notifications in the upper right indicating a potential ransomware attack. The service also immediately initiates taking a Snapshot copy. At this point, you should look at the potential risk in the BlueXP ransomware protection Alerts tab.

You can dismiss false positives or decide to recover your data immediately.

Tip If you decide to dismiss the alert, the service will learn this behavior and associate it with normal operations and not initiate an alert on such a behavior again.

To begin to recover your data, mark the alert as ready for recovery so that your storage administrator can begin the recovery process.

Each alert could have multiple incidents on different volumes with different statuses, so be sure to look at all incidents.

The service provides information called evidence about what caused the alert to be issued, such as the following:

  • File extensions were created or changed

  • File creation occurred and increased by a listed percentage

  • File deletion occurred and increased by a listed percentage

An alert is based on the following types of behavior:

  • Potential attack: An alert occurs when Autonomous Ransomware Protection detects a new extension and the occurrence is repeated more than 20 times in the last 24 hours (default behavior).

  • Warning: A warning occurs based on the following behaviors:

    • Detection of a new extension has not been identified before and the same behavior does not repeat enough times to declare it as an attack.

    • High entropy is observed.

    • File read/write/rename/delete operations incurred a 100% surge in activity beyond the baseline.

Evidence is based on information from Autonomous Ransomware Protection in ONTAP. For details, refer to Autonomous Ransomware Protection overview.

An alert can have one of the following statuses:

  • New

  • Inactive

An alert incident is categorized in one of the following states:

  • New: All incidents are marked "new" when they are first identified.

  • Dismissed: If you suspect that the activity is not a ransomware attack, you can change the status to "Dismissed."

    Caution After you dismiss an attack, you cannot change this back. If you dismiss a workload, all Snapshot copies taken automatically in response to the potential ransomware attack will be permanently deleted.
  • Dismissing: The incident is in the process of being dismissed.

  • Resolved: The incident has been mitigated.

View alerts

You can access alerts from BlueXP ransomware protection Dashboard or from the Alerts tab.

Steps
  1. In the BlueXP ransomware protection Dashboard, review the Alerts pane.

  2. Select View all under one of the statues.

  3. Click on an alert to review all incidents on each volume for each alert.

  4. To review additional alerts, click on Alert in the breadcrumbs at the upper left.

  5. Review the alerts on the Alerts page.

    Alerts page

  6. Continue:

Mark ransomware incidents as ready for recovery (after incidents are neutralized)

After you have mitigated the attack and are ready to recover workloads, you should communicate with your storage admin team that the data is ready for recovery so that they can start the recovery process.

Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

    Alerts page

  2. In the Alerts page, select the alert.

  3. Review the incidents in the alert.

    Alert incidents page

  4. If you determine that the incidents are ready for recovery, select Mark restore needed.

  5. Confirm the action and select Mark restore needed.

  6. To initiate the workload recovery, select Recover workload in the message or select the Recovery tab.

Result

After the alert is marked for restore, the alert moves from the Alerts tab to the Recovery tab.

Dismiss incidents that are not potential attacks

After you review incidents, you need to determine whether the incidents are potential attacks. If not, they can be dismissed.

You can dismiss false positives or decide to recover your data immediately. If you decide to dismiss the alert, the service will learn this behavior and associate it with normal operations and not initiate an alert on such a behavior again.

If you dismiss a workload, all Snapshot copies taken automatically in response to the potential ransomware attack will be permanently deleted.

Caution If you dismiss an alert, you cannot change that status back to any other status and you cannot undo this change.
Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

    Alerts page

  2. In the Alerts page, select the alert.

    Alert incidents page

  3. Select one or more incidents. Or, select all incidents by selecting the Incident ID box at the top left of the table.

  4. If you determine that the incident is not a threat, dismiss it as a false positive:

    • If you selected one incident, select the Actions … icon on the right, select Edit status.

    • If you selected multiple incidents, select the Edit status button above the table.

      Alert Edit Status page

  5. From the Edit status box, select the “Dismissed” status.

    Additional information about the workload and which Snapshot copies will be deleted appears.

  6. Select Save.

    The status on the incident or incidents changes to “Dismissed.”

View a list of impacted files

Before you restore an application workload at the file level, you can view a list of impacted files. You can access the Alerts page to download a list of impacted files. Then use the Recovery page to upload the list and choose which files to restore.

Steps

Use the Alerts page to retrieve the list of impacted files.

Tip If a volume has multiple alerts, you might need to download the CSV list of impacted files for each alert.
  1. From the BlueXP ransomware protection menu, select Alerts.

  2. On the Alerts page, sort the results by workload to show the alerts for the application workload that you want to restore.

  3. From the list of alerts for that workload, select an alert.

  4. For that alert, select a single incident.

    list of impacted files for a specific alert

  5. For that incident, select the download icon and download the list of impacted files in CSV format.