
Handle detected ransomware alerts with BlueXP ransomware protection

Contributors amgrissino netapp-ahibbard

When BlueXP ransomware protection detects a possible attack, it shows an alert on the Dashboard and in the Notifications area. The service immediately takes a snapshot. Review the potential risk in the BlueXP ransomware protection Alerts tab.

If BlueXP ransomware protection detects a possible attack, a notification appears in the BlueXP Notifications and an email is sent to the configured address. The email includes information about the severity, the impacted workload, and a link to the alert in the BlueXP ransomware protection Alerts tab.

You can dismiss false positives or decide to recover your data immediately.

Tip If you dismiss the alert, the service learns this behavior, associates it with normal operations, and doesn't initiate an alert on it again.

To begin to recover your data, mark the alert as ready for recovery so that your storage administrator can begin the recovery process.

Each alert might include multiple incidents on different volumes and statuses. Review all incidents.

The service provides information called evidence about what caused the alert to be issued, such as the following:

  • File extensions were created or changed

  • File creation with a comparison of detected versus expected rates

  • File deletion with a comparison of detected versus expected rates

  • High levels of encryption (high entropy) observed without file extension changes

An alert is classified as one of the following:

  • Potential attack: An alert occurs when Autonomous Ransomware Protection detects a new extension and the occurrence is repeated more than 20 times in the last 24 hours (default behavior).

  • Warning: A warning occurs based on the following behaviors:

    • A new file extension that has not been identified before is detected, but the behavior does not repeat enough times to declare it an attack.

    • High entropy is observed.

    • File read, write, rename, or delete activity doubled compared to normal levels.

Note For SAN environments, warnings are only based on high entropy.

Evidence is based on information from Autonomous Ransomware Protection in ONTAP. For details, refer to Autonomous Ransomware Protection overview.
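The classification rules above, written out as a small triage function. This is an added illustration, not BlueXP or ONTAP code; the evidence fields, the zero-baseline handling and the alert-level rollup (an alert takes the highest severity among its incidents) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds taken from the rules described on this page (ARP default behavior).
NEW_EXT_ATTACK_THRESHOLD = 20   # new extension repeated more than this many times in 24 h
RATE_DOUBLING_FACTOR = 2.0      # read/write/rename/delete activity doubled vs. normal

@dataclass
class ArpEvidence:
    """Constructed summary of ARP evidence for one volume (field names are assumptions)."""
    volume: str
    protocol: str                      # "NAS" or "SAN"
    new_extension_seen: bool = False   # an extension not identified before
    new_extension_count_24h: int = 0   # occurrences in the last 24 hours
    high_entropy: bool = False         # incoming data looks encrypted
    expected_rates: dict = field(default_factory=dict)  # normal ops/s, e.g. {"rename": 2.0}
    detected_rates: dict = field(default_factory=dict)  # observed ops/s

def classify_alert(ev: ArpEvidence) -> tuple[Optional[str], list[str]]:
    """Return (classification, reasons): 'Potential attack', 'Warning' or None."""
    # Potential attack: a new extension repeated more than 20 times in the last 24 hours.
    if ev.new_extension_seen and ev.new_extension_count_24h > NEW_EXT_ATTACK_THRESHOLD:
        return "Potential attack", [
            f"new extension seen {ev.new_extension_count_24h} times in 24h"]

    reasons: list[str] = []
    if ev.high_entropy:
        reasons.append("high entropy")
    # SAN warnings are based on high entropy only; extension and rate evidence applies to NAS.
    if ev.protocol.upper() != "SAN":
        if ev.new_extension_seen:
            reasons.append(f"new extension seen {ev.new_extension_count_24h} times in 24h "
                           "(below attack threshold)")
        for op, expected in ev.expected_rates.items():
            detected = ev.detected_rates.get(op, 0.0)
            # Any activity against a zero baseline is treated as exceeding it (assumption).
            doubled = detected >= RATE_DOUBLING_FACTOR * expected if expected > 0 else detected > 0
            if doubled:
                reasons.append(f"{op} rate {detected:g}/s vs expected {expected:g}/s")
    return ("Warning", reasons) if reasons else (None, reasons)

SEVERITY = {None: 0, "Warning": 1, "Potential attack": 2}

def classify_incidents(evidences: list[ArpEvidence]) -> tuple[Optional[str], dict]:
    """Roll incidents up to one alert; the alert takes the highest incident severity (assumed)."""
    results = {ev.volume: classify_alert(ev) for ev in evidences}
    top = max((r[0] for r in results.values()), key=SEVERITY.get, default=None)
    return top, results
```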

An alert can have one of the following statuses:

  • New

  • Inactive

An alert incident can have one of the following states:

  • New: All incidents are marked "new" when they are first identified.

  • Dismissed: If you suspect that the activity is not a ransomware attack, you can change the status to "Dismissed."

    Caution After you dismiss an attack, you cannot change this back. If you dismiss a workload, all snapshot copies taken automatically in response to the potential ransomware attack will be permanently deleted.

  • Dismissing: The incident is in the process of being dismissed.

  • Resolved: The incident has been fixed.

  • Auto Resolved: For low priority alerts, the incident is automatically resolved if there has been no action taken on it within five days.

Tip If you configured a security information and event management (SIEM) system in BlueXP ransomware protection on the Settings page, the service sends alert details to your SIEM system.

View alerts

You can access alerts from the BlueXP ransomware protection Dashboard or from the Alerts tab.

Required BlueXP role
Organization admin, Folder or project admin, Ransomware protection admin, or Ransomware viewer role. Learn about BlueXP access roles for all services.

Steps
  1. In the BlueXP ransomware protection Dashboard, review the Alerts pane.

  2. Select View all under one of the statuses.

  3. Select an alert to review all incidents on each volume for each alert.

  4. To review additional alerts, select Alert in the breadcrumbs at the upper left.

  5. Review the alerts on the Alerts page.

    Alerts page

  6. Continue with one of the following:

Respond to an alert email

When BlueXP ransomware protection detects a potential attack, it sends an email notification to the subscribed users based on their subscription notification preferences. The email contains information about the alert, including the severity and resources impacted.

You can receive email notifications for BlueXP ransomware protection alerts. This feature helps you to stay informed about alerts, their severity, and resources impacted.

Tip To subscribe to email notifications, refer to Set email notification settings.

  1. In BlueXP ransomware protection, go to the Settings page.

  2. Under Notifications, locate the email notification settings.

  3. Enter the email address where you want to receive alerts.

  4. Save your changes.

You will now receive email notifications when new alerts are generated.

Required BlueXP role
Organization admin, Folder or project admin, Ransomware protection admin, or Ransomware viewer role. Learn about BlueXP access roles for all services.

Steps
  1. View the email.

  2. In the email, select View alert and log in to BlueXP ransomware protection.

    The Alerts page appears.

  3. Review all incidents on each volume for each alert.

  4. To review additional alerts, click on Alert in the breadcrumbs at the upper left.

  5. Continue with one of the following:

Detect malicious activity and anomalous user behavior

Looking at the Alerts tab, you can identify whether there is malicious activity.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

What details appear?
The details that appear depend on how the alert was triggered:

  • Triggered by the Autonomous Ransomware Protection feature in ONTAP. This detects malicious activity based on the behavior of the files in the volume.

  • Triggered by Data Infrastructure Insights Workload security. This requires a license for Data Infrastructure Insights Workload security and that you enable it in BlueXP ransomware protection. This feature detects anomalous user behavior in your storage workloads and enables you to block that user from further access.

    To enable Workload security in BlueXP ransomware protection, go to the Settings page and select the Workload security connection option.

    For an overview of Data Infrastructure Insights Workload security, review About Workload security.

Tip If you don't have a license for Data Infrastructure Insights Workload security and don't enable it in BlueXP ransomware protection, you won't see the anomalous user behavior information.

When malicious activity occurs, an alert is generated and an automated snapshot is taken.

View malicious activity from Autonomous Ransomware Protection only

When Autonomous Ransomware Protection triggers an alert in BlueXP ransomware protection, you can view the following details:

  • Entropy of incoming data

  • Expected creation rate of new files compared to detected rate

  • Expected deletion rate of files compared to detected rate

  • Expected rename rate of files compared to detected rate

  • Impacted files and directories

Note These details are viewable for NAS workloads. For SAN environments, only the entropy data is available.

Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

  2. Select an alert.

  3. Review the incidents in the alert.

    Alert incidents page

  4. Select an incident to review the details of the incident.

View anomalous user behavior in Data Infrastructure Insights Workload security

When Data Infrastructure Insights Workload security triggers an alert in BlueXP ransomware protection, you can view the suspicious user, block the user, and investigate the user activity directly in Data Infrastructure Insights Workload security.

Tip These features are in addition to the details available from just Autonomous Ransomware Protection.

Before you begin

This option requires a license for Data Infrastructure Insights Workload security and that you enable it in BlueXP ransomware protection.

To enable Workload security in BlueXP ransomware protection, do the following:

  1. Go to the Settings page.

  2. Select the Workload Security connection option.

Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

  2. Select an alert.

  3. Review the incidents in the alert.

    Alert incidents page showing Workload Security details

  4. To block a suspected user from further access in your environment that is monitored by BlueXP, select the Block user link.

  5. Research the alert or an incident in the alert:

    1. To research the alert further in Data Infrastructure Insights Workload security, select the Investigate in Workload security link.

    2. Select an incident to review the details of the incident.

      Data Infrastructure Insights Workload Security opens in a new tab.

      Investigate in Workload Security

Mark ransomware incidents as ready for recovery (after incidents are neutralized)

After stopping the attack, notify your storage administrator that the data is ready so they can start recovery.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

    Alerts page

  2. In the Alerts page, select the alert.

  3. Review the incidents in the alert.

    Alert incidents page

  4. If you determine that the incidents are ready for recovery, select Mark restore needed.

  5. Confirm the action and select Mark restore needed.

  6. To initiate the workload recovery, select Recover workload in the message or select the Recovery tab.

Result

After the alert is marked for restore, the alert moves from the Alerts tab to the Recovery tab.

Dismiss incidents that are not potential attacks

After you review the incidents, determine whether they are potential attacks. Incidents that are not potential attacks can be dismissed.

You can dismiss false positives or decide to recover your data immediately. If you dismiss the alert, the service learns this behavior, associates it with normal operations, and doesn't initiate an alert on such a behavior again.

If you dismiss a workload, all snapshot copies taken automatically in response to a potential ransomware attack are permanently deleted.

Caution If you dismiss an alert, you cannot change that status back to any other status and you cannot undo this change.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

Steps
  1. From the BlueXP ransomware protection menu, select Alerts.

    Alerts page

  2. In the Alerts page, select the alert.

    Alert incidents page

  3. Select one or more incidents. Or, select all incidents by selecting the Incident ID box at the top left of the table.

  4. If you determine that the incident is not a threat, dismiss it as a false positive:

    • Select the incident.

    • Select the Edit status button above the table.

      Alert Edit Status page

  5. From the Edit status box, select the “Dismissed” status.

    Additional information about the workload appears, along with a reminder that the snapshot copies will be deleted.

  6. Select Save.

    The status on the incident or incidents changes to “Dismissed.”

View a list of impacted files

Before you restore an application workload at the file level, you can view a list of impacted files. You can access the Alerts page to download a list of impacted files. Then use the Recovery page to upload the list and choose which files to restore.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about BlueXP access roles for all services.

Steps

Use the Alerts page to retrieve the list of impacted files.

Tip If a volume has multiple alerts, you might need to download the CSV list of impacted files for each alert.

  1. From the BlueXP ransomware protection menu, select Alerts.

  2. On the Alerts page, sort the results by workload to show the alerts for the application workload that you want to restore.

  3. From the list of alerts for that workload, select an alert.

  4. For that alert, select a single incident.

    list of impacted files for a specific alert

  5. For that incident, select the download icon and download the list of impacted files in CSV format.