Skip to main content
NetApp Ransomware Resilience

Conduct a ransomware attack readiness drill in NetApp Ransomware Resilience

Contributors netapp-ahibbard amgrissino

Run a ransomware attack readiness drill in NetApp Ransomware Resilience to test your readiness for a real ransomware attack. With the readiness drill, Ransomware Resilience simulates an attack on a new sample workload, allowing you to investigate the simulated attack and perform a recovery without impacting your real production data. The readiness drill helps familiarize you with alert notifications and prepare you for response and recovery. You can run the drill as frequently as you need.

You can run readiness drills on NFS and CIFS (SMB) workloads.

How readiness drills work

Ransomware Resilience supports three types of drills: clean restore, custom recovery, and data breach recovery. Clean restore and custom recovery drills simulate encryption (entropy)-based attacks and differ in the recovery method that they offer. Data breach recovery drills simulate exfiltration with unusual read patterns on your data.

When you configure a readiness drill, Ransomware Resilience creates a test volume, applies ransomware protection with a snapshot policy to the volume, validates connectivity, mounts the volume, copies baseline data, unmounts the volume, and creates a baseline snapshot.

When you initiate the drill, Ransomware Resilience mounts the volume then simulates a ransomware attack. If the readiness drill is for custom recovery or clean restore, the baseline data of the test volume is replaced with file extensions known to be ransomware and encrypted/entropy-modified files. For a data breach recovery drill, files are not replaced; instead, Ransomware Resilience mimics an attacker systematically reading and exfiltrating data. Regardless of the drill type, Ransomware Resilience then triggers an alert and verifies that the alert was generated successfully.

When you run the drill, you can test your response to alerts and optionally walk through the recovery process without impacting real data.

Configure a ransomware attack readiness drill

Required Console role
To perform this task, you need the Super admin or Ransomware Resilience admin role. Learn about Ransomware Resilience roles for NetApp Console.

Steps
  1. In Ransomware Resilience, select Settings.

  2. In the Readiness drill tile, select Configure.

  3. Choose the Readiness drill type.

    • Custom recovery: Respond to an encryption (entropy) attack with a custom restore where you configure the recovery point.

    • Clean restore: Respond to an encryption (entropy) attack with a clean restore process for recovery, which guides you toward optimized recovery points.

    • Data breach recovery: You must have configured a user activity agent before you can enable this drill type.

  4. Choose the environment where the readiness drill test will be created.

    1. Choose the Console agent and System.

    2. After choosing the System, choose the Storage VM from the prepopulated list.

    3. Provide a name for the New test workload. The test workload will be prepended with "rps_test_".

    4. If the readiness drill is for data breach recovery, select the User activity agent for the drill environment.

      Screenshot of readiness drill configuration options.

  5. Select Save.

Tip You can edit the readiness drill configuration later using the Settings page.

Start a readiness drill

After you configure the readiness drill, you can start the drill.

Required Console role
To perform this task, you need the Super admin or Ransomware Resilience admin role. Learn about Ransomware Resilience roles for NetApp Console.

Steps
  1. To initiate the drill:

    • From the Ransomware Resilience dashboard, select the Run readiness drill button at the top right.

      Dashboard page showing the Run readiness drill button

    • Or go to Settings. In the Readiness drill tile, select Start.

Note You can't edit the readiness drill configuration while the drill is running. To modify the readiness drill, select Reset, then edit the drill.

Respond to a readiness drill alert

Test your readiness by responding to a readiness drill alert.

Required Console role
To perform this task, you need the Super admin or Ransomware Resilience admin role. Learn about Ransomware Resilience roles for NetApp Console.

Steps
  1. From the Ransomware Resilience menu, select Alerts.

    The Console displays the Alerts page. In the Alert ID column, you see "Readiness drill" next to the ID.

    Alerts page showing the readiness drill alert

  2. Select the alert with the "Readiness drill" indication.

    Alerts details page showing the readiness drill alert

  3. Review the alert incidents.

  4. Select an alert incident.

    Incident page showing the readiness drill alert

When reviewing the incident, consider:

  • The potential attack severity.

    If the severity indicates that a user is suspected of malicious activity, review the user name. You can also block the user.

  • The file activity versus expected rates. This includes read/write rate, file creation, file renaming, and deletion.

  • The list of impacted files. Look at the extensions that might be causing the attack.

  • Determine the impact and breadth of the attack by reviewing the number of impacted files and directories.

Restore the test workload

After reviewing the readiness drill alert, restore the test workload if needed.

Required Console role
To perform this task, you need the Super admin or Ransomware Resilience admin role. Learn about Ransomware Resilience roles for NetApp Console.

Steps
  1. Return to the Alert details page.

  2. If the test workload should be restored, select Mark restore needed then select that button again in the confirmation dialog.

  3. From the Ransomware Resilience menu, select Recovery.

  4. Select the test workload marked with the "Readiness drill" tag that you want to restore.

  5. Select Restore.

  6. Follow the instructions for the recovery style you've configured:

Change the alert status after the readiness drill

After reviewing the readiness drill alert and restoring the workload, change the alert status if needed.

Required Console role
Organization admin, Folder or project admin, or Ransomware Resilience admin. Learn about Console access roles for all services.

Steps
  1. Return to the Alert details page.

  2. Select the alert again.

  3. Indicate the status by selecting Edit next to the status. Change the status to one of the following:

    • Dismissed: If you suspect that the activity is not a ransomware attack, change the status to Dismissed.

      Important After you dismiss an attack, you cannot change it back. If you dismiss a workload, all snapshot copies taken automatically in response to the potential ransomware attack will be permanently deleted. If you dismiss the alert, the readiness drill is considered complete.
    • Resolved: The incident has been mitigated.

Review reports on the readiness drill

After the readiness drill is complete, you can generate and save a report on the drill. The drill report is a JSON file that captures information such as the detection policy, the alert type and timestamp, details of the attack, and recovery status.

Required Console role
To perform this task, you need the Super admin, Ransomware Resilience admin, or Ransomware Resilience viewer role. Learn about Ransomware Resilience roles for NetApp Console.

Steps
  1. From the Ransomware Resilience menu, select Reports.

    Reports page showing the readiness drill report

  2. Select Readiness drills and Download to download the readiness drill report.