NetApp Ransomware Resilience

Recover from a ransomware attack with a custom restore in NetApp Ransomware Resilience

Contributors netapp-ahibbard

With Ransomware Resilience, storage administrators can determine how best to restore workloads either from the recommended restore point or the preferred restore point.

Tip: Ransomware Resilience also supports a clean restore option, which provides guided recovery and advanced capabilities to ensure only clean and unencrypted data is recovered.

Restore a workload

Required Console role
Organization admin, Folder or project admin, or Ransomware protection admin. Learn about Console access roles for all services.

The security storage admin can recover data at different levels:

  • Recover all volumes

  • Recover an application at the volume level or file and folder level.

  • Recover a file share at the volume level, directory, or file/folder level.

  • Recover from a datastore at a VM level.

The process differs depending on the workload type.

Steps
  1. From the Ransomware Resilience menu, select Recovery.

  2. Review the workload information in the Recovery page.

  3. Select a workload that is in the "Restore needed" state.

  4. To restore, select Restore.

  5. Select Custom restore to proceed without cleaning the files.

  6. Restore scope: Select the type of restore you want to complete:

    • All volumes

    • By volume

    • By file: You can specify a folder or single files to restore.

      Important: For SAN workloads, you can only restore by workload.

      Tip: You can select up to 100 files or a single folder.

  7. Continue with one of the following procedures depending on whether you chose application, volume, or file.

Restore all volumes

  1. From the Ransomware Resilience menu, select Recovery.

  2. Select a workload that is in the "Restore needed" state.

  3. To restore, select Restore.

  4. On the Restore page, in the Restore scope, select All volumes.

    [Screenshot: Restore by all volumes page]

  5. Source: Select the down arrow next to Source to see details.

    1. Select the restore point that you want to use to restore the data.

      Tip: Ransomware Resilience identifies the best restore point as the latest backup just before the incident and shows a "Safest for all volumes" indication. This means that all volumes will be restored to a copy prior to the first attack on the first volume detected.

  6. Destination: Select the down arrow next to Destination to see details.

    1. Select the system.

    2. Select the Storage VM.

    3. Select the aggregate.

    4. Change the volume prefix that will be prepended to all new volumes.

      Tip: The new volume name appears as prefix + original volume name + backup name + backup date.

  7. Select Save.

  8. Select Next.

  9. Review your selections.

  10. Select Restore.

  11. From the top menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.

Restore an application workload at the volume level

  1. From the Ransomware Resilience menu, select Recovery.

  2. Select an application workload that is in the "Restore needed" state.

  3. To restore, select Restore.

  4. On the Restore page, in the Restore scope, select By volume.

    [Screenshot: Restore by volume page]

  5. On the list of volumes, select the volume you want to restore.

  6. Source: Select the down arrow next to Source to see details.

    1. Select the restore point that you want to use to restore the data.

      Tip: Ransomware Resilience identifies the best restore point as the latest backup just before the incident and shows a "Recommended" indication.

  7. Destination: Select the down arrow next to Destination to see details.

    1. Select the system.

    2. Select the Storage VM.

    3. Select the aggregate.

    4. Review the new volume name.

      Tip: The new volume name appears as the original volume name + backup name + backup date.

  8. Select Save.

  9. Select Next.

  10. Review your selections.

  11. Select Restore.

  12. From the top menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.
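
The tips in the two procedures above describe different selection rules: "Recommended" is the latest backup before the incident on one volume, while "Safest for all volumes" is a copy prior to the first attack on the first volume detected. The Python below is an added illustration of that difference and is not NetApp code; the volume names, timestamps and function names are constructed for the example.

```python
from datetime import datetime

# Constructed sample data: snapshot times per volume and the time the first
# attack was detected on each volume. All names and values are hypothetical.
SNAPSHOTS = {
    "vol_db":   ["2025-03-01T00:00", "2025-03-02T00:00", "2025-03-03T00:00"],
    "vol_logs": ["2025-03-01T06:00", "2025-03-02T06:00", "2025-03-03T06:00"],
}
FIRST_ATTACK = {"vol_db": "2025-03-02T09:30", "vol_logs": "2025-03-03T08:00"}


def _latest_before(times, cutoff):
    """Latest snapshot strictly before cutoff, or None if there is none."""
    earlier = [t for t in map(datetime.fromisoformat, times) if t < cutoff]
    return max(earlier, default=None)


def recommended_per_volume(snapshots, first_attack):
    """Per volume: latest snapshot before that volume's own first attack."""
    return {
        vol: _latest_before(times, datetime.fromisoformat(first_attack[vol]))
        for vol, times in snapshots.items()
    }


def safest_for_all_volumes(snapshots, first_attack):
    """Per volume: latest snapshot before the earliest attack on any volume."""
    cutoff = min(map(datetime.fromisoformat, first_attack.values()))
    return {vol: _latest_before(times, cutoff) for vol, times in snapshots.items()}


def extra_rollback(snapshots, first_attack):
    """Additional data age accepted by choosing the all-volumes restore point."""
    per_volume = recommended_per_volume(snapshots, first_attack)
    all_volumes = safest_for_all_volumes(snapshots, first_attack)
    return {
        vol: per_volume[vol] - all_volumes[vol]
        for vol in snapshots
        if per_volume[vol] and all_volumes[vol]  # skip volumes with no clean copy
    }


if __name__ == "__main__":
    for vol, delta in extra_rollback(SNAPSHOTS, FIRST_ATTACK).items():
        print(f"{vol}: all-volumes restore point is {delta} older")
```

In this sample, the volume that was attacked later is rolled back a further day under the all-volumes rule, which is the recovery-point cost of guaranteeing that every volume predates the first detection.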

Restore an application workload at the file level

Before you restore an application workload at the file level, you can view a list of impacted files. You can access the Alerts page to download a list of impacted files. Then use the Recovery page to upload the list and choose which files to restore.

You can restore an application workload at the file level to the same or different system.

Retrieve a list of impacted files

Use the Alerts page to retrieve the list of impacted files.

Tip: If a volume has multiple alerts, you need to download the CSV list of impacted files for each alert.

Steps
  1. From the Ransomware Resilience menu, select Alerts.

  2. On the Alerts page, sort the results by workload to show the alerts for the application workload that you want to restore.

  3. From the list of alerts for that workload, select an alert.

  4. For that alert, select a single incident.

    [Screenshot: List of impacted files for a specific alert]

  5. To see the full list of files, select Click here at the top of the Impacted files pane.

  6. For that incident, select the download icon and download the list of impacted files in CSV format.

Restore the files

After assessing the impacted files, you can restore them.

Steps
  1. From the Ransomware Resilience menu, select Recovery.

  2. Select an application workload that is in the "Restore needed" state.

  3. Select Restore.

  4. On the Restore page, in the Restore scope, select By file.

  5. On the list of volumes, select the volume that contains the files that you want to restore.

  6. Restore point: Select the down arrow next to Restore point to see details. Select the restore point that you want to use to restore the data.

    Note: The Reason column in the Restore points pane shows the reason for the snapshot or backup as either "Scheduled" or "Automated response to ransomware incident."

  7. Files:

    • Automatically select files: Let Ransomware Resilience select the files to be restored.

    • Upload list of files: Upload a CSV file that contains the list of impacted files, either the one that you downloaded from the Alerts page or one that you already have. You can restore up to 10,000 files at a time.

      [Screenshot: Upload CSV file that lists the impacted files for the alert]

    • Manually select files: Select up to 10,000 files or a single folder to restore.

      [Screenshot: Select files manually to restore]

      Note: If any files cannot be restored using the selected restore point, a message appears indicating the number of files that cannot be restored and lets you download the list of those files by selecting Download list of impacted files.

  8. Destination: Select the down arrow next to Destination to see details.

    1. Choose where to restore the data: original source location or an alternate location that you can specify.

      Tip: While the original files or directory will be overwritten by the restored data, the original file and folder names will remain the same unless you specify new names.

    2. Select the system.

    3. Select the Storage VM.

    4. Optionally, enter the path.

      Tip: If you don't specify a path for the restore, the files will be restored to a new volume at the top-level directory.

    5. Select whether you want the names of the restored files or directory to be the same names as the current location or different names.

  9. Select Next.

  10. Review your selections.

  11. Select Restore.

  12. From the top menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.
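
Because each alert on a volume has its own CSV download and a restore accepts up to 10,000 files at a time, the per-alert lists usually need to be merged, de-duplicated and split before upload. The Python below is an added example of that preparation step and is not NetApp code; the column names `file_path` and `alert_id` and the sample rows are assumptions, so check the header of a real export and pass its path column name.

```python
import csv
import io

MAX_FILES_PER_RESTORE = 10_000  # per-restore limit stated on this page


def merge_impacted_lists(csv_texts, path_column):
    """Merge per-alert CSV exports, dropping rows whose path was already seen."""
    seen, rows, fields = set(), [], None
    for text in csv_texts:
        reader = csv.DictReader(io.StringIO(text))
        if path_column not in (reader.fieldnames or []):
            raise ValueError(f"column {path_column!r} missing from CSV header")
        fields = fields or reader.fieldnames  # keep the first export's header
        for row in reader:
            path = (row[path_column] or "").strip()
            if path and path not in seen:
                seen.add(path)
                rows.append(row)
    return fields, rows


def split_batches(rows, size=MAX_FILES_PER_RESTORE):
    """Split the merged rows into chunks that fit one restore operation."""
    return [rows[i:i + size] for i in range(0, len(rows), size)]


def to_csv(fields, rows):
    """Serialize one batch using the header of the first export."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample: two alerts on the same volume that share one file.
# The column names are hypothetical, not taken from a real export.
ALERT_1 = "file_path,alert_id\n/vol1/docs/a.docx,101\n/vol1/docs/b.xlsx,101\n"
ALERT_2 = "file_path,alert_id\n/vol1/docs/b.xlsx,102\n/vol1/img/c.png,102\n"

if __name__ == "__main__":
    fields, rows = merge_impacted_lists([ALERT_1, ALERT_2], "file_path")
    for n, batch in enumerate(split_batches(rows), start=1):
        print(f"batch {n}: {len(batch)} files")
        print(to_csv(fields, batch))
```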

Restore a file share or datastore

  1. After selecting a file share or datastore to restore, on the Restore page, in the Restore scope, select By volume.

    [Screenshot: Recovery page showing file share recovery]

  2. On the list of volumes, select the volume you want to restore.

  3. Source: Select the down arrow next to Source to see details.

    1. Select the restore point that you want to use to restore the data.

      Tip: Ransomware Resilience identifies the best restore point as the latest backup just before the incident and shows a "Recommended" indication.

  4. Destination: Select the down arrow next to Destination to see details.

    1. Choose where to restore the data: original source location or an alternate location that you can specify.

      Tip: While the original files or directory will be overwritten by the restored data, the original file and folder names will remain the same unless you specify new names.

    2. Select the system.

    3. Select the Storage VM.

    4. Optionally, enter the path.

      Tip: If you don't specify a path for the restore, the files will be restored to a new volume at the top-level directory.

  5. Select Save.

  6. Review your selections.

  7. Select Restore.

  8. From the menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.

Restore a VM file share at the VM level

On the Recovery page, after you select a VM to restore, continue with these steps.

  1. Source: Select the down arrow next to Source to see details.

    [Screenshot: Recovery page showing a VM being restored]

  2. Select the restore point that you want to use to restore the data.

  3. Destination: To original location.

  4. Select Next.

  5. Review your selections.

  6. Select Restore.

  7. From the menu, select Recovery to review the workload on the Recovery page where the status of the operation moves through the states.