Determine whether a ransomware attack is real in ONTAP
When Autonomous Ransomware Protection (ARP) detects abnormal activity in a protected volume, it issues a warning and shows suspected files or entropy spike details. You are responsible for evaluating this unusual activity to determine whether it is acceptable (a false positive) or potentially malicious.
Although ARP automates detection and snapshot creation, the final determination of whether a file or event is truly malicious requires manual investigation. ARP cannot definitively determine if an event is a real ransomware attack. It flags suspicious activity, but you'll need to investigate and confirm whether the event is actual ransomware or a false positive (benign activity).
The following examples can help you determine whether a ransomware attack is occurring.
|
|
You are solely responsible for evaluating all alerts, investigating suspected files, and determining the appropriate response to potential security threats in your environment. These example investigations are for informational purposes only and are not comprehensive. |
Examine the file extensions of reported files. An obvious sign of ransomware is the presence of files with unusual or random character combinations appended to their names. For example, a file called document.docx might become document.docx.wcry.
Known ransomware extensions include .wcry, .locked, .akira, .zcrypt, .phobos, and others. Research the extension online or with AI tools.
If the extension is not associated with ransomware, the alert is likely a false positive. If the extension is associated with ransomware, the likelihood of a real attack is greater.
|
|
Some ransomware does not change file extensions. The absence of unusual extensions does not eliminate the possibility of a ransomware attack. |
If the alert occurs within a few hours or days of enabling ARP, it is likely a false positive. If no alerts occur for several days after enabling ARP and then an alert appears, the likelihood of a true attack is greater.
Try opening flagged files with their associated applications.
If the file opens and the content is normal, it is likely a false positive. If the file cannot be opened or the content is unreadable, it might be encrypted by ransomware.
|
|
Opening suspected files carries risk. Ensure you follow your organization's security protocols when attempting to access potentially compromised files. |
Check for ransomware notes in affected directories (for example, README.txt or DECRYPT_INSTRUCTIONS.html).
If systems and applications are operating normally, the alert is likely a false positive. A sudden and unexplained spike in file system activity (reads, writes, and deletions) often indicates active ransomware encryption in the background.