Anti-ransomware overview


Beginning with ONTAP 9.10.1, the anti-ransomware feature uses workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack.

When an attack is suspected, anti-ransomware also creates new Snapshot backups, in addition to existing protection from scheduled Snapshot copies.

The anti-ransomware feature requires the Multi-tenant Encryption Key Management (MT_EK_MGMT) license, which is available in the security and compliance bundle.

ONTAP ransomware protection strategy

An effective ransomware detection strategy should include more than a single layer of protection.

An analogy would be the safety features of a vehicle. You wouldn’t want to rely on a single feature, such as a seatbelt, to completely protect you in an accident. Air bags, anti-lock brakes, and forward-collision warning are all additional safety features that will lead to a much better outcome. Ransomware protection should be viewed in the same way.

While ONTAP includes features like FPolicy, Snapshot copies, SnapLock, and Active IQ Digital Advisor to help protect from ransomware, the focus of this content is the ONTAP anti-ransomware on-box feature with machine-learning capabilities.

To learn more about ONTAP’s other anti-ransomware features, see: TR-4572: NetApp Solution for Ransomware.

What ONTAP anti-ransomware detects

There are two types of ransomware attacks:

  1. Denial of service to files by encrypting data.
    The attacker withholds access to this data unless a ransom is paid.

  2. Theft of sensitive proprietary data.
    The attacker threatens to release this data to the public domain unless a ransom is paid.

ONTAP ransomware protection addresses the first type, with an anti-ransomware detection mechanism that is based on:

  1. Identification of the incoming data as encrypted or plaintext.

  2. Analytics, which detects

    • High data entropy (an evaluation of the randomness of data in a file)

    • A surge in abnormal volume activity with data encryption

    • An extension that does not conform to the normal extension type

Note No ransomware detection or prevention system can completely guarantee safety from a ransomware attack. While it’s possible an attack might go undetected, NetApp ransomware protection acts as an important additional layer of defense if anti-virus software has failed to detect an intrusion. Anti-ransomware can detect the spread of most ransomware attacks after only a small number of files are encrypted, take action automatically to protect data, and alert you that a suspected attack is happening.

How to recover data in ONTAP after a ransomware attack

When an attack is suspected, the system takes a volume Snapshot copy at that point in time and locks that copy. If the attack is confirmed later, the volume can be restored to this proactively taken snapshot, minimizing the data loss.

Locked Snapshot copies cannot be deleted by normal means. However, if you decide later to mark the attack as a false positive, the locked copy will be deleted.

With the knowledge of the affected files and the time of attack, it is possible to selectively recover the affected files from various Snapshot copies, rather than simply reverting the whole volume to one of the snapshots.

Anti-ransomware thus builds on proven ONTAP data protection and disaster recovery technology to respond to ransomware attacks. See the following topics for more information on recovering data.