hamburger icon close icon
Ransomware Recovery

The BlueXP Feature that Protects Backups from Ransomware

Your backups are a target: ransomware attackers have shifted their attention to making backup copies unusable. That’s because backups can be the last resort business have to restore business operations following an attack without paying a ransom. Protecting backup data copies with ransomware recovery capabilities should be top priority for any organization.

NetApp BlueXP backup and recovery leverages a new ransomware protection feature to help achieve this goal. In this blog we will explore this new feature in detail and see how BlueXP can provide comprehensive protection for your business-critical backup data.

Read on or use the links below to jump down to:

How BlueXP Protects Your Backup Data

In the event of a ransomware attack, the timely availability and integrity of backup copies can save the day. With data locking and ransomware protection features, BlueXP backup and recovery protects your backup storage from ransomware attacks.

Immutable Backup Storage With Data Locking

With BlueXP backup and recovery’s DataLock, customers can leverage the native WORM (Write Once Read Many) capabilities of cloud object storage services as well as on-prem with NetApp StorageGRID®. WORM storage ensures that, once written to the object storage, the data cannot be deleted or overwritten. The data remains immutable and protected even if any ransomware attack vector manages to make its way to the backup storage destination.

Additionally, BlueXP supports backing up WORM ONTAP volumes created using NetApp SnapLock technology to object storage. By using that capability alongside DataLock, the backup data remains protected as WORM in the destination object storage repository as well. That means end-to-end immutable data protection is native to BlueXP.

Ransomware Scanning

To protect against ransomware that targets backup copies, BlueXP backup and recovery scans your backup copies, verifying the different backup object versions’ checksums to detect any ransomware attempts. If any such an attempt is detected, an alert is immediately sent to the administrators, and a recovery process is automatically initiated that restores the last consistent version of the backup.

How Ransomware Protection Works

DataLock and Ransomware Protection Setup

The ransomware protection setup definition is part of the backup activation. This is done under the “Define Policy” screen, in the “Activate Backup for Working Environment” wizard. Ransomware protection is available in both Governance and Compliance modes.

The ransomware scans will start as soon as you enable the BlueXP backup and recovery capability in the working environment and set up "DataLock and Ransomware Protection."

Setting-up-DataLock-and-ransomware-protectionSetting up DataLock and ransomware protection

Scans Triggers

The scans are triggered in the following scenarios:

  • When the backup copy is transferred to the object storage
  • Before the restoration process
  • On demand, manually started by an administrator

The Recovery Process

Once an attack is detected, an alert is generated to inform administrators about the attack, and the last consistent version of the backup data copy will be considered the source of truth. The recovery process will convert that copy to be the current version. This means that the attempt to change the object did not succeed (because of DataLock protection), and the attacker doesn’t know that.

The status of the ransomware scan will be shown in the Browse & Restore pages in the “Select Source” window.

Ransomware-scan-resultsThe Browse and Restore page, showing the ransomware scan results.

Ransomware Attempt Detection and Alerts

When the ransomware scan feature scans your backups, it generates alerts that are sent to the administrators when it detects any attempt to edit or delete objects in the object storage repository where the backup is stored. The attempt to change the object data will not succeed, a fact that the BlueXP administrator will know, but the attackers won’t.

Alerts are sent over email to administrators and also displayed in multiple places in the BlueXP UI: the Backup & Restore page, the Backup Details page, the BlueXP notification center, and the Search and Restore page. Let’s take a look at some examples below.

The Backup & Restore Page
The Ransomware Protection column on this page shows your working environments’ DataLock mode along with the findings of their last ransomware scans.

Identifying-potential-ransomwareIdentifying potential ransomware on the backup volume page.

The BlueXP notification panel
The ransomware detection notification shows up on the BlueXP notification center when a potential attack is identified on any of the working environments.

Ransomware-detection-alert-notificationRansomware detection alert notification


With DataLock and ransomware protection features BlueXP’s backup and restore help build a strong fort around your backup data copies. While DataLock makes the backup immutable in the object storage, ransomware protection lets you know about possible attack vectors attempting to access the data. This feature does not require any dedicated licensing, and comes included natively in the BlueXP backup and restore functionality.

With ransomware protection and DataLock built in, BlueXP offers an enterprise-class backup solution for your data estate. You can offer SLAs with confidence for your customers as data recovery in the event of a ransomware attack is assured. Read more on how to increase your cyber resilience with BlueXP here.


New call-to-action
Semion Mazor, Product Evangelist

Product Evangelist