Your backups are a target: ransomware attackers have shifted their attention to making backup copies unusable. That’s because backups can be the last resort business have to restore business operations following an attack without paying a ransom. Protecting backup data copies with ransomware recovery capabilities should be top priority for any organization.
NetApp BlueXP backup and recovery leverages a new ransomware protection feature to help achieve this goal. In this blog we will explore this new feature in detail and see how BlueXP can provide comprehensive protection for your business-critical backup data.
Read on or use the links below to jump down to:
In the event of a ransomware attack, the timely availability and integrity of backup copies can save the day. With data locking and ransomware protection features, BlueXP backup and recovery protects your backup storage from ransomware attacks.
With BlueXP backup and recovery’s DataLock, customers can leverage the native WORM (Write Once Read Many) capabilities of cloud object storage services as well as on-prem with NetApp StorageGRID®. WORM storage ensures that, once written to the object storage, the data cannot be deleted or overwritten. The data remains immutable and protected even if any ransomware attack vector manages to make its way to the backup storage destination.
Additionally, BlueXP supports backing up WORM ONTAP volumes created using NetApp SnapLock technology to object storage. By using that capability alongside DataLock, the backup data remains protected as WORM in the destination object storage repository as well. That means end-to-end immutable data protection is native to BlueXP.
To protect against ransomware that targets backup copies, BlueXP backup and recovery scans your backup copies, verifying the different backup object versions’ checksums to detect any ransomware attempts. If any such an attempt is detected, an alert is immediately sent to the administrators, and a recovery process is automatically initiated that restores the last consistent version of the backup.
The ransomware protection setup definition is part of the backup activation. This is done under the “Define Policy” screen, in the “Activate Backup for Working Environment” wizard. Ransomware protection is available in both Governance and Compliance modes.
The ransomware scans will start as soon as you enable the BlueXP backup and recovery capability in the working environment and set up "DataLock and Ransomware Protection."
The scans are triggered in the following scenarios:
Once an attack is detected, an alert is generated to inform administrators about the attack, and the last consistent version of the backup data copy will be considered the source of truth. The recovery process will convert that copy to be the current version. This means that the attempt to change the object did not succeed (because of DataLock protection), and the attacker doesn’t know that.
The status of the ransomware scan will be shown in the Browse & Restore pages in the “Select Source” window.
When the ransomware scan feature scans your backups, it generates alerts that are sent to the administrators when it detects any attempt to edit or delete objects in the object storage repository where the backup is stored. The attempt to change the object data will not succeed, a fact that the BlueXP administrator will know, but the attackers won’t.
Alerts are sent over email to administrators and also displayed in multiple places in the BlueXP UI: the Backup & Restore page, the Backup Details page, the BlueXP notification center, and the Search and Restore page. Let’s take a look at some examples below.
The Backup & Restore Page
The Ransomware Protection column on this page shows your working environments’ DataLock mode along with the findings of their last ransomware scans.
The BlueXP notification panel
The ransomware detection notification shows up on the BlueXP notification center when a potential attack is identified on any of the working environments.
With DataLock and ransomware protection features BlueXP’s backup and restore help build a strong fort around your backup data copies. While DataLock makes the backup immutable in the object storage, ransomware protection lets you know about possible attack vectors attempting to access the data. This feature does not require any dedicated licensing, and comes included natively in the BlueXP backup and restore functionality.
With ransomware protection and DataLock built in, BlueXP offers an enterprise-class backup solution for your data estate. You can offer SLAs with confidence for your customers as data recovery in the event of a ransomware attack is assured. Read more on how to increase your cyber resilience with BlueXP here.