
Recover with Confidence: Introducing NetApp Clean Restore

vkarinta

Introduction: Navigating the Evolving Ransomware Threat

Ransomware attacks have become more frequent, sophisticated, and damaging over the past several years. Enterprises face serious risks that threaten business continuity, data integrity, and regulatory compliance. As cybercriminals evolve their tactics, traditional recovery methods often fall short—leaving organizations exposed to reinfection, data loss, and reputational harm. In this challenging landscape, enterprise customers need trusted solutions that not only restore operations but also ensure recovery environments are secure and uncompromised.

 

What Is an Isolated Recovery Environment?

NetApp Isolated Recovery Environment (IRE) is a ransomware recovery solution engineered to help enterprises recover safely and confidently from ransomware and other malicious attacks. Clean Restore creates an isolated recovery environment where data can be restored, analyzed, and validated before it re-enters production. IRE builds on core NetApp ONTAP data technologies to deliver restores with the lowest achievable RPO and RTO, so the business is back up and running on the latest clean data. The purpose of Clean Restore is to eliminate the risk of reinfection, assure the integrity of recovered data, and streamline compliance with regulatory mandates.

 

IRE Key Capabilities

  • Clean Restore: Establishes a secure, network-isolated space for inspecting workloads before restoring them, so malicious code cannot propagate back into production and re-infect your workloads. (The isolation is enforced by a separate VPC, security groups, and NFS export policies rather than a physical air gap; see the Setup phase below.)
  • Leverages NetApp ONTAP technologies, including Snapshot, FlexClone, SnapMirror, SnapLock, and SnapDiff, to provide forever-incremental, immutable snapshots and backups as the foundation of Clean Restore.
  • AI-Powered Advanced Ransomware Threat Detection: A proprietary detection capability that finds data corrupted by malicious encryption using an AI/ML model, and is effective even against partial encryption. Clean Restore identifies ransomware signatures, suspicious activity, and anomalous patterns within backup data.
  • Purpose-Driven Design: Clean Restore is engineered to eliminate the risk of reinfection, maintain the integrity of recovered data, and simplify compliance with regulatory mandates.
  • Forensic Analysis: Deep forensic analysis helps uncover the root cause of the attack, map infection pathways, and provide actionable insights for remediation.
  • Validation Drills: Automated validation drills test restored data and systems to ensure they are clean, operational, and compliant with security policies.

 

NetApp Ransomware Resilience overview

NetApp Ransomware Resilience brings together several NetApp technologies so that the storage administrator, data security administrator, or security operations engineer can cover the core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

  • Identify all application-based, file-share, or VMware-managed workloads in NetApp on-premises NAS (NFS or CIFS) and SAN (FC, iSCSI, and NVMe) systems across the NetApp Console, projects, and Console agents. Ransomware Resilience categorizes the data priority and provides recommendations for ransomware resilience improvements.
  • NetApp Ransomware Resilience uses NetApp Data Classification to scan and classify the data in a file-share workload. Classification helps you determine whether the dataset includes personally identifiable information (PII), which increases security risk.
  • Protect your workload by enabling backups, snapshot copies, and ransomware protection strategies on your data. Snapshots on primary and secondary storage are made immutable with NetApp tamper-proof snapshot and SnapLock technologies. DataLock extends immutability to object stores, so backup data cannot be altered even after it has been stored off-site.
  • Detect potential ransomware attacks. NetApp Ransomware Resilience now detects ransomware user behavior with AI-powered threat detection of potential ransomware user/entity access to sensitive data. Ransomware Resilience detects three stages of a ransomware attack: data breach (an early warning signal of data exfiltration), data destruction, and suspicious user behavior.
    • NetApp Ransomware Resilience also uses ONTAP's Autonomous Ransomware Protection with AI (ARP.AI), an additional encryption detector built into ONTAP.
  • Respond to potential ransomware attacks by automatically creating a tamper-proof NetApp ONTAP snapshot that is locked so the copy cannot be deleted accidentally or maliciously. Your backup data stays immutable and protected end to end, at the source and at the destination.
  • Recover your workloads with or without an IRE.
    • Without an IRE, Ransomware Resilience orchestrates several NetApp restore strategies to help you recover VM-, application-, or storage-consistent workloads across all their volumes. You can also recover specific volumes or files at scale to minimize data loss. Ransomware Resilience also recommends the best option.
    • With Clean Restore, you can also automatically provision an IRE and an isolated clean room for each workload, so that malware-free copies of the workload are available for recovery and the chance of re-infection is minimized.
    • Forensics produce and recommend two safe recovery options: the fastest recovery from the latest safe snapshot (lowest RTO), or a curated recovery assembled from the latest clean copy of each impacted file (lowest RPO).

 

 

 

NetApp Clean Restore IRE Reference Architecture

 

[Image: Clean Restore IRE reference architecture diagram]

 

How Clean Restore Works

NetApp Clean Restore (CRR) integrates with existing data infrastructure. Customers can choose the Clean Restore option to identify and remove malware in an isolated recovery environment before restoring workloads, reducing the risk of re-infection. The clean room recovery workflow consists of the seven phases described below.

 

1. Setup

This phase creates the IRE (Isolated Recovery Environment) in the customer's cloud account or on-premises compute environment. Each workload gets its own isolated clean room (recovery session), and multiple workloads can be recovered at the same time.

    • The IRE resides in a separate virtual private cloud (VPC), so malware cannot spread to the production network during the cleansing process.
    • A NetApp IRE agent VM instance runs in a control subnet and coordinates the Analysis, Planning, and Cleaning operations by listening for messages from the NetApp Ransomware Resilience control plane.
    • Dedicated Detection and Cleaning VM instances are created inside a dedicated, isolated clean room private subnet for each clean room session.
    • A dedicated CRR SVM is provisioned by the Ransomware Resilience service on each primary storage cluster to give controlled access to the snapshots under analysis. Only the CRR SVM, not the primary storage SVM, is reachable from the IRE network.
    • CRR uses ONTAP FlexClone technology to create fast, space-efficient read/write clones of production SVM snapshots for analysis in the clean room.
    • FlexClone volumes are created in the CRR SVM for the snapshots from the primary storage SVM that need to be analyzed. Dedicated NFS export policies are created and attached to the FlexClone volumes so that access is restricted to the Detection and Cleaning VM instances in the IRE that perform the ransomware analysis.
    • Security groups and routing rules are configured to allow only narrow, restricted access. Outbound rules in the IRE are dynamically updated with the CRR SVM's data LIF IP address, so that only the CRR SVM's data LIF is reachable from the clean room for mounting the clones. Similarly, the security group in the production network is updated to allow outbound traffic only to the Detection and Cleaning VM instances.
    • Finally, the customer must accept the VPC peering request for the IRE network before it can connect to the CRR SVM. This leaves the customer in full control of whether primary storage is reachable from the IRE network.

[Image: Setup phase diagram]

 

2. Analysis

The Analysis phase connects to the NetApp primary storage system to read snapshot contents from the primary, secondary, or backup copy in a 3-2-1 topology. It determines the file-level encryption status of every modified file in each snapshot, working back until a clean, unencrypted snapshot is found, and records the result in a Recovery Map: the encryption status of each modified file in each snapshot. The Recovery Map lets CRR identify the recommended restore point for each file.

    • FlexClone volumes backed by the primary snapshots are securely mounted from the CRR SVM under session-specific export policies. The clones are mounted on the Detection compute VMs, which scan the files' encryption status with Advanced Ransomware Detection.
    • Advanced Ransomware Detection (ARD) is a proprietary capability for finding data corrupted by malicious encryption. ARD uses an AI/ML model that scores a diverse set of features, which makes it effective at finding partial encryption.
    • The Analysis phase builds a catalog of modified files with NetApp SnapDiff. SnapDiff returns only the files changed between two snapshots, so scanning covers just the modified files rather than a full volume scan, which can be a costly operation.
    • Clean Restore also retrieves the list of suspicious files reported by ARP.AI after a ransomware attack. CRR adds these files to the scan list and uses ARD to identify the latest unencrypted copy of each impacted file.
    • ARD runs on each file list returned by SnapDiff and on the suspicious files to determine file-level encryption status. CRR records the impacted and unimpacted files at each recovery point and keeps a detailed modification and encryption timeline for every file.
    • The procedure is repeated for each snapshot or backup until the 'Latest Unimpacted Restore Point' is determined, at which point scanning stops. The resulting Recovery Map captures the encryption status of each modified file in each snapshot and is what CRR uses to recommend a restore point for each file.

  

[Image: Analysis phase diagram]

 

3. Planning

    • The Planning phase creates a curated restore point that contains the latest clean copy of each file, giving the Lowest Data Loss. CRR builds it automatically from the Recovery Map computed in the Analysis phase, so the customer gets the latest unencrypted copy of every file with minimum data loss. A Fastest Recovery option is also offered, which restores the latest unimpacted restore point as a whole.
    • The storage admin can then choose between the Lowest Data Loss and Fastest Recovery (latest unimpacted restore point) options to perform the recovery.
    • The Lowest Data Loss option curates a restore point holding the latest clean copy of every file, giving the lowest RPO. ONTAP incremental snapshot restore performs a storage-efficient copy of the clean version of each file from its respective recovery point into the latest recovery point.
    • Fastest Recovery simply restores the latest unimpacted restore point. With this option, edits to files modified since that restore point are lost, but the business is back up and running sooner.
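The Analysis and Planning phases above amount to one algorithm: walk the snapshots, scan only what changed, record a per-file encryption verdict, then derive the two restore options from that map. The following is an added illustration of that algorithm, not NetApp code. It assumes a chunked Shannon-entropy heuristic as a stand-in for ARD, simulates SnapDiff and the ARP.AI suspicious-file list with plain Python dicts and lists (constructed sample data), and scans every snapshot rather than stopping at the latest unimpacted one.

```python
# Added illustration of Recovery Map construction and restore-point planning.
# Not NetApp code; the detector below is an entropy heuristic standing in for ARD.
import hashlib
import math
from collections import Counter

CHUNK = 512              # scan granularity: one near-random chunk flags the whole file
ENTROPY_THRESHOLD = 6.5  # bits/byte; text is ~4.5, ciphertext ~7.6 at this chunk size


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Stand-in for ARD (assumption). Flags the file if ANY chunk is near-random,
    so partially encrypted files are caught. Real detectors score many more
    features; already-compressed formats would false-positive on entropy alone."""
    return any(shannon_entropy(data[i:i + CHUNK]) > ENTROPY_THRESHOLD
               for i in range(0, len(data), CHUNK))


def fake_ciphertext(label: str, size: int) -> bytes:
    """Deterministic high-entropy bytes so the constructed sample is reproducible."""
    blocks = (hashlib.sha256(f"{label}:{i}".encode()).digest() for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]


def build_recovery_map(snapshots, suspicious=()):
    """snapshots: chronological list of (name, {path: bytes}).
    recovery_map[path] lists (snapshot, verdict) for every snapshot in which the
    file was modified (SnapDiff stand-in) or is on the ARP.AI suspicious list
    (always rescanned). snapshot_clean[snapshot] is True when no file present in
    it is encrypted; an unmodified file keeps the verdict from its last scan."""
    recovery_map, snapshot_clean, status, prev = {}, {}, {}, {}
    for name, files in snapshots:
        changed = {p for p, c in files.items() if prev.get(p) != c}
        changed |= set(suspicious) & set(files)
        for path in sorted(changed):
            verdict = "encrypted" if looks_encrypted(files[path]) else "clean"
            status[path] = verdict
            recovery_map.setdefault(path, []).append((name, verdict))
        for gone in set(status) - set(files):   # deleted files carry no status
            del status[gone]
        snapshot_clean[name] = all(v == "clean" for v in status.values())
        prev = files
    return recovery_map, snapshot_clean


def plan_recovery(snapshots, recovery_map, snapshot_clean):
    """Fastest Recovery: the latest snapshot with no encrypted file.
    Lowest Data Loss: per file, the newest snapshot holding a clean version.
    Also returns the files whose later clean edits Fastest Recovery would lose."""
    order = [name for name, _ in snapshots]
    unimpacted = [n for n in order if snapshot_clean[n]]
    fastest = unimpacted[-1] if unimpacted else None
    lowest, lost = {}, set()
    for path, history in recovery_map.items():
        clean = [n for n, v in history if v == "clean"]
        lowest[path] = clean[-1] if clean else None   # None: no clean copy retained
        if fastest and any(order.index(n) > order.index(fastest) for n in clean):
            lost.add(path)
    return fastest, lowest, lost


def sample_snapshots():
    """Constructed data: encryption begins between snap-02 and snap-03."""
    def text(line):
        return (line + "\n").encode() * 20
    report_v1 = text("Q3 revenue grew 4% on stronger services demand.")
    report_v2 = text("Q3 revenue grew 5% on stronger services demand.")
    ledger, note = text("2025-09-30,INV-1041,4200.00,paid"), text("your files are encrypted")
    return [
        ("snap-01", {"report.docx": report_v1, "ledger.csv": ledger,
                     "notes.txt": text("todo: close books")}),
        ("snap-02", {"report.docx": report_v2, "ledger.csv": ledger,
                     "notes.txt": text("todo: close books")}),
        ("snap-03", {"report.docx": report_v2, "ledger.csv": fake_ciphertext("ledger", 2048),
                     "notes.txt": text("todo: close books, send audit pack"),
                     "README_DECRYPT.txt": note}),
        # partial encryption: only the first 512 bytes of the report are ciphertext
        ("snap-04", {"report.docx": fake_ciphertext("report", 512) + report_v2,
                     "ledger.csv": fake_ciphertext("ledger", 2048),
                     "notes.txt": text("todo: close books, send audit pack, call bank"),
                     "README_DECRYPT.txt": note}),
    ]


if __name__ == "__main__":
    snaps = sample_snapshots()
    rmap, clean = build_recovery_map(snaps, suspicious=["ledger.csv"])
    fastest, lowest, lost = plan_recovery(snaps, rmap, clean)
    print("Fastest Recovery point:", fastest, "| clean edits it discards:", sorted(lost))
    for path, point in sorted(lowest.items()):
        print(f"  {path:20} <- {point}")
```

On the sample data the Fastest Recovery point is snap-02, which silently discards the legitimate edits made to notes.txt in snap-03 and snap-04, while the Lowest Data Loss plan keeps notes.txt from snap-04, takes report.docx from snap-02 (its partially encrypted snap-04 version is rejected by the chunked check), and ledger.csv from snap-02. Note that README_DECRYPT.txt, the ransom note, also lands in the curated plan: it is not encrypted, so an encryption-only analysis passes it. That is exactly the gap the Cleaning phase's malware scan is there to close.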

        

[Image: Planning phase diagram (1 of 2)]

 

 

[Image: Planning phase diagram (2 of 2)]

 

File Recovery Maps

[Image: File Recovery Maps]

 

4. Cleaning

    • In the Cleaning phase, CRR removes malware from the selected restore point, using Microsoft Defender to clean or quarantine it. The Analysis phase checks only for encryption, so attacker-dropped executables, scripts, and ransom notes that are not themselves encrypted survive into the selected restore point; this step is where they are caught.
    • CRR mounts the selected restore point on the Cleaning compute VM and runs a Defender scan.
    • Defender scans the restore point for malware; the status of the operation is displayed to the user and captured in the report for further analysis.

[Image: Cleaning phase diagram]

 

5. Recovery

    • The storage admin then restores the selected restore point to the original or an alternate location.
    • ONTAP Snapshot restore and SnapMirror resync bring the production volume back quickly so the workload is back in action. Snapshots are restored incrementally, which gives the best RTO for the restore operation.

[Image: Recovery phase diagram]

 

6. Forensic Validation

In the isolated clean room, forensic tools inspect and validate data integrity to ensure no remnants of malware remain. Customers get access to both the cleaned and the original recovery points for forensic analysis.

 

7. Compliance Reporting

The storage admin can review a detailed summary of each stage of the restore process: Setup, Analysis, Planning, Cleaning, and Recovery. Clean Restore generates detailed reports to satisfy regulatory requirements and demonstrate due diligence in recovery operations.

Empowering the Future of Cyber Resilience

 

NetApp is committed to advancing innovations in cyber resilience for our enterprise customers worldwide. Clean Restore is a cornerstone of our vision: enabling organizations not only to recover from attacks, but also to strengthen their defenses, reduce downtime, and safeguard critical data assets. As threats evolve, NetApp continues to innovate, delivering solutions that blend security, intelligence, and operational agility.
