Ransomware attacks are catastrophic and the biggest nightmares for organizations. We understand that ransomware protection requires more than detection and with Active IQ Unified Manager 9.10, we’ve got you covered!

I am excited to announce that we just added a new feature to Active IQ Unified Manager that will protect you in the event of a ransomware attack. ONTAP 9.10.1 introduces the ransomware detection feature where ONTAP will continuously monitor your volumes at the File level. It keeps a check on the entropy and file-level activity logging to understand whether the system is reflecting the expected behaviour. In case of any abnormal file level activity, an automatic alert is generated by ONTAP which allows administrators to dig in further to determine whether the activity is indeed malicious and take appropriate actions.

Active IQ Unified Manager 9.10 brings in all the ONTAP events raised for ransomware detection feature at volume and Storage VM level as AIQUM events. As part of this release, the following new events have been introduced –

Just like any other ONTAP EMS event, Unified Manager offers a detailed view for Anti-Ransomware events on the Event Management page. Similar to all the ONTAP events, these can be assigned, acknowledged, marked as resolved and alerts can be added.

You can go ahead and set up alerts for the anti-ransomware events just like any other alert -

Not only that you are alerted of the potential attacks but AIQUM also offers recommendations to fix these threats. Not to worry as AIQUM is at your aid to prevent the malicious cyber attacks by providing management actions through ‘Fix-It’ buttons. You can simply enable/ disable the Anti-Ransomware feature on suitable volumes and storage virtual machines with these one click remediations available.

Here is what AIQUM offers as remediations to combat Ransomware attacks and keeps your data secure –

• Configure Storage VM Anti-ransomware Learning - If an SVM supports all NFS/SMB protocols then it is a good candidate to be tried for the ARW feature. UM raises an event and a fix-it that sets the SVM in a dry-run mode including all new volumes provisioned.

• Configure Volume Anti-ransomware Learning - If a volume supports only NFS/SMB protocol then it is a good candidate to try out the ARW feature. UM raises an event and a fix-it that sets the volume with the ARW feature in dry-run mode.

• Enable Volume Anti-ransomware - When a volume is in dry-run configuration mode for about 45 days, AQIUM raises an event and a fix-it that sets the volume with the ARW feature in active mode.

• Disable Volume Anti-ransomware – When a high-rate of false positives are observed in a volume under ARW (e.g. 10 per 30 days ) as EMS events, then the volume may not be suited for it. AIQUM raises an event and a fix-it to disable  ARW on that volume

Try It Out!

Now that you’ve read about our new Anti-Ransomware support feature, we hope it entices you to update and try Active IQ Unified Manager 9.10.

If you would like more information, contact us (ng-aiqum-feedback@netapp.com) and we would be happy to answer your questions.