Tech ONTAP Blogs
Organizations continue to face the challenge of ransomware, and attacks can cost a business time, resources, and reputation. An organization typically has two options after it has encountered ransomware: pay the ransom or restore from backups. Protection against ransomware attacks has become one of the high-priority requirements among customers.
Cloud Backup has now introduced support for DataLock and Ransomware protection on Cloud Snapshots. With this feature, Cloud Backup provides a mechanism to lock the Cloud Snapshots replicated via SM-C and provides the ability to detect a ransomware attack and recover a consistent copy of the cloud snapshot. The solution uses both SM-C and ADC to achieve the above functionality. Currently, the feature is supported only for StorageGRID and AWS.
To enable DataLock and Ransomware Protection, choose the appropriate mode, “Governance” or “Compliance”, under the “DataLock and Ransomware Protection” section of the “Define Policy” UI of the “Activate Backup for Working Environment” wizard as shown below.
Important:-
When “DataLock and Ransomware Protection” is enabled, the cloud bucket that is provisioned as part of the backup activation process will have object locking enabled. Auto-purging of non-current versions on the bucket will also be enabled and set to 1 day.
To enable DataLock and Ransomware on AWS S3, make sure the following permissions are available
In this section, we will discuss Cloud backup policy behavior when Cloud Backup is enabled with a Governance or Compliance policy in the Working Environment.
To lock an object, cloud providers provide a way to set the ‘Retention Until Date’ (RUD, which is calculated based on the Snapshot Retention Period) in the object metadata. Until that date, the object version cannot be deleted or overwritten.
What is Snapshot Retention Period (SRP) and how is it calculated?
When “DataLock and Ransomware Protection” is enabled through the Cloud Backup policy, the Snapshot Retention Period (SRP) is calculated as per the label and retention count defined by the user in the Cloud Backup policy.
The minimum SRP that will be assigned is 30 days.
Let's try to understand how the Snapshot Retention Period (SRP) is calculated:
DataLock on an object is set by applying a retention period to an object version explicitly by specifying a “Retain Until Date or RUD” for the object version. Amazon S3 stores the Retain Until Date setting in the object version's metadata and protects the object version until the retention period expires.
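The settings described above can be checked from the bucket side. The following audit is an added example, not NetApp's code: it takes dicts shaped like the boto3 S3 responses of get_object_lock_configuration, get_bucket_lifecycle_configuration and get_object_retention, and the sample responses are constructed. Treating the 30-day minimum SRP as a floor on the Retain Until Date is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

MIN_SRP_DAYS = 30  # minimum Snapshot Retention Period stated in the post


def audit_datalock(lock_cfg, lifecycle_cfg, retention, backup_created, expected_mode):
    """Return findings (empty list = all checks passed) for boto3-shaped S3 responses."""
    findings = []

    # 1. The bucket must have Object Lock enabled.
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled on the bucket")

    # 2. An enabled lifecycle rule must purge non-current versions after 1 day.
    purge_ok = any(
        rule.get("Status") == "Enabled"
        and rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays") == 1
        for rule in lifecycle_cfg.get("Rules", [])
    )
    if not purge_ok:
        findings.append("no enabled rule expiring non-current versions after 1 day")

    # 3. The object version must carry the policy's lock mode and a lock that
    #    lasts at least the minimum SRP (assumption: RUD >= creation + 30 days).
    ret = retention.get("Retention", {})
    if ret.get("Mode") != expected_mode:
        findings.append(f"retention mode is {ret.get('Mode')}, expected {expected_mode}")
    rud = ret.get("RetainUntilDate")
    if rud is None or rud < backup_created + timedelta(days=MIN_SRP_DAYS):
        findings.append("Retain Until Date is missing or shorter than the 30-day minimum")
    return findings


# Constructed sample responses (not taken from a real bucket).
CREATED = datetime(2023, 1, 1, tzinfo=timezone.utc)
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
GOOD_LIFECYCLE = {"Rules": [{"ID": "purge-noncurrent", "Status": "Enabled",
                             "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}]}
GOOD_RETENTION = {"Retention": {"Mode": "COMPLIANCE",
                                "RetainUntilDate": CREATED + timedelta(days=37)}}
WEAK_RETENTION = {"Retention": {"Mode": "GOVERNANCE",
                                "RetainUntilDate": CREATED + timedelta(days=7)}}

if __name__ == "__main__":
    print(audit_datalock(GOOD_LOCK, GOOD_LIFECYCLE, GOOD_RETENTION, CREATED, "COMPLIANCE"))
    print(audit_datalock({}, {"Rules": []}, WEAK_RETENTION, CREATED, "COMPLIANCE"))
```

Against a live bucket, the three dicts would come from the corresponding boto3 S3 client calls for the bucket and the backup object version being checked.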
What is Retention Until Date (RUD) and how is it calculated?
Example:-
Please Note:-
How do we set Retention Until Date (RUD) on the cloud backups?
Ransomware Scan
In this section, we will examine how Ransomware detection scans are run by Cloud Backup. As soon as you enable Cloud Backup in the Working Environment and configure "DataLock and Ransomware Protection," the ransomware scans are initiated. The Ransomware scans are run in the scenarios mentioned below.
How does the scan work?
Now let's try to understand how the Ransomware scans work.
How does the Recovery process work?
When a Ransomware attack is detected, Cloud Backup uses the Active Data Connector Integrity Checker REST API to start the recovery process. The oldest version of the data objects is the source of truth and is made into the current version as part of the recovery process.
Let's see how this works:-
Please Note:-
• The DataLock and Ransomware Protection feature scans only cloud backups. It does not support scanning local snapshots, so Ransomware attacks on local snapshots cannot be detected.
In this section, we will look into the various Cloud Backup UI changes that were introduced to show the status and results of the DataLock and Ransomware Scan run on the cloud backups stored in the cloud object store.
Backup Volume Page
A new “Ransomware Scan” column has been introduced on the Backup Volume Page. It displays the different statuses of the Ransomware scans at the volume level, such as potential ransomware identified, a tool-tip showing the last scan time, and successful ransomware scan with scan time.
Backup Details Page
A new “Ransomware Scan” column has been introduced on the Backup Details Page. It displays the different statuses of the Ransomware scans at the backup level, such as potential ransomware identified, a tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with scan time.
Canvas Page
Notifications have been included on the Canvas Page to report that a potential ransomware attack has been identified on a backup copy of a specific volume related to a specific Working Environment.
Notifications have also been included on the Canvas Page to report that a potential ransomware attack has been identified on a backup copy during the restore of a specific volume related to a specific Working Environment. The notification also highlights that Cloud Backup reverted to the last known good version of the backup copy.
Browse and Restore Pages
A new “Ransomware Scan” column has been introduced on the Selected Backup Details Page. It displays the different statuses of the Ransomware scans at the backup level, such as potential ransomware identified, a tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with the scan time.
Browse and Restore Pages – Restore Message
A “Ransomware Scan” UI will be shown upon selecting a snapshot to restore the backup. This restore confirmation message shows the DataLock mode and the last scan time, and also includes a recommendation to run a ransomware scan before proceeding with the restore. This scan is optional; the user can uncheck the option to skip the ransomware scan.
Search and Restore Page
More details about the ransomware scan have been provided on the “Backup Details” right navigation pane UI. It displays the different statuses of the ransomware scans at the backup level, such as potential ransomware identified, a tool-tip showing the last scan time, ransomware scan failure with scan time, and successful ransomware scan with the scan time.
Search and Restore Page- Restore UI
The “Restore Location for Selected File” UI under the Search and Restore feature now also displays the backup DataLock Mode and the status of the ransomware scan run.
Clicking the “Next” button will bring up a “Ransomware Scan” UI, which displays the “DataLock” mode, the previous scan time, and the result of the ransomware scan. It also shows a recommendation to run a ransomware scan before proceeding with the restore process. This scan is optional; the user can uncheck the option to skip the ransomware scan.
Please try it out and let us know. In this blog, we haven’t covered every possible scenario, and we know that you’ll have questions and concerns, so please contact us on Teams Group.