Everyone knows that the quickest way to recover from a ransomware attack is to restore from backup. It sounds simple enough, but the actual restore process can be complex, not to mention slow.

  • Has the backup data also been encrypted?
  • Are the backups that I need still there?
  • How much time will it take to restore the encrypted data?
  • Will restoring the data affect my production workload?

It’s important to answer all of these questions to avoid extended downtime (the real cost of ransomware) during the restore.

 

This is the sixth and final post in a blog series that discusses how you can detect and prevent ransomware by using native NetApp® ONTAP® features, recover quickly from an attack, and avoid paying the ransom. If you missed the previous posts:

  • The first entry covered the objectives of cybercriminals and the largest portion of the cost of a ransomware attack, which is not the ransom.
  • The second entry focused on ONTAP native tools that you can use for early detection of a ransomware outbreak.
  • The third entry took a deep dive into NetApp FPolicy® native mode, which helps prevent most older types of ransomware that are still prevalent today.
  • The fourth entry focused on how to prevent the most modern variants of ransomware, including “zero-day” exploits, by using FPolicy external mode.
  • The fifth entry highlighted the three key steps to successfully recover from a ransomware attack. I highly recommend reviewing it before reading this sixth entry.

This blog post focuses on ONTAP Snapshot™ technology and how it provides very rapid  restores (terabytes in seconds), protects your backups from ransomware encryption, and prevents deletion of valuable backup data. I’ll also show how you can leverage the power of NetApp Snapshot copies throughout your entire ecosystem for things like disaster recovery, data archiving, and data tiering.

 

First, let’s set the baseline about what snapshots are and how they can be very different from one storage vendor to another.

What are snapshots?

A snapshot is simply a point-in-time, read-only copy of your data. It represents exactly what your data looked like at the moment that the snapshot was taken, whether it was hours, days, weeks, months, or even years ago. Because Snapshot copies are read only, they can’t be infected by ransomware. You can appreciate how valuable this is for recovering from ransomware—you can simply restore from a snapshot that was taken before the attack occurred. As with most things, though, the devil is in the details.

 

Although snapshot technology has been around for decades, not all snapshots are created equal. If you’ve ever heard that snapshots are slow or cause performance issues, that may be because the snapshot technology in use was copy-on-write (COW). With COW, whenever there is a change to the active file system data, the original data is moved into a special snapshot area on disk, and the changed data is written back to where the original data was located. This requires a read of the original data and two writes: one write for the original data and another write for the changed data. You can see how this slows things down. When you restore this snapshot, you also need to wait for the original data to be copied from the special snapshot area to the active file system. This can be very time consuming and performance intensive, depending on how much data you are restoring.

 

ONTAP Snapshot copies are quite different.

Advantages of ONTAP Snapshot Technology

ONTAP Snapshot copies use a concept known as redirect-on-write (ROW), which has significant advantages over COW. ONTAP needs to write the new changed block only once and then update the active file system to point to the newly written block. As shown in the following figure, there’s no need to move data when creating a Snapshot copy.

It gets even better when you restore using an ONTAP Snapshot copy. The ONTAP file system simply updates the active file system pointers to reference the original blocks. This leads to restores of terabytes in seconds, because there’s no need for the file system to move the data. It’s incredibly fast. This is what the file system would look like after the restore.

Let’s recap. ONTAP Snapshot copies don’t have a performance penalty, and restoration of your data from a copy is insanely fast. At NetApp, we encourage you to turn on Snapshot copies and use them for backup. It’s part of the ONTAP core design. Since the release of ONTAP 9.4 two years ago, you can take 1,024 copies per volume.

Making ONTAP Snapshots ransomware resilient

Let’s take a look at the best way to use ONTAP Snapshot copies to recover from ransomware.

 

As I mentioned earlier, snapshots are read only and can’t be infected by ransomware. There are a few steps that you can take when implementing snapshots to make sure that they’re always available for recovery.

  • Snapshot retention period. Have an adequate snapshot retention policy to make sure that you’re keeping copies long enough to recover your data. You may not detect ransomware right away, and it has been known to lie dormant. If your snapshot retention period is not long enough, you might have deleted all of your snapshots from before the start of the ransomware infection and be past the recovery window. Ideally, keeping a few months (or more) of snapshots should make it much more likely that you’ll be able to recover from dormant or slow-moving ransomware.
  • Snapshot autodelete: Make sure that snapshot autodelete is turned off. Ransomware creates a high rate of change for your data because it encrypts the file system. The ONTAP file system holds all of the encrypted data plus the original unencrypted data in Snapshot copies. This uses more storage than normal, and volume space begins to fill up. Although snapshot autodelete is a great feature to keep volumes from filling all the way up, during a ransomware attack you would rather have a volume that’s full and still includes recoverable Snapshot copies than a volume with only ransomware-encrypted data and no recoverable copies. You can configure volume autosize to grow volumes that are nearly full to prevent them from filling up. When the volume is nearly full, you can set up an alert using thresholds, as described in the Active IQ Unified Manager 9.7 Workflow Guide for Managing Cluster Health.

You can also prevent snapshots from being deleted by the system by setting the snapshot expiration time. For example, to set the year 2030 as the expiration date for all snapshots on SVM1, this is the command:

 

cluster1::> snapshot modify -vserver SVM1 -volume * -snapshot * -expiry-time “12/31/2030 12:00:00”

 

  • Snapshot autodelete prevents snapshots from being deleted automatically, but they can still be deleted manually by an administrator. This can happen through human error, or a disgruntled employee, or someone maliciously using stolen credentials. This is where NetApp SnapLock® comes into play. SnapLock is NetApp’s write once, read many (WORM) compliance solution that prevents changes to files once they are written and committed to WORM state, making the copies truly immutable. There are two license versions: SnapLock Compliance (SLC) and SnapLock Enterprise (SLE). For ransomware protection, NetApp recommends SLC because it prevents even ONTAP administrators from deleting Snapshot copies and enables you to set the specific retention period during which those copies are locked and cannot be deleted. Learn more about SnapLock in Technical Report TR-4526, Compliant WORM Storage Using NetApp SnapLock.

NOTE: SnapLock is supported only for NAS workloads; it cannot be used with Snapshot copies that contain LUNs.

 

Remember that Snapshot copies are just like traditional backups (although they restore a lot faster) and should be treated like a backup. Make sure that they:

  • Go back far enough (retention period)
  • Can’t be destroyed (turn off autodelete and use SnapLock)

If a ransomware attack occurs and your recovery Snapshot copies are deleted, you should immediately contact NetApp Support. The Support team can recover recently deleted Snapshot copies within a very short timeframe, typically less than 24 hours. To win the battle against ransomware, though, you need to consider more than just maintaining local Snapshot copies for backups.

An ecosystem approach to ransomware recovery

You may have heard someone say, “I have a DR site, so I already have a backup.” However, if your DR site has data replicated to it from the primary site, then after a ransomware attack, you’ll end up with encrypted data at both sites. This is just one example of why you need a comprehensive ecosystem strategy for ransomware recovery. For example, this diagram shows what a typical approach across your organization might look like.

  • SnapMirror® on the primary system is used to send active data and local Snapshot copies to a DR site in a secondary data center.
  • SnapVault® is used to move copies to a local FAS hybrid-flash system with NL-SAS disks for longer-term retention of Snapshot backups on a system that offers lower total cost of ownership (TCO) than the high-performance primary ONTAP cluster.
  • StorageGRID® object storage can be used to tier Snapshot data from both primary and secondary systems for even lower TCO.
  • SnapMirror and SnapVault can additionally be used for replicating data to a cloud environment using Cloud Volumes ONTAP in a public cloud provider (AWS, Microsoft Azure, and Google Cloud).
  • NetApp SnapCenter®, Active IQ®, Unified Manager, and Cloud Manager can all be used to manage your ecosystem simply and efficiently

For more information on SnapMirror and SnapVault, see the Data Protection Power Guide.

 

These features all leverage the power of ONTAP Snapshot technology, ensuring that you have efficient ransomware restoration capabilities, no matter where that data resides throughout your entire ecosystem.

Putting it all together

ONTAP Snapshot technology is just one part of an overall strategy to fight against a ransomware attack and recover quickly. The restore methodology is crucial, but you still need to have a solid detection and prevention strategy, which we covered in blogs 2, 3, and 4.

 

Ransomware will continue to evolve in the future. NetApp is committed to further strengthening our ransomware solutions to help you keep your data safe. Stay tuned to this NetApp blog site as we continue to update you with the latest information about ransomware and what you can do to fight back against it.

 

For more information about the NetApp solution to ransomware, check out our technical report TR-4572: The NetApp Solution for Ransomware. Plus, do you want to learn how you can further protect your organization with NetApp’s leading security portfolio? Check out the ONTAP Security webpage for information on using a data-centric, zero-trust approach to security, evaluating your security readiness, encrypting your data at rest or in flight, and more.

 

This is the final installment of the current blog series on fighting back against ransomware, and I hope that you now feel empowered. You can avoid costly downtime—and you don’t have to pay the ransom when you have a ransomware strategy in place that’s based on the leading capabilities that are built in to NetApp ONTAP.

Matt Trudewind

Now on his 2nd tour at NetApp across 8 years, Matt is a Senior Technical Marketing Engineer with a primary focus on ransomware prevention and recovery as well as portfolio Security. This includes but is not limited to Data Governance, Data Privacy Frameworks, Security Tools, and Security Best Practices. Prior to this role he was a Staff Engineer focused on ONTAP product Supportability specifically in the areas of networking and SMB/CIFS. In between NetApp stints Matt worked with a NetApp partner (Eze Castle Integration) for 7 years as pre sales/post sales storage architect focusing on early 7-mode to cDOT migration. He has also focused on Microsoft Windows Active Directory, Exchange, SQL and VMware during his 21 years of IT experience with 15 of those years coming in the storage industry. Prior to NetApp and ECI, he also worked a contract at Microsoft as a Technical Support Engineer.

Add comment