Get Rid Of Ransomware: The NetApp holistic approach to ransomware recovery

ATechCom HK
9 min read · Feb 14, 2022

As with any security incident or ransomware attack, there will be a before, during, and after. In the world of data protection, there is a lot of focus on recovery, especially recovering encrypted virtual machines from backups.

Here comes the final stage of our ransomware protection series: Phase 3, Recover.

Ransomware Recovery

In this article, I will cover what happens after a ransomware attack. Hopefully, you are prepared to “detect” and “protect” against an attack by following the necessary ransomware recovery steps. Here, I’ll discuss the next steps for when you’re back online: minimizing overall costs to your organization, reducing reputational damage and alerting the right people. Let’s focus on how we remediate, how Cloud Insights supports forensics for data breaches and audits, and how ONTAP provides rapid recovery capabilities.

What is ransomware recovery?

Ransomware data recovery is the process of bringing IT systems back online after a ransomware attack. Recovery can be simple, and it can follow many of the existing disaster recovery processes you have today, provided your disaster recovery plan is well documented and thoroughly tested.

In the event of a ransomware attack, an effective response plan can mean the difference between panic and decisive action. This can mean the difference between a controlled incident and a company-wide infection; the difference between a permanent shutdown and quick remediation.

Generally, people’s first reaction to a ransomware attack may be to restore their data immediately. The point is, if you want to stop the chance of reinfection and not waste your precious time, you have to take extra steps to make sure the ransomware doesn’t come back. Therefore, here are three steps to remediate your environment from ransomware infection with NetApp ONTAP.

Three effective steps to remediate your environment properly and holistically from ransomware infection with NetApp.


Ransomware Recovery Step 1 — Contain/Isolate

Let’s walk through the whole ransomware process step by step. It usually starts with someone mistakenly clicking on a malicious link, which leads to the installation of ransomware. This always happens on the client side! After installation, the ransomware encrypts the local file system and then continues to spread to any file share it can find throughout the network.

To contain the outbreak, you must identify and isolate infected clients by disconnecting from the network.

To identify infected clients, you can use whatever means you typically use to monitor file share access. For SMB shares, we suggest the Microsoft Management Console (MMC) plug-in with ONTAP; for NFS shares, there are two CLI options that can be used for monitoring access on an ONTAP system. To clean up the infection and move to the next step, it is recommended that you use antivirus and antimalware software. Read more in “Microsoft Management Console (MMC) plug-in with ONTAP for SMB shares” and “Using Windows MMC with ONTAP”.


Ransomware Recovery Step 2 — Prepare/Patch

Preparation is crucial. Beyond the mistaken click on the client, the ransomware used known vulnerabilities to get installed and start causing issues in the first place. Patches are often available for these vulnerabilities, yet many systems remain unpatched because the patches have not been applied to client computers. In this preparation phase, the key is to remove and clean the infection and to patch the client as soon as the vulnerability is discovered and a patch is available.

If you were to disconnect and clean infected clients, but not patch them, the client system would most likely be re-infected with the same ransomware very quickly. That’s why it’s critical to remove and clean the infection and patch the client once a vulnerability is discovered and a patch is available.


Once you’ve run steps 1 and 2 in parallel, the client machines are cleaned and patched, and the systems are unlikely to be reinfected with the same ransomware very quickly. You can put them back on the network, which takes you back to where you were before the infection.


Ransomware Recovery Step 3 — Recover/Restore

The final step is to recover data that has not yet been infected. You may choose to perform this step earlier if you want to quickly get your data back online.

For example, if encrypted data is critical to your business operations and if you can quickly isolate all infected clients from the network, it might make sense to restore data as soon as possible before cleaning and patching those clients.

During this recovery step, it is critical to identify backups that are not infected with ransomware, which can cost a lot of time. However, if you are using NetApp ONTAP Snapshot™ copies, you only need to restore the data once because those snapshots are read-only and unaffected by ransomware.

Ransomware Recovery: ONTAP recovery capabilities

After performing these three steps, you can recover your data safely and successfully. During these recovery steps, it is critical to identify backups that are not infected with ransomware, which can cost a lot of time.

While many other vendors use copy-on-write snapshots, ONTAP Snapshot copies are different. If you’re using NetApp ONTAP Snapshot™ copies, you only need to restore your data once because these snapshots are read-only and unaffected by ransomware. Let’s take a look at the significant value that NetApp snapshots can provide compared to backup and recovery solutions from other vendors.

ONTAP Snapshot™ recovery in seconds


Everyone knows that the fastest way to recover from a ransomware attack is from a backup. It sounds simple, but the actual recovery process can be slow and complicated. The larger the amount of data encrypted by a ransomware attack, the longer the recovery process will take before you can regain access to all of your data.

Snapshot copies

To avoid the real cost of ransomware, which is your downtime, you can leverage the power of Snapshot copies across your ecosystem for disaster recovery, data archiving, and data tiering. ONTAP snapshot technology is different, and it is the key to delivering fast recovery. Snapshot copies use file pointers, so you can restore terabytes of data in seconds.

This approach makes them ideal for fast recovery in NetApp file systems, providing you with tremendous value compared to backup and recovery solutions from other vendors. It also helps prevent valuable backup data from being deleted and protects your backups from ransomware encryption. For more information on the NetApp snapshot, please read Ransomware Protection: How would NetApp provide protection after ransomware being detected.

ONTAP Snapshot™ Resilient Retention Period

An appropriate snapshot retention policy is a value-added feature that you can employ when implementing snapshots to ensure that they are always available for recovery.

NetApp snapshots are read-only and cannot be infected by ransomware. However, you need to keep copies long enough to recover your data, because ransomware is known to go dormant. While the ransomware is hibernating, all snapshots taken before the infection started may have been deleted because your snapshot retention period was not long enough, so the recovery window is exceeded. A proper snapshot retention policy allows you to keep snapshots for months (or longer) and makes you more likely to recover from hibernating or slow-moving ransomware.
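The retention argument above can be checked with a small model. This is an added example, not NetApp code: the two policies, the date and the 21-day dormancy are constructed sample values, and snapshots are assumed to be taken exactly on schedule.

```python
from datetime import datetime, timedelta

# Constructed sample policies: schedule name -> (interval, copies kept).
SHORT_POLICY = {
    "hourly": (timedelta(hours=1), 6),
    "daily": (timedelta(days=1), 2),
    "weekly": (timedelta(weeks=1), 2),
}
# Same policy plus six monthly copies (assumed 30-day interval).
LONG_POLICY = dict(SHORT_POLICY, monthly=(timedelta(days=30), 6))

NOW = datetime(2022, 2, 14, 12, 0)   # constructed "attack noticed" time
DORMANCY = timedelta(days=21)        # constructed: ransomware sat idle 21 days


def recovery_window(policy):
    """Age of the oldest snapshot the policy still retains."""
    return max(interval * keep for interval, keep in policy.values())


def retained_snapshots(policy, now):
    """Timestamps of the snapshots still on the volume, newest first."""
    stamps = set()
    for interval, keep in policy.values():
        for n in range(1, keep + 1):
            stamps.add(now - n * interval)
    return sorted(stamps, reverse=True)


def newest_clean_snapshot(policy, now, infection_start):
    """Newest retained snapshot taken before the infection began.

    Returns None when every pre-infection snapshot has already aged out,
    i.e. the recovery window was exceeded.
    """
    for taken_at in retained_snapshots(policy, now):
        if taken_at < infection_start:
            return taken_at
    return None


if __name__ == "__main__":
    infected = NOW - DORMANCY
    for name, policy in (("short", SHORT_POLICY), ("long", LONG_POLICY)):
        clean = newest_clean_snapshot(policy, NOW, infected)
        print(name, "window:", recovery_window(policy), "restore point:", clean)
```

With the short policy every retained copy was taken after the infection began, so the function returns None; the monthly copies in the long policy leave a restore point from before it.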

Controllable Snapshot Auto-Deletion

NetApp ONTAP allows you to turn off automatic snapshot deletion. Automatic deletion of snapshots is normally a useful feature that prevents volumes from filling up. However, during a ransomware attack, you would rather have a volume that is full and still contains a recoverable Snapshot copy than a volume that holds only ransomware-encrypted data and no recoverable copies. Controlled snapshot auto-deletion prevents snapshots from being automatically deleted.


NetApp SnapLock Provides WORM Immutable Storage

Even though NetApp ONTAP allows you to turn off automatic snapshot deletion, administrators can still delete snapshots manually. This can happen through human error, or through malicious action such as someone using stolen credentials or a disgruntled employee. That’s where NetApp’s SnapLock® write-once, read-many (WORM) compliance solution comes into play. Once a file is written and committed to WORM state, SnapLock prevents changes to the file and makes the copy truly immutable. Please read our last article for more information on NetApp SnapLock®.


Active IQ Unified Manager — Ransomware protection best practices

NetApp Active IQ plays a role in ransomware protection.

Active IQ Unified Manager can help you prevent snapshots from being deleted by the system by setting the snapshot expiration time. In ransomware recovery, the ONTAP file system saves all encrypted data as well as the original unencrypted data in a Snapshot copy. This uses more storage space than normal and the volume space starts to fill up. You can configure automatic volume resizing to increase volumes that are almost full to prevent them from filling up. Additionally, you can use thresholds to set alerts when volumes are nearly full to keep everything safe.

Not only does Active IQ help close security breaches, but it also provides insights and guidance on ransomware protection. There is a dedicated health card showing the actions required and the risks addressed, so you can be sure your system complies with these best practice recommendations. In this way, Active IQ helps ensure that your NetApp systems comply with best practices for fighting ransomware.

You may also want to read about how NetApp Active IQ detects ransomware.

Conclusion: NetApp ONTAP® holistic approach to the whole ransomware recovery

It’s clear that ransomware is constantly evolving. Just as defense methods have improved, so have attack methods and vectors.

Using a portfolio of solutions that includes partners and third parties provides us with a layered defense. The NetApp solution differs from traditional solutions by providing a variety of effective ransomware detection and ransomware recovery tools. It helps you understand, detect, and fix ransomware without costly downtime. Let’s review how NetApp ONTAP® provides an integrated approach to overall ransomware recovery.


Storage: NetApp ONTAP

  • NetApp snapshot technology. A Snapshot copy is a read-only image of a volume that captures the state of a file system at a point in time. These copies don’t take up a lot of storage space. In the event of an attack, volumes can be rolled back using Snapshot copies taken before infection.
  • NetApp FPolicy technology. When an unauthorized operation is attempted on a file with a disallowed extension, FPolicy blocks the operation.
  • NetApp SnapRestore technology. SnapRestore data recovery software is useful for recovering from data corruption or just recovering file contents. This efficient recovery process helps bring the business back online quickly.
  • NetApp SnapLock technology. Files in SnapLock are stored in a non-erasable, non-rewritable state and cannot be deleted until the retention period expires. A user’s production data can be mirrored or stored to SnapLock volumes via NetApp SnapMirror or SnapVault technologies, respectively.
  • NetApp SnapCenter technology. SnapCenter provides an easy-to-use enterprise platform to securely orchestrate and manage data protection across applications, databases, and file systems. It makes it easier and faster to restore applications to a consistent state.

About ATech Communication (HK) Limited

ATech is a leading IT service provider in Hong Kong. Do you want to learn how you can further protect your organization with ATech’s leading IT solution? Check out our IT solutions webpage to email our experts for a free consultation.


