Mitigating the Ransomware Risk with Netwrix Auditor for NetApp

All known ransomware attacks, including Cryptolocker in 2013-2014 and Wannacry in 2017, follow the same pattern: The ransomware gets into the system by tricking a user with malvertisements or phishing emails. By exploiting system vulnerabilities, it takes over the user’s account, and then it encrypts all the files it can reach using the account’s privileges, both on the local computer and on any accessible shared storage.

Understanding this pattern reveals several things you can do on the data management side to mitigate the risk of ransomware before, during and after an attack.

Proactively Minimizing Your Attack Surface

Since ransomware works by taking over a user’s account, it can encrypt only the files that user has permissions to change. Therefore, the first step in ransomware protection is to limit the damage any user account can do by assigning permissions strictly on a need-to-know basis. This is called the least-privilege principle, and it was established as a security best practice long before ransomware came on the scene.

Netwrix Auditor for NetApp reports on permissions granted to shared resources and spots excessive access permissions that can be painlessly taken away from users in order to reduce your attack surface.

Excessive Access Permissions report from Netwrix Auditor: Account, Permissions, Means Granted and Time Accessed

Identifying Attacks in Progress and Limiting the Damage

Once it is on your NetApp, ransomware will quickly encrypt all files it can get to using the victim’s account. To be able to respond in time to limit the damage, you need to constantly look for signs of ransomware activity, such as a massive number of changes to files on your NetApp filers, including those running NetApp Data ONTAP, performed by one user within a short period of time.

Netwrix Auditor for NetApp provides intelligent reports that help you spot anomalous spikes in file activity and pinpoint the user accounts behind them. You can even get notified about suspicious activity patterns by setting up custom threshold-based alerts.

Netwrix Auditor Alert on Possible WannaCry ransomware activity

The reports and alerts both provide the details you need, including the name of the user account and the workstation, to quickly isolate the compromised account from your network and thereby prevent the ransomware from doing further damage.

Recovering from an Attack Faster and with Less Effort

Recovering from a ransomware attack, even one that is only partially successful, can be exhausting — unless you have a tool that can do much of the work for you. Netwrix Auditor makes it easy to determine the scope of damage so you know exactly which files to restore. Simply use the Interactive Search feature to create a custom report showing certain activity, such as removed, renamed and modified events, performed by the victim’s account during the timeframe of the attack. Restoring just the data that was affected will take less time and be less disruptive to the business than restoring a full backup.

Interactive Search feature from Netwrix Auditor: Who, Object type, Action, What, Where and When