AWS Storage Blog

Protecting data against ransomware with Amazon FSx for NetApp ONTAP

Imagine running a large business with critical data stored on your servers. One day, your systems get hit by ransomware, leaving your data encrypted and inaccessible. The bad actor demands a hefty ransom to provide the decryption key. Paying the ransom doesn’t guarantee that you can get your data back, and not paying might mean losing that critical data forever. This is not a position any business wants to be in.

Fortunately, if you’re using Amazon FSx for NetApp ONTAP, you can use features such as Snapshots, SnapLock, and the FPolicy to provide additional layers of protection for your data and recover quickly.

In this post we will cover FSx for NetApp ONTAP features including; FPolicy Native mode, External mode, Snapshot, and SnapLock in FSx for ONTAP which provides a robust defense against ransomware, facilitating both data recovery and protection. We will also learn how these features can help shield you against ransomware threats.

Understanding ransomware and data protection

Ransomware is a type of malicious software that encrypts a victim’s files or locks them out of their system, demanding a ransom payment for the decryption key or system access. This can have devastating effects on businesses, especially those without an effective data protection strategy in place. To improve cybersecurity risk management, we can reference NIST Cybersecurity Framework and the five key pillars: Identify, Protect, Detect, Respond, and Recover.

In this post, we discuss how the features and integration of FSx for ONTAP can align with the key pillars. In particular we focus on Protect, Detect, Respond, and Recover. Table: 1 provides an overview of FSx for ONTAP features and integrations aligned to the NIST Cybersecurity Framework.

FSx for ONTAP features and integrations aligned to NIST Cybersecurity FrameworkTable 1: FSx for ONTAP features and integrations aligned to the NIST Cybersecurity Framework

What is FPolicy?

NetApp FPolicy is a framework designed to notify file access. This allows administrators to monitor file interactions over Server Message Block (SMB) and NFS v3 and v4.0. FPolicy operates in two modes: Native and External.

FPolicy Native Mode introduction

Native FPolicy’s File Blocking feature enables the creation of denylists or allowlists for specific file types. This feature becomes invaluable when dealing with known ransomware that use particular file extensions after encrypting data. A case in point is the WannaCry virus (.wncry). Native FPolicy can block these files from being stored on the storage system with a denylist.

Prerequisites

To use FPolicy Native Mode, you should have basic knowledge of ONTAP and administrative access to your FSx for ONTAP file system. You should also have access to at least one storage virtual machine (SVM), with at least one volume or share under the SVM for testing. You should also have access to a Secure Shell (SSH) console to manage the file systems using the NetApp ONTAP CLI.

Steps for creating a denylist

The following example shows how to create a denylist from the command line interface (CLI).

This example uses an SVM named svm02-cifs that has joined an Active Directory and a Common Internet File System (CIFS) volume named vol_fp

1. Create a new FPolicy event and specify the SVM that it runs against, the file protocol (NFS or SMB/CIFS), and the types of file operations to which it applies.

FsxIdXXXX::> vserver fpolicy policy event create -vserver svm02-cifs -event-name denylist -protocol cifs -file-operations create,open,write,rename
 

FsxIdXXXX::> vserver fpolicy policy event show -vserver svm02-cifs -event-name denylist -instance

                            Vserver: svm02-cifs
                              Event: denylist
                           Protocol: cifs
                    File Operations: create, open, write, rename
                            Filters: -
Send Volume Operation Notifications: false

2. Create a new policy and direct it to use the event that you created in Step 1. Also specify which FPolicy engine (Native or External) to use.

FsxIdXXXX::> vserver fpolicy policy create -vserver svm02-cifs -policy-name block_ext -events denylist -engine native

FsxIdXXXX::> vserver fpolicy policy show -vserver svm02-cifs -instance -policy-name block_ext

                        Vserver: svm02-cifs
                         Policy: block_ext
              Events to Monitor: denylist
                 FPolicy Engine: native
Is Mandatory Screening Required: true
        Allow Privileged Access: no
User Name for Privileged Access: -
    Is Passthrough Read Enabled: false

3. Assign the file scope. Specify in ONTAP which file extensions to block (in this case, the WannaCry virus and the extension .wncry, as well as .encrypted, .mp3, and .mp4). Furthermore, specify the policy to which it applies and which file shares or exports to include in the policy. The following case specifies all shares to be included with “*” to apply the policy to all shares using the SMB/CIFS protocol. For the NFS protocol, you use “volumes-to-include”.

FsxIdXXXX::> vserver fpolicy policy scope create -vserver svm02-cifs -policy-name block_ext -file-extensions-to-include wncry,encrypted,mp3,mp4 -shares-to-include "*" 
FsxIdXXXX::> vserver fpolicy policy scope show -vserver svm02-cifs -instance -policy-name block_ext
                   Vserver: svm02-cifs
                    Policy: block_ext
         Shares to Include: *
         Shares to Exclude: -
        Volumes to Include: -
        Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: wncry, encrypted, mp3, mp4
File Extensions to Exclude: -

4. Enable the policy and place the appropriate priority if you’re configuring multiple policies.

FsxIdXXXX::> vserver fpolicy enable -vserver svm02-cifs -policy-name block_ext -sequence-number 1

FsxIdXXXX::> vserver fpolicy show -vserver svm02-cifs
                                      Sequence
Vserver       Policy Name               Number  Status   Engine
------------- ----------------------- --------  -------- ---------
svm02-cifs    block_ext                      1  on       native

5. Verify the configuration by using the vserver fpolicy policy scope.

FsxIdXXXX::> vserver fpolicy policy scope show -vserver svm02-cifs -instance -policy-name block_ext

                   Vserver: svm02-cifs
                    Policy: block_ext
         Shares to Include: *
         Shares to Exclude: -
        Volumes to Include: -
        Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: wncry, encrypted, mp3, mp4
File Extensions to Exclude: -

6. Test the behavior by creating or renaming the file to .encrypted or other denied extensions, and also by moving files with denied extensions from another location to the share.

The expected behavior is an access denied error to prevent this type of action from being completed, as shown in the following Figures 1/2/3.

Figure 1: Access denied error message

Figure 1: Access denied error message

igure 2: Dragging and dropping unwanted file into the share

Figure 2: Dragging and dropping unwanted file into the share

Figure 3: Access denied error for dragging and dropping

Figure 3: Access denied error for dragging and dropping

Use cases of FPolicy Native mode

FPolicy can be useful in multiple situations. For example, you can gather and apply a list of ransomware extensions to a denylist. This allows FPolicy to help prevent the ransomware from spreading.

On the other hand, if you know exactly what types of files should be in your NFS exports or SMB/CIFS shares, then you can set up an allowlist. For example, if a share should only contain .pdf files, then you can allow only the .pdf extension and block all others. This makes the share resistant to ransomware that changes file extensions after encrypting files.

To achieve the allow list, you can use -file-extensions-to-include "*" with -file-extensions-to-exclude pdf to allow only the excluded file extensions to be “create,open,write,rename” to the shares.

FsxIdXXXX::> vserver fpolicy policy event create -vserver svm02-cifs -event-name allowlist -protocol cifs -file-operations create,open,write,rename
FsxIdXXXX::> vserver fpolicy policy create -vserver svm02-cifs -policy-name allow_ext -events allowlist -engine native
FsxIdXXXX::> vserver fpolicy policy scope create -vserver svm02-cifs -policy-name allow_ext -file-extensions-to-exclude pdf -file-extensions-to-include "*" -shares-to-include "*"
FsxIdXXXX::> vserver fpolicy enable -vserver svm02-cifs -policy-name allow_ext -sequence-number 1

FPolicy External mode

In addition to the FPolicy Native mode, FPolicy External mode integrates with an FPolicy server that operates externally to the FSx for ONTAP file system. The capability of the third-party FPolicy server is different per product (e.g. NetApp Cloud Insights Storage Workload Security, Varonis DatAdvantage, etc.). Typically, the integration is particularly useful in ransomware protection due to its ability to use Advance Threat Detection and User Behaviour Analytics (UBA), powered by artificial intelligence (AI) and machine learning (ML), to stop ransomware events without previous knowledge of the ransomware extension. These products typically also provide capability on automated responses by blocking malicious users or accounts and initiating additional snapshot copies. These contribute to the “Detect” and “Respond “in the NIST framework. To learn more about the capability of different products, visit the product pages.

What is a snapshot?

FPolicy Native and External mode allows us to enhance protection against ransomware that relies on file extensions to operate. We also set up detective measures so that we can monitor suspicious user and storage behavior. However, applying protective and detective measures are not enough. Therefore, we always recommend the user has a recovery measure, such as Snapshots.

A snapshot is a point-in-time copy of a volume. Snapshots in FSx for ONTAP are a fast and space-efficient way to protect data from accidental deletion, modification, and ransomware events. This is particularly useful because it minimizes data loss and reduces the recovery time.

  • Quick and negligible performance penalty: Snapshots are created almost instantly with a concept known as redirect-on-write (ROW). You can create a snapshot within seconds without affecting your system’s performance.
  • Reduced downtime: Since snapshot data resides within the same file system, data recovery is fast and does not require data movement. This permits the restoration of extensive amounts of data, even terabytes, in a matter of seconds, thus decreasing your business’ downtime.
  • Cost-efficient: Snapshots provide a cost-efficient way to protect your data. Only the parts of the data that have changed since the last snapshot take up storage space. This enables you to create multiple point-in-time copies of the same volume with little impact on storage consumption.
  • Self-service restoration: Snapshots empower users with the ability to view and restore specific files or folders from a previous point in time. This allows for a reversal of changes and comparison between file versions. In case of a system failure, data can quickly be restored to a previous snapshot, thus minimizing data loss. To learn more about how to restore data from a snapshot, see the official AWS documentation.

Protecting FSx for ONTAP Snapshots from malicious and accidental deletion

Snapshots play a critical role in point-in-time recoveries, thus it’s essential to safeguard them from being tampered with during a ransomware event. Although snapshot copies are read-only and immune to ransomware tampering, they could still be deleted. Therefore, we need to take precautions to avoid accidental and malicious deletion of the snapshots. The following settings can help secure your snapshots:

1. Snapshot Retention Period within Snapshot Policies

The default Snapshot Policy maintains six hourly snapshots, two daily snapshots, and two weekly snapshots. If a ransomware infection is detected too late, it might have begun its activity two weeks ago, thus affecting all existing snapshots. Therefore, maintaining an appropriate snapshot retention policy is crucial. For guidance on creating custom snapshot policies, you can refer to this post and the official AWS documentation.

2. Disable Snapshot autodelete

An autodelete policy can be established to automatically delete snapshots when the amount of available space in your volume is running low. Although this can be beneficial for space management, snapshots can be deleted unintentionally. To avert this, make sure that the Snapshot autodelete feature is either disabled or configured to trigger based on ‘Snapshot reserve’ (snap_reserve).

3. SnapLock helps prevent manual snapshot deletion

SnapLock can be used to guard against the manual deletion of snapshots by an administrator due to human error, rogue admin activity, or stolen credentials. SnapLock protects your files by transitioning them to a WORM state, which helps prevent modification or deletion for a specified retention period. With SnapLock Compliance, files transitioned to WORM on a Compliance volume cannot be deleted until their retention periods expire, even by privileged users. This creates an immutable volume that helps prevent files and snapshots from being modified or deleted. For more information about SnapLock, visit the official AWS documentation on SnapLock.

Conclusion

Using the combined power of FPolicy Native mode, External mode, Snapshot, and SnapLock in FSx for ONTAP provides a robust defense against ransomware, facilitating both data recovery and protection. The FPolicy Native mode allows you to establish Allow/Deny lists for file extensions, thereby minimizing unwanted files from populating the volume. The FPolicy External mode enables integration with third-party solutions that monitor user and storage anomalies and initiate automated responses. And finally, snapshots enable the creation of multiple point-in-time recovery points, offering the capability to rapidly restore data.

We’ve discussed strategies and factors that influence snapshot availability. It’s crucial to maintain a sufficient number of snapshots through an adequate snapshot retention policy and to safeguard these snapshots from accidental deletion with appropriate settings for Snapshot autodelete and SnapLock.

Employing these features can enhance an organization’s ability to secure its data and expedite recovery in the event of a ransomware event, thus aligning to the NIST Cybersecurity framework. To learn more about these features, visit the official AWS documentation section on protecting your data and the NetApp ONTAP command docs regarding FPolicy.

Benjamin Hui

Benjamin Hui

Benjamin Hui is a Solutions Architect specializing in Financial Services and Quantitative Trading customers. He collaborates with financial institutions to design and architect resilient and high-performance solutions. With a background in data storage and digital banking, Benjamin has extensive experience in designing and implementing cloud-native solutions for FSIs, including banks, FX brokers, high-frequency traders, and market makers. He focuses on delivering tailored cloud solutions to meet the unique needs of his customers.