CryptoSpike - NetApp Ransomware Protection
Most ransomware attacks happen when files get compromised, and your NetApp file shares are among the most vulnerable parts of your organization. File shares are where end users meet the data center most directly, and most ransomware comes through the front door via interaction with end users.

CryptoSpike was designed to work with NetApp ONTAP file systems, monitoring every action your users take to protect you from vulnerability to ransomware. As part of the ransomware monitoring, CryptoSpike also provides a user and file audit trail.

RestoreManager - NetApp File Catalog
Many IT admins have had their day ruined by users asking a simple question: “Where did my file go?” It’s a common request: users delete files by mistake, drag and drop them into the wrong sub-directory, overwrite a new file with an old one, and so on.

It’s easy to understand the problem, but not so easy to solve it. In NetApp file environments, there is no central file catalog that lets you easily find and restore one or more files. All you can do is spend time looking for the file needle in the storage haystack, or – as often happens – simply deny the recovery request.

How CryptoSpike Works
CryptoSpike uses a multi-pronged approach to detect ransomware.

It begins with a Block List that includes thousands of ransomware file endings or names. Updates are made every day and downloaded to the CryptoSpike server.

The Pass List is a set of allowed file extensions, such as .doc or .pdf. If a new, unknown file ending is detected, it is blocked. The initial pass list is generated via a scan of your current files.

The most important component is the Learner module. The Learner tracks user behavior and determines allowable file transactions (e.g. read, write, open). If any anomalous behavior is detected, the user is blocked. For example, if User A suddenly writes to dozens of files in a few seconds, this behavior is recognized as outside of normal patterns, and the user’s write access is blocked.

Different strategies can be applied at different levels in the file hierarchy. One policy can be applied across the NetApp cluster, or different policies can be applied at the level of Storage Virtual Machine or even file share. For instance, you may put different file types on the pass list for a developer share than for a marketing share. This multi-technology approach helps you tighten your NetApp security, decreasing vulnerability.

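The layered checks described above, sketched as an added example (this is not CryptoSpike code): a block list, a per-share pass list, and a write-burst check that sets a user to read-only. The list entries, share names, thresholds and the `ShareMonitor` class are constructed assumptions, and a fixed sliding-window threshold stands in for the Learner's learned baseline.

```python
import os
from collections import defaultdict, deque

# Constructed sample data: not real CryptoSpike lists or thresholds.
BLOCK_LIST = {".locked", ".encrypted"}
POLICIES = {  # one policy per file share
    "marketing": {"pass": {".doc", ".pdf"}, "max_files": 24, "window": 5.0},
    "dev": {"pass": {".doc", ".pdf", ".py"}, "max_files": 24, "window": 5.0},
}


class ShareMonitor:
    def __init__(self, policies, block_list):
        self.policies = policies
        self.block_list = block_list
        self.recent = defaultdict(deque)  # user -> (timestamp, path) of recent writes
        self.read_only = {}               # user -> files touched in the burst

    def check(self, ts, user, share, op, path):
        """Return (verdict, reason) for one file event."""
        if op != "write":
            return "allow", "not a write"
        if user in self.read_only:
            return "deny", "user is read-only"
        policy = self.policies[share]
        ext = os.path.splitext(path)[1].lower()
        if ext in self.block_list:
            return "deny", "extension on block list"
        if ext not in policy["pass"]:
            return "deny", "extension not on pass list"
        writes = self.recent[user]
        writes.append((ts, path))
        # Drop writes that have fallen out of the sliding window.
        while writes and ts - writes[0][0] > policy["window"]:
            writes.popleft()
        files = {p for _, p in writes}
        if len(files) > policy["max_files"]:
            self.read_only[user] = sorted(files)  # candidates for targeted restore
            return "deny", "write burst, user set to read-only"
        return "allow", "ok"


def run_constructed_demo():
    mon = ShareMonitor(POLICIES, BLOCK_LIST)
    out = [mon.check(0.0, "alice", "dev", "write", "/dev/tool.py"),
           mon.check(0.1, "alice", "marketing", "write", "/mkt/tool.py"),
           mon.check(0.2, "bob", "marketing", "write", "/mkt/plan.doc.locked")]
    # Constructed burst: 30 distinct files in 3 seconds from one user.
    out += [mon.check(1 + i * 0.1, "carol", "marketing", "write", f"/mkt/f{i}.doc")
            for i in range(30)]
    return mon, out
```
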
How RestoreManager Works

RestoreManager creates a central file index of every NetApp snapshot, giving you a single catalog-based view into your files. You can search snapshots using multiple criteria, restore files and folders with a single click, and see detailed file analytics. RestoreManager indexes both primary and secondary storage, because primary snapshots are usually only maintained for a few days. By also indexing SnapMirror and SnapVault destination volumes, you can find older versions of files that have been moved off your primary storage.

Immediately after a new Snapshot of a volume has been generated, RestoreManager uses the SnapDiff API to gather the relevant metadata from the files and folders and loads this data into its central database. Searching is now easy with this central index in place. A single click restores the files you find to a specific folder or to their original location.

Additional CryptoSpike Features

File Audit Trail

With CryptoSpike, you can easily examine user behavior down to the level of files and folders. Reports will show you user activity in terms of file opens, closes, deletes, writes and so on. This provides you with definitive information that a volume, folder, file, etc. was accessed by a given user.

Alarms and Real-Time Blocking

CryptoSpike works together with the NetApp FPolicy server to enforce the blocking decisions made by CryptoSpike. If ransomware is detected by the Learner module, the relevant user is switched to read-only access, which stops them from further spreading the ransomware. CryptoSpike lets you know which files have been affected, allowing you to do targeted recoveries, rather than having to roll back an entire folder or more.

IT security can then be alerted about the infected user and suitable steps taken to disinfect their system.

Additional RestoreManager Features

Flexible Choice of Indexing Strategy

RestoreManager can selectively index primary systems only, secondary systems only, or both. The choice is up to you and it depends on your file recovery requirements.

Solution Architecture

RestoreManager supports all versions of the ONTAP operating system for NetApp primary storage systems. For NetApp SnapVault and SnapMirror targets, RestoreManager works with ONTAP and NetApp Cloud Backup.

RestoreManager uses the Elasticsearch database, an open source solution that has excellent scalability, performance, load balancing and availability.

Data Analytics

RestoreManager also includes a full Kibana dashboard for creating data analytics reports. Data reporting is included at no additional cost.