How to recover after a ransomware attack on an ONTAP 9 system.
Recovering a volume on a NetApp ONTAP 9 storage system after a ransomware attack is a critical task. Here are the steps to follow to initiate recovery:
1. Assess the Situation
· Identify Impacted Volumes: Determine which volumes have been affected by the ransomware. Review logs for suspicious activities.
· Isolate Affected Systems: Ensure that infected servers or clients are disconnected from the network to prevent the spread.
2. Check Snapshots
· Access Snapshots: NetApp ONTAP takes scheduled snapshots of your volumes according to their snapshot policy. Check whether snapshots taken before the ransomware attack still exist.
· Review Snapshot Policies: Make sure your snapshot policies are configured to keep a sufficient number of recovery points.
3. Recover from Snapshots
· You can revert the volume to a snapshot taken before the ransomware attack. Use the following command in the ONTAP CLI:
volume snapshot restore -vserver <svm_name> -volume <volume_name> -snapshot <snapshot_name>
Restore the contents of a volume from a Snapshot copy
If the volume has SnapMirror relationships, manually replicate all mirror copies of the volume immediately after you restore from a Snapshot copy. Not doing so can result in unusable mirror copies that must be deleted and recreated.
A. List the Snapshot copies in a volume:
volume snapshot show -vserver SVM -volume volume
The following example shows the Snapshot copies in vol1:
clus1::> volume snapshot show -vserver vs1 -volume vol1
Vserver  Volume  Snapshot                State   Size  Total%  Used%
-------  ------  ----------------------  ------  -----  ------  -----
vs1      vol1    hourly.2013-01-25_0005  valid   224KB     0%     0%
                 daily.2013-01-25_0010   valid    92KB     0%     0%
                 hourly.2013-01-25_0105  valid   228KB     0%     0%
                 hourly.2013-01-25_0205  valid   236KB     0%     0%
                 hourly.2013-01-25_0305  valid   244KB     0%     0%
                 hourly.2013-01-25_0405  valid   244KB     0%     0%
                 hourly.2013-01-25_0505  valid   244KB     0%     0%
7 entries were displayed.
B. Restore the contents of a volume from a Snapshot copy:
volume snapshot restore -vserver SVM -volume volume -snapshot snapshot
The following example restores the contents of vol1 from the daily Snapshot copy listed above:
cluster1::> volume snapshot restore -vserver vs1 -volume vol1 -snapshot daily.2013-01-25_0010
- SnapRestore is one of the fastest methods to restore a volume if the backup data exists as a local Snapshot copy in the volume.
- You cannot use SnapRestore to restore an entire Snapshot to a separate volume.
- If the volume is involved in a SnapMirror relationship, restoring to a Snapshot copy older than the SnapMirror baseline may fail.
- See the NetApp knowledge base article "Snapshot restore fails with error message: Failed to promote Snapshot copy snapshot-name".
- If the restore leaves the source and destination volumes without a common Snapshot copy, the relationship must be re-initialized to a new destination volume.
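The listing and restore steps above leave one decision to the administrator: which snapshot is the newest one that predates the encryption. The following POSIX shell functions, added here as an illustration and not part of the original page or of ONTAP, parse a pasted "volume snapshot show" listing (the constructed sample is the output shown above), pick the newest snapshot in state "valid" taken strictly before a given incident time, and print the matching "volume snapshot restore" command. The incident time format "YYYY-MM-DD_HHMM" and the helper names are assumptions of this example.

```shell
# Constructed sample: the "volume snapshot show" output shown above, as an
# administrator would paste it from the clustershell into a file (not live data).
SNAPSHOT_LISTING='Vserver Volume Snapshot State Size Total% Used%
------- ------ ---------- ----------- ------ ----- ------ -----
vs1 vol1 hourly.2013-01-25_0005 valid 224KB 0% 0%
daily.2013-01-25_0010 valid 92KB 0% 0%
hourly.2013-01-25_0105 valid 228KB 0% 0%
hourly.2013-01-25_0205 valid 236KB 0% 0%
hourly.2013-01-25_0305 valid 244KB 0% 0%
hourly.2013-01-25_0405 valid 244KB 0% 0%
hourly.2013-01-25_0505 valid 244KB 0% 0%
7 entries were displayed.'

# valid_snapshots LISTING: print every snapshot whose State column is exactly
# "valid". Only the first data row carries Vserver and Volume, so the snapshot
# is found by its schedule-style name (prefix.YYYY-MM-DD_HHMM), not by column.
valid_snapshots() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^[a-z]+\.[0-9]+-[0-9]+-[0-9]+_[0-9]+$/ && $(i+1) == "valid")
                print $i
    }'
}

# pick_restore_snapshot LISTING INCIDENT_TIME ("YYYY-MM-DD_HHMM", the first
# encryption seen in the logs): print the newest valid snapshot taken strictly
# before that time, or nothing if every snapshot postdates the incident (then a
# local SnapRestore cannot help and a SnapMirror or backup copy is needed).
pick_restore_snapshot() {
    cutoff=$(printf '%s\n' "$2" | tr -d '_-')        # 2013-01-25_0230 -> 201301250230
    best=''; best_key=0
    for name in $(valid_snapshots "$1"); do
        key=$(printf '%s\n' "${name#*.}" | tr -d '_-')   # strip the "hourly." prefix
        if [ "$key" -lt "$cutoff" ] && [ "$key" -gt "$best_key" ]; then
            best=$name; best_key=$key
        fi
    done
    printf '%s\n' "$best"
}

# restore_command SVM VOLUME LISTING INCIDENT_TIME: the clustershell command to
# run once SnapMirror relationships have been checked (see the notes above).
restore_command() {
    snap=$(pick_restore_snapshot "$3" "$4")
    [ -n "$snap" ] || { echo "no valid snapshot predates $4" >&2; return 1; }
    printf 'volume snapshot restore -vserver %s -volume %s -snapshot %s\n' "$1" "$2" "$snap"
}
```

With an incident first seen at 02:30 on 2013-01-25, the functions select hourly.2013-01-25_0205 and skip the 03:05 and later snapshots, which would restore already-encrypted data.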
· Alternatively, you can create a new volume (a FlexClone) from a snapshot:
Using System Manager (GUI)
Restore after a system attack
1. To restore from the ARP (Autonomous Ransomware Protection) snapshot, skip to step 2. To restore from an earlier snapshot, you must first release the lock on the ARP snapshot:
a. Select Storage > Volumes.
b. Select Security then View Suspected File Types.
c. Mark the files as "Potential ransomware attack".
d. Select Update and Clear Suspect File Types.
2. Display the snapshots in volumes:
Select Storage > Volumes, then select the volume and Snapshot Copies.
3. Select the options icon next to the snapshot you want to restore, then select Clone.
Using the CLI
Clone a new volume from a snapshot after a system attack (the clone is created as a writable RW volume in the same SVM as its parent):
cluster1::> volume clone create -vserver NASSVM -flexclone fc_vol_1 -type RW -parent-vserver NASSVM -parent-volume fv2 -parent-snapshot <snapshot_name> -junction-path <junction_path> -junction-active true -foreground true -comment "Restore after a system attack"
Or: restore a file from a snapshot on an NFS or SMB client
A user on an NFS or SMB client can restore a file directly from a snapshot without the intervention of a storage system administrator.
Every directory in the file system contains a subdirectory named .snapshot that is accessible to NFS and SMB users. The .snapshot subdirectory contains one subdirectory per snapshot of the volume:
$ ls .snapshot
daily.2017-05-14_0013/ hourly.2017-05-15_1106/
daily.2017-05-15_0012/ hourly.2017-05-15_1206/
hourly.2017-05-15_1006/ hourly.2017-05-15_1306/
Each subdirectory contains the files as they were at the time of that snapshot. If a user accidentally deletes or overwrites a file, they can restore it to the parent read-write directory by copying the file from the snapshot subdirectory:
$ ls my.txt
ls: my.txt: No such file or directory
$ ls .snapshot
daily.2017-05-14_0013/ hourly.2017-05-15_1106/
daily.2017-05-15_0012/ hourly.2017-05-15_1206/
hourly.2017-05-15_1006/ hourly.2017-05-15_1306/
$ ls .snapshot/hourly.2017-05-15_1306/my.txt
my.txt
$ cp .snapshot/hourly.2017-05-15_1306/my.txt .
$ ls my.txt
my.txt
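The manual "ls" and "cp" sequence above works for one file once the right snapshot is known. After a ransomware incident the file still exists but is encrypted, so the snapshot must predate the encryption and the damaged copy should be preserved rather than overwritten. The following POSIX shell function, added here as an illustration and not code from the original page or from NetApp, automates that on a client mount; make_sample_mount builds a constructed scratch directory shaped like the .snapshot listing above, because a real export is not available here. The incident time format and the .pre-restore suffix are assumptions of this example.

```shell
# restore_from_snapshot FILE INCIDENT_TIME
# Restore FILE in the current directory from the newest snapshot taken strictly
# before INCIDENT_TIME ("YYYY-MM-DD_HHMM") that still holds a copy of it.
# The damaged live copy is moved aside as FILE.pre-restore rather than
# destroyed, so it stays available as evidence. Prints the snapshot used.
restore_from_snapshot() {
    file=$1
    cutoff=$(printf '%s\n' "$2" | tr -d '_-')          # 2017-05-15_1230 -> 201705151230
    best=''; best_key=0
    for dir in .snapshot/*/; do
        name=${dir#.snapshot/}; name=${name%/}
        case $name in
            *.[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9][0-9][0-9][0-9]) ;;
            *) continue ;;                             # not a schedule-named snapshot
        esac
        [ -f "$dir$file" ] || continue                 # file did not exist in that snapshot
        key=$(printf '%s\n' "${name#*.}" | tr -d '_-')
        if [ "$key" -lt "$cutoff" ] && [ "$key" -gt "$best_key" ]; then
            best=$name; best_key=$key
        fi
    done
    [ -n "$best" ] || { echo "no pre-incident snapshot holds $file" >&2; return 1; }
    if [ -f "$file" ]; then mv "$file" "$file.pre-restore"; fi
    cp -p ".snapshot/$best/$file" "$file"
    printf '%s\n' "$best"
}

# make_sample_mount: constructed stand-in for a client mount, a scratch directory
# whose .snapshot tree mirrors the listing above (not a real ONTAP export).
# The 13:06 snapshot was taken after the encryption, so it holds the bad copy too.
make_sample_mount() {
    mnt=$(mktemp -d)
    for s in daily.2017-05-14_0013 daily.2017-05-15_0012 hourly.2017-05-15_1006 \
             hourly.2017-05-15_1106 hourly.2017-05-15_1206 hourly.2017-05-15_1306; do
        mkdir -p "$mnt/.snapshot/$s"
        printf 'report as of %s\n' "$s" > "$mnt/.snapshot/$s/my.txt"
    done
    printf 'ENCRYPTED' > "$mnt/my.txt"
    printf 'ENCRYPTED' > "$mnt/.snapshot/hourly.2017-05-15_1306/my.txt"
    printf '%s\n' "$mnt"
}
```

With the encryption first seen at 12:30, the function restores my.txt from hourly.2017-05-15_1206 and leaves the encrypted copy in my.txt.pre-restore; the later 13:06 snapshot is skipped even though it is the newest.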
4. Check Data Integrity
· After restoring from snapshots, it's essential to validate the integrity of the data. Check files and applications to ensure they are functioning appropriately.
5. Data Recovery Strategy
· Use Backup Solutions: If snapshots are insufficient, consider using backups from a secondary solution (if available).
· Consider SnapMirror: If you have configured SnapMirror for disaster recovery, you could use it to restore data from a remote site.
6. Enhance Security Measures
· Update Security Protocols: Review and strengthen your security policies to prevent future attacks. This may include tighter access control and better monitoring.
· Regular Backups: Ensure you have a robust backup strategy, including offsite backups.
7. Monitor and Audit
· After recovery, monitor the environment for any unusual activity and perform audits to ensure no remnants of the ransomware remain.
8. Consult with Experts
· If needed, involve your IT security team or external cybersecurity experts to assist with recovery and fortifying infrastructure.
Final Note
Be sure to document all actions taken during the recovery process for future reference and compliance purposes. Consider revisiting your disaster recovery plan to include specific actions against ransomware threats.