Nutanix says its Files v4.1 release provides a large spectrum of ransomware protection capabilities for Unified Storage customers, claiming it’s a turnkey anti-ransomware product that will roll out to its current Nutanix Files customers.
Ransomware, it says, will cost businesses around $265 billion annually by 2031, when Cybersecurity Ventures expects a new attack every two seconds. Nutanix Files has integrated ransomware protection and Files 4.1 has ransomware detection and WORM support. A so-called full spectrum of ransomware protection is delivered by Files in conjunction with Nutanix’s Data Lens, a SaaS-based data analytics management plane offering.
We contacted sources close to Nutanix and found out that ransomware detection is based on Nutanix’s own scanner looking through a file system for known ransomware signatures, almost 5,000 of them, obtained from a third-party, crowd-sourced database. If a ransomware pattern is found, alerts can be sent out. Recovery options range from full file system recovery, through recovery of one or more file shares, down to individual file recoveries.
Two other things come into play here. One, there have to be earlier clean versions of files to recover from and, two, there has to be a way of finding the scope of an attack, finding affected files, and deciding what to do. The earlier clean versions of files can be created in three ways:
- SSR (Self-Service Restore) snapshots enabling end-users to access previous read-only versions of their files
- Backups by third parties such as Commvault, HYCU and, soon, Veeam
- Replicas – share-level replication of snapshots between file server instances for disaster recovery
The Data Lens service can look at what individual users are doing with individual files. A ransomware attack will often penetrate a customer’s systems through an email attack and so compromise a particular user and their machine, a laptop or desktop. It will then start encrypting files in that user’s share. This pattern of activity, different from the user’s normal activity level, can be detected through Data Lens by setting up policies to alert admin staff if anomalous behavior happens, such as exceeding a threshold level of file system write access activity in a period of time.
If anomalous patterns are detected, a user can be restricted to read-only file access or even locked out. Alerts can be sent to whoever needs contacting, and Data Lens facilities can be used to size and scope the attack.
The obvious risk here is that you get false positives, but judicious policy-setting can help reduce these.
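To make the threshold policy and its false-positive trade-off concrete, here is an added sketch (not Nutanix code and not the Data Lens API) of a per-user sliding-window write-rate check over file audit events. The event tuple format, the 60-second window, the thresholds and the `restrict_to_read_only` action name are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def sample_events():
    """Constructed audit records (epoch_s, user, op, path); not a Data Lens format."""
    ev = [(1000 + 60 * i, "alice", "write", f"/share/alice/doc{i}.docx") for i in range(10)]
    # bob: 40 files rewritten in 40 seconds, the mass-rewrite pattern of encryption
    ev += [(1300 + i, "bob", "write", f"/share/bob/file{i}.xlsx") for i in range(40)]
    ev.append((1350, "bob", "read", "/share/bob/file0.xlsx"))
    # carol: legitimate bulk save of 12 files, a false-positive candidate
    ev += [(2000 + i, "carol", "write", f"/share/carol/img{i}.png") for i in range(12)]
    return sorted(ev)

def detect_write_bursts(events, window_s=60, max_writes=30):
    """Alert once per user whose write count inside a sliding window exceeds max_writes."""
    recent = defaultdict(deque)  # user -> write timestamps still inside the window
    alerts = {}
    for ts, user, op, _path in events:
        if op != "write" or user in alerts:
            continue
        q = recent[user]
        q.append(ts)
        while q[0] <= ts - window_s:  # drop writes older than the window
            q.popleft()
        if len(q) > max_writes:
            alerts[user] = {"window_start": q[0], "triggered_at": ts,
                            "action": "restrict_to_read_only"}
    return alerts

def scope_attack(events, user, since):
    """List files the user wrote from the start of the alerting window onward."""
    return [p for ts, u, op, p in events if u == user and op == "write" and ts >= since]

if __name__ == "__main__":
    events = sample_events()
    for limit in (30, 10):  # a tighter threshold also flags carol's bulk save
        alerts = detect_write_bursts(events, max_writes=limit)
        for user, a in alerts.items():
            n = len(scope_attack(events, user, a["window_start"]))
            print(limit, user, a["action"], "at", a["triggered_at"], "files:", n)
```

With the looser threshold only the burst from bob alerts; tightening it to 10 writes per minute also flags carol's legitimate bulk save, which is the false-positive cost of an aggressive policy.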
Nutanix and its customers are relying on skilled admin staff setting up policies and procedures that reflect an organization’s structure, culture, and risk level. Nothing is 100 percent foolproof; risk reduction is what’s being offered here.
There isn’t a dedicated anti-ransomware structure within Data Lens – no anti-ransomware module as it were. Instead its features can be used, in conjunction with file system scanning, to provide a system that can detect ransomware attacks and help the user recover from them by restoring last known good versions of files.
Data Lens looks at all the storage options in Nutanix’s Unified Storage and we can expect that the features in Files 4.1 will be rolled out as appropriate to Nutanix Volumes (block) and Nutanix Objects.