NetApp ONTAP Ransomware Protection with Native FPolicy File Blocking

NetApp FPolicy is often associated with external FPolicy servers; however, FPolicy also has a native mechanism to block files by extension.  The same method can be used to block other unwanted file types (MP3, for example), but a user could rename a file to a non-blocked extension before writing it and so circumvent the extension block.

It is good practice to keep local Snapshot copies, replicated Snapshot copies and backups, and also to block known ransomware extensions.  Additionally, you can layer other overlapping security mechanisms such as auditing tools, anti-virus and firewall solutions.

A great reference for additional information is TR-4572.  The technical report lists known ransomware extensions but does not give an example of a native block.  Below are the four steps to set up the native block.

The NetApp Solution for Ransomware


Provisioning Cloud Volumes ONTAP (CVO) through NetApp OnCommand Cloud Manager (OCCM) automates activation of Snapshot copies and native FPolicy blocking.

https://docs.netapp.com/us-en/occm/task_protecting_ransomware.html


Common Ransomware Extensions (not limited to these)

  • .micro, .encrypted, .locked, .crypto
  • .crypt, .crinf, .r5a, .XRNT
  • .XTBL, .R16M01D05, .pzdc, .good
  • .LOL!, .OMG!, .RDM, .RRK
  • .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre
  • ._crypt, Locky, .SUPERCRYPT, .CTBL
  • .CTB2, .WNCRY, .ad4c, .HD

How do you set this up on your ONTAP cluster?

CLI Example to create a native block in 4 steps

1. Create the FPolicy event

fpolicy policy event create -vserver SVM1 -event-name ransomware_block -volume-operation false -protocol cifs -file-operations create,rename,write,rename_dir,read,create_dir,open

2. Create the FPolicy policy (using the event created in step 1)

fpolicy policy create -vserver SVM1 -policy-name ransomware_block -events ransomware_block -engine native -is-mandatory true

3. Create the FPolicy scope (using the policy created in step 2)

fpolicy policy scope create -vserver SVM1 -policy-name ransomware_block -is-file-extension-check-on-directories-enabled true -file-extensions-to-include micro,encrypted,locked,crypto,crypt,crinf,r5a,XRNT,XTBL,R16M01D05,pzdc,good,LOL!,OMG!,RDM,RRK,encryptedRSA,crjoker,EnCiPhErEd,LeChiffre,_crypt,Locky,SUPERCRYPT,CTBL,CTB2,WNCRY,ad4c,HD -volumes-to-include *

4. Enable the FPolicy

fpolicy enable -vserver SVM1 -policy-name ransomware_block -sequence-number 1
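The four steps above, together with the list maintenance described in the Final Note, as an added POSIX shell example (not part of the original post and not NetApp's code): it normalizes an extension list (leading dots stripped, since -file-extensions-to-include takes bare extensions, as in step 3; blanks and duplicates dropped), removes a single extension for the false-positive case, and prints the four clustershell commands so they can be reviewed before being pasted into an ONTAP session.  The SVM name SVM1, the policy name ransomware_block and the extensions are the ones used in the post; the script only prints the commands and does not connect to a cluster.

```shell
#!/bin/sh
# Added example, not from the original post or from NetApp: keep the
# ransomware extension list in one place and regenerate the four ONTAP
# clustershell commands from it.  Commands are printed, not executed.

# stdin: extensions, one per line or comma-separated.  Strips surrounding
# whitespace and a leading dot (the scope takes bare extensions), drops
# blank entries and duplicates.
_fpolicy_norm() {
  tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\.//' \
    | awk 'NF && !seen[$0]++'
}

# Join extensions into the comma-separated value expected by
# -file-extensions-to-include.  Usage: fpolicy_ext_list .micro .locked ...
fpolicy_ext_list() {
  printf '%s\n' "$@" | _fpolicy_norm \
    | awk '{ printf "%s%s", (n++ ? "," : ""), $0 }'
}

# Drop one extension from a list (the ".good" false positive from the
# Final Note).  Usage: fpolicy_ext_remove .good "micro,good,locked"
fpolicy_ext_remove() {
  drop=$(printf '%s\n' "$1" | _fpolicy_norm)
  shift
  printf '%s\n' "$@" | _fpolicy_norm \
    | awk -v d="$drop" '$0 != d { printf "%s%s", (n++ ? "," : ""), $0 }'
}

# Print the event, policy, scope and enable commands for a native block.
# $1 = SVM name, $2 = event/policy name, $3 = extension list from above.
# Refuses an empty list, which would create a scope that blocks nothing.
fpolicy_block_commands() {
  svm=$1; name=$2; exts=$3
  [ -n "$exts" ] || { echo "empty extension list" >&2; return 1; }
  printf 'fpolicy policy event create -vserver %s -event-name %s -volume-operation false -protocol cifs -file-operations create,rename,write,rename_dir,read,create_dir,open\n' "$svm" "$name"
  printf 'fpolicy policy create -vserver %s -policy-name %s -events %s -engine native -is-mandatory true\n' "$svm" "$name" "$name"
  printf 'fpolicy policy scope create -vserver %s -policy-name %s -is-file-extension-check-on-directories-enabled true -file-extensions-to-include %s -volumes-to-include *\n' "$svm" "$name" "$exts"
  printf 'fpolicy enable -vserver %s -policy-name %s -sequence-number 1\n' "$svm" "$name"
}

# Sample run with the extensions from the post, then the same list with
# the customer's legitimate .good telemetry extension removed.
EXTS=$(fpolicy_ext_list .micro .encrypted .locked .crypto .crypt .crinf .r5a .XRNT \
  .XTBL .R16M01D05 .pzdc .good '.LOL!' '.OMG!' .RDM .RRK .encryptedRSA .crjoker \
  .EnCiPhErEd .LeChiffre ._crypt Locky .SUPERCRYPT .CTBL .CTB2 .WNCRY .ad4c .HD)
fpolicy_block_commands SVM1 ransomware_block "$EXTS"
echo "# after removing .good:"
fpolicy_block_commands SVM1 ransomware_block "$(fpolicy_ext_remove .good "$EXTS")"
```

Keeping the extension list in a file under version control and regenerating the commands from it makes the "manual method" caveat from the Final Note less error-prone: each change to the list is reviewed, and the scope command is rebuilt rather than hand-edited.  After pasting the commands into clustershell, fpolicy show -vserver SVM1 confirms the policy is enabled.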

Test the Policy

When a file write of a blocked extension is attempted, the following error occurs.


When an attempt is made to rename an existing .DOC file to a blocked extension, the following error occurs.


Final Note

I had a customer with telemetry data files with a “.good” extension, and they were unable to write files.  We modified the policy scope list to remove that extension.  Since this is a manual method, update the extension list when new known ransomware extensions are identified.