Correct configuration of Nasuni Access Anywhere (NAA) with Nasuni Ransomware Protection (NRP) is key in identifying and isolating users compromised by ransomware. NRP’s Incident Mitigation policy automatically blocks IP addresses – including NAA servers – identified as the source of a ransomware attack from connecting with your Nasuni Edge Appliance. Thus, other users and applications of the NAA servers might also be blocked. Follow these steps to isolate the compromised user, restore your data, and get your team back on track safely with just a few clicks.
Getting Started with Settings
Tip: Cloud Sync use cases may require adjustments to the default thresholds because these workloads can involve many files being created in a short period of time when a synchronization occurs. Nasuni recommends starting with the default Incident Creation Confidence Level and only adjusting it if Incidents are generated by legitimate Cloud Sync operations.
In NAA, enable or edit audit events. Click the Organization tab to navigate to Policies, then select Security from the left navigation menu.
Scroll down to the audit section at the bottom of the page and select events to log by adding check marks to the desired tick boxes.
Note: Ensure that "File Add/Update" remains enabled.
Establish DNS Pointer Records (PTR) to help identify the source of the ransomware incident. Create PTR records for your NAA server(s) to aid in linking the IP address blocked by the mitigation policy to a specific NAA server. Consult your DNS server’s documentation for instructions on how to configure a reverse lookup zone and PTR records.
In the NMC, configure your notification settings to enable email alerts, SNMP monitoring, and Syslog Export and notifications. Guidance can be found in Chapter 10 of the NMC Guide.
Recovering From an Attack
In the NMC, open the NRP Incident Management page: click the Cyber Resilience tab, then click Incident Management on the left. The shield icon indicates that the system has proactively responded to an attack by blocking at least one client.
To determine if the blocked client is an NAA server, click the report icon to access the NRP Incident Report. Make a note of the user name and client IP address associated with the event. Check if the IP address is assigned to an NAA server.
Note: The NRP ransomware_violation log file, located in the .nasuni/ransomware_violations directory at the root of the volume, lets you identify the compromised user SID, the source IP, and all impacted files.
Log into the NAA web app as an Organization Admin. Click Users under the Organization tab. Use the filter or search function at the top of the page to find and select a user. Click the pencil icon to open the user's permissions page.
Use the pencil icon in the left-side User Data pane to allow edits to the user's permissions. In the dialog box that appears, clear the check mark from the active tick box and click Update user data to disable the user.
In the NMC, click the Cyber Resilience tab, then click Blocked Clients. Check the tick box to the left of the client you would like to unblock.
Click Unblock Client in the dialog box that appears.
In NAA, click Audit Event Logs under the Organization tab. Use the filters in the left-side search pane to narrow your search. Click a log entry to reveal its type, user name, user login, time stamp, IP address, and tool. Look for matches on user name or file name to identify the compromised device.
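The identification steps above (a PTR lookup on the blocked IP to decide whether it is an NAA server, then matching NAA audit events on user name or impacted file name to find the real device) as an added Python example; this is not Nasuni code, and the NAA host naming scheme, the PTR table, and the audit-event field layout are constructed assumptions.

```python
import socket
from typing import Optional

# All values below are constructed placeholders, not data from a real incident.
NAA_HOST_SUFFIX = ".naa.corp.example"        # hypothetical naming scheme for NAA servers
PTR_TABLE = {                                # stands in for your reverse-lookup zone
    "10.20.30.40": "naa-web-01.naa.corp.example",
    "10.20.30.50": "workstation-17.corp.example",
}
# Fields follow the entry view the article describes: type, user name, login, time, IP, tool.
AUDIT_EVENTS = [
    {"type": "File Add/Update", "user": "Jane Doe", "login": "jdoe", "time": "2024-05-01T09:02:11Z",
     "ip": "198.51.100.23", "tool": "NAA Desktop Sync", "file": "finance/q3.xlsx"},
    {"type": "File Add/Update", "user": "Jane Doe", "login": "jdoe", "time": "2024-05-01T09:02:12Z",
     "ip": "198.51.100.23", "tool": "NAA Desktop Sync", "file": "finance/q3.xlsx.locked"},
    {"type": "Login", "user": "Bob Roe", "login": "broe", "time": "2024-05-01T08:55:00Z",
     "ip": "198.51.100.77", "tool": "Web App", "file": None},
]

def reverse_lookup(ip: str, table: Optional[dict] = None) -> Optional[str]:
    """Return the PTR name for ip from the supplied table, or from the system resolver."""
    if table is not None:
        return table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def is_naa_server(ip: str, table: Optional[dict] = None) -> bool:
    """True when the blocked IP's PTR record names one of the NAA servers."""
    name = reverse_lookup(ip, table)
    return name is not None and name.endswith(NAA_HOST_SUFFIX)

def find_compromised_device(user_login: str, impacted_files: list, events: list) -> set:
    """Match audit events on login or impacted file name; return the (ip, tool) pairs behind them."""
    hits = set()
    for ev in events:
        by_user = ev["login"] == user_login
        by_file = ev["file"] is not None and any(ev["file"].startswith(f) for f in impacted_files)
        if by_user or by_file:
            hits.add((ev["ip"], ev["tool"]))
    return hits

def triage(blocked_ip: str, user_login: str, impacted_files: list, table=None, events=AUDIT_EVENTS) -> dict:
    """Report whether the block hit an NAA server and, if so, which client device to isolate."""
    naa = is_naa_server(blocked_ip, table)
    devices = find_compromised_device(user_login, impacted_files, events) if naa else set()
    return {"blocked_is_naa_server": naa, "devices_to_isolate": devices}

if __name__ == "__main__":
    print(triage("10.20.30.40", "jdoe", ["finance/q3.xlsx"], PTR_TABLE))
```

When the blocked IP is not an NAA server, the block already points at the client itself and no audit-log correlation is needed.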
Refer to Recovering from Ransomware using Nasuni for further steps on restoring your data to a specific version.
Nasuni Ransomware Detection is a feature of the Nasuni Ransomware Protection add-on service. If you do not see the feature, contact your Nasuni account team to discuss how to purchase and enable the add-on.
Find self-help resources and Technical Support at www.nasuni.com/support