---
title: "Nasuni Ransomware Mitigation with Access Anywhere"
slug: "nasuni-ransomware-mitigation-with-access-anywhere"
updated: 2025-03-03T14:34:51Z
published: 2025-03-03T14:34:51Z
---

# Nasuni Ransomware Mitigation with Access Anywhere

**Correct configuration** of Nasuni Access Anywhere (**NAA**) with Nasuni Ransomware Protection (**NRP**) is key in identifying and isolating users compromised by ransomware. **NRP’s Incident Mitigation policy** automatically blocks IP addresses – including NAA servers – identified as the source of a ransomware attack from connecting with your Nasuni Edge Appliance. Thus, other users and applications of the NAA servers might also be blocked. **Follow these steps to isolate the compromised user, restore your data, and get your team back on track safely with just a few clicks.**

# Getting Started with Settings

***Tip: Cloud Sync*** *use cases may require adjustments to the default thresholds because these workloads can involve many files being created in a short period of time when a synchronization occurs.* ***Nasuni recommends starting with the default Incident Creation Confidence Level*** *and only adjusting it if Incidents are generated due to legitimate Cloud Sync operations.*

**In NAA, enable or edit audit events.** Click the **Organization** tab to navigate to **Policies**, then select **Security** from the **left navigation menu**.

Scroll down to the **audit section** at the bottom of the page and **select events to log** by adding check marks to the desired tick boxes.

***Note:*** *Ensure that "**File Add/Update**" remains enabled.*

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-00mpdqsr.png)

Establish **DNS Pointer Records (PTR)** to help identify the source of the ransomware incident. **Create PTR records for your NAA server(s)** to aid in linking the IP address blocked by the mitigation policy to a specific NAA server. ***Consult your DNS server’s documentation for instructions on how to configure a reverse lookup zone and PTR records.***

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-ef4imw6d.png)

**In the NMC, configure your notification settings** to enable email alerts, SNMP monitoring, and Syslog Export and notifications. Guidance can be found in Chapter 10 of the NMC Guide.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-ol58rqyz.jpg)

# Recovering From an Attack

**In the NMC**, open the **NRP Incident Management** page: click the **Cyber Resilience tab**, followed by the **Incident Management** option on the left. The **shield icon** indicates that the system has **proactively responded** to an attack by **blocking at least one client**.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-wrrnp5mn.jpg)

To determine if the blocked client is an NAA server, click the report icon to access the **NRP Incident Report**. Make a note of the user name and client IP address associated with the event. Check if the IP address is assigned to an NAA server.

***Note:*** *The **NRP ransomware_violation log file** located in the **.nasuni/ransomware_violations** directory at the root of the volume allows you to identify the compromised user SID, source IP, and **all impacted files**.*

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-r7atmnng.jpg)

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-o6t0w1n5.png)
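The PTR records created during setup are what let you tie the client IP address from the NRP Incident Report to a specific NAA server. The following Python is an added example, not Nasuni code: it audits that every NAA server IP has a PTR record that forward-confirms, and classifies a blocked IP as an NAA server or another client. The inventory (addresses from the 192.0.2.0/24 documentation range, `example.com` hostnames) and all function names are assumptions; lookups are IPv4 only.

```python
import socket

# Constructed inventory (assumption): NAA server IPs from the documentation
# range 192.0.2.0/24 and the hostnames their PTR records should return.
NAA_SERVERS = {
    "192.0.2.10": "naa1.example.com",
    "192.0.2.11": "naa2.example.com",
}

def ptr_lookup(ip, rev=socket.gethostbyaddr):
    """Return the PTR hostname for ip, or None if no reverse record exists."""
    try:
        return rev(ip)[0].rstrip(".").lower()
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def forward_ips(name, fwd=socket.gethostbyname_ex):
    """Return the set of IPv4 addresses the hostname resolves to."""
    try:
        return set(fwd(name)[2])
    except OSError:
        return set()

def audit_ptr(servers, rev=socket.gethostbyaddr, fwd=socket.gethostbyname_ex):
    """Classify each NAA server IP: ok, no-ptr, wrong-name or no-forward-match."""
    report = {}
    for ip, expected in servers.items():
        name = ptr_lookup(ip, rev)
        if name is None:
            report[ip] = "no-ptr"
        elif name != expected.lower():
            report[ip] = "wrong-name"
        elif ip not in forward_ips(name, fwd):
            report[ip] = "no-forward-match"
        else:
            report[ip] = "ok"
    return report

def name_blocked_client(blocked_ip, servers, rev=socket.gethostbyaddr):
    """Map an IP blocked by the mitigation policy to an NAA server, if it is one."""
    name = ptr_lookup(blocked_ip, rev)
    if blocked_ip in servers:
        return ("naa-server", name or servers[blocked_ip])
    return ("other-client", name)

if __name__ == "__main__":
    for ip, status in audit_ptr(NAA_SERVERS).items():
        print(ip, status)
```

Any status other than `ok` means an incident responder looking at a blocked IP would get no name, or a misleading one, from reverse DNS.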

Log in to the **NAA web app** as an **Organization Admin**. Click **Users** under the **Organization** tab. Use the **filter or search** function at the top of the page to find and **select a user**. Click the **pencil icon** to open the user's permissions page.

Use the **pencil icon** in the left side **User Data** pane to allow edits to the user's permissions. A dialog box will appear where you can toggle to **remove the check mark** from the **active** tick box, and **click Update user data to disable the user.**

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-d5517qjw.png)

**In the NMC**, click the **Cyber Resilience** tab, then click **Blocked Clients**. Check the **tick box** to the left of the client you would like to unblock.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-f2r4sskk.png)

Click **Unblock Client** in the dialog box that appears.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-ypseo1bz.png)

In **NAA**, click the **Audit Event Logs** under the **Organization** tab. Use the **filters** in the **left side search pane** to narrow your search. Click a log to reveal the type, user name, user login, time stamp, IP address and tool. **Look for matches** based on username or file name to identify the compromised device.

![](https://cdn.document360.io/2adf6ce2-c120-4520-b135-0fc4463ddde3/Images/Documentation/nasuni-ransomware-mitigation-with-access-anywhere-image-vlbgac3h.jpg)

Refer to Recovering from Ransomware using Nasuni for further steps on restoring your data to a specific version.

*Nasuni Ransomware Detection is a feature of the Nasuni Ransomware Protection add-on service. If you do not see the feature, contact your Nasuni account team to discuss how to purchase and enable the add-on.*

Find self-help resources and Technical Support at [**www.nasuni.com/support**](http://www.nasuni.com/support)
