Nasuni Ransomware Protection


Introduction to Nasuni Ransomware Protection

Nasuni Ransomware Protection is a separately licensed add-on service of the Nasuni File Data Platform that provides additional features to help mitigate ransomware and other cyber attacks. Using up-to-date intelligence on the latest threats, the Nasuni Ransomware Protection Service helps you recover smarter and faster than ever.

This document explains how each feature of the add-on service works and how to configure each feature for your environment. Nasuni Ransomware Detection is the first key feature included in the Nasuni Ransomware Protection add-on.

Nasuni Ransomware Detection

Nasuni provides unmatched recovery capabilities for customers impacted by ransomware attacks as part of its base platform. Nasuni Ransomware Protection extends these built-in capabilities by identifying ransomware attacks on files anywhere within your Nasuni environment and alerting administrators about ransomware attacks before they cause significant damage. This enables you to identify the impacted files and culprit users, so you can recover smarter and even faster without paying a ransom.

Nasuni Ransomware Protection provides an additional layer of security on Nasuni Edge instances by identifying known ransomware file extensions as soon as they appear and notifying administrators of their presence.

Ransomware Protection works as follows:

  • Regularly updates known ransomware patterns used for detection.
    The Nasuni list of known ransomware file extensions is at https://r3.api.nasuni.com/ext_blocklist.json.

  • Reads creation, renaming, updating, and deletion events and analyzes their paths.

  • Triggers incident mitigation if the confidence level of the suspected ransomware meets or exceeds the selected Confidence Level.

  • Emits a notification if an attack is underway. This notification is sent when the attack is first recorded, not for each affected file.

  • Logs individual pattern violations.

For further details, see Ransomware Protection.

Tip: You can avoid false positives by requesting Support to add file extensions to a safelist.

Note: Ransomware Detection Confidence Levels are available only for Edge Appliances running version 9.14 or later and NMC running version 23.3 or later.

You can enable or disable Ransomware Protection at the volume level.

Note: Nasuni Ransomware Protection is a feature of the Nasuni Ransomware Protection add-on service. If you cannot enable the feature, contact your Nasuni account team to discuss how to purchase and enable the add-on.

Tip: To administer settings of Ransomware Protection, you must have the "Manage Cyber Resilience Services" permission enabled.

Tip: To receive notifications of violations, you must have the “Manage all aspects of the Filer (superuser)” or “Manage Notifications” permissions and the appropriate “Filer Access” permissions.
To receive emails of violations, if email is enabled, you must also ensure that the Violation Alerts are selected for the user’s group.

Important: To enable Ransomware Protection, you must open port 443 to the FQDN r3.api.nasuni.com to get ransomware detection definition files.

Note: Ransomware attack summaries are displayed in the Nasuni Edge Appliance or Nasuni Management Console. Individual violations are logged to a CSV file in the .nasuni/ransomware_violations/ folder of the volume.
In the log file, each violation entry includes the following: event timestamp, event type, path, client SID (SMB (CIFS) volumes only), and client IP (SMB (CIFS) volumes only).
Of the 43 defined event types, Nasuni currently reports 4 (Rename), 6 (Read), 7 (Write), 10 (New File), and 12 (Delete File).

Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user.
Because the .nasuni directory is located in the root directory of the volume, to access the .nasuni directory, you must create a share to the root directory of the volume.
In addition, this hidden directory must be visible on the client machine. For example, in Windows, “Show Hidden Files, folders, and drives” must be enabled, and “Hide protected operating system files” must be disabled.
Alternatively, the File System Browser can view the .nasuni directory and its contents. On the File System Browser page, select the volume, click the gear icon, then select “Show Hidden Files”.

Considerations and Impact of Using Ransomware Protection

Impact on Performance

Ransomware Protection has a negligible effect on Nasuni Edge read/write performance.

Impact on Data Protection

Ransomware Protection does not affect snapshot schedules or the process of storing file data in your chosen cloud object storage.

Files Already Written to Cloud Object Storage

Only new or changed files are audited. Therefore, a file that has already been stored and protected in cloud object storage before Ransomware Protection is enabled is not examined unless that file is changed in some way.

Global File Lock and Ransomware Protection

Ransomware Protection does not affect Global File Lock, which is a separate service designed to minimize file version conflict by ensuring that only one user at a time may open a file for editing.

For details of Global File Lock processing, see Global File Locking.

Using Nasuni Ransomware Protection

You can enable or disable Ransomware Protection at the volume level.

Important: On the Edge Appliance and the NMC, Ransomware Protection appears as “Ransomware Detection”.

The Ransomware Detection setting is inherited by all Nasuni Edge Appliances that share the same volume. For example, if a Nasuni Edge Appliance in Boston enables Ransomware Detection for a volume, and a Nasuni Edge Appliance in London connects to that same volume, then Ransomware Detection is also enabled on the Nasuni Edge in London. In such a case, there might be a brief time lag before the Nasuni Edge in London inherits the setting.

Note: Ransomware Detection is available for SMB and NFS volumes and FTP/SFTP directories.

Note: Ransomware Mitigation is only available for SMB volumes, not NFS volumes.

Note: Ransomware Detection notifications are displayed in the Nasuni Edge Appliance or Nasuni Management Console. Individual violations are also logged to a CSV file in the .nasuni/ransomware_violations/ folder of the volume.
In the log file, each violation entry is of the form:

<event_date>, <event_type>, <event_path>, <client_SID> (SMB (CIFS) volumes only), <client_ip_address> (SMB (CIFS) volumes only)

Of the 43 defined event types, Nasuni currently reports 4 (Rename), 6 (Read), 7 (Write), 10 (New File), and 12 (Delete File).

Example:

2022-02-25 16:55:33.134070,10,./foo.txt.deadbolt,S-1-5-21-2233961672-3501865241-386910446-1105,172.16.1.79
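The following is an added example (not Nasuni's own code) that parses violation entries in the format documented above, maps the reported event-type codes to their names, and summarizes activity per client IP, flagging paths whose extension appears in a blocklist. The sample log rows beyond the first, the second client SID and IP, and the blocklist contents are constructed for illustration; the real extension list is served from https://r3.api.nasuni.com/ext_blocklist.json and its format is not shown here.

```python
import csv
import os
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Event type codes Nasuni currently reports (from the documentation above).
EVENT_TYPES = {4: "Rename", 6: "Read", 7: "Write", 10: "New File", 12: "Delete File"}

# Constructed sample blocklist of ransomware extensions (hypothetical content;
# the real list is served from https://r3.api.nasuni.com/ext_blocklist.json).
SAMPLE_BLOCKLIST = {"deadbolt"}

# Constructed sample log, modelled on the documented example entry. The second
# client SID/IP and all rows after the first are constructed values.
SAMPLE_LOG = """\
2022-02-25 16:55:33.134070,10,./foo.txt.deadbolt,S-1-5-21-2233961672-3501865241-386910446-1105,172.16.1.79
2022-02-25 16:55:34.002101,4,./bar.docx.deadbolt,S-1-5-21-2233961672-3501865241-386910446-1105,172.16.1.79
2022-02-25 16:55:35.117004,12,./baz.xlsx,S-1-5-21-2233961672-3501865241-386910446-1105,172.16.1.79
2022-02-25 17:01:02.000000,7,./report.pdf,S-1-5-21-2233961672-3501865241-386910446-1142,172.16.1.80
"""


def parse_violations(text):
    """Parse violation rows. NFS rows carry only the first three fields."""
    rows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        code = int(fields[1])
        rows.append({
            "timestamp": datetime.strptime(fields[0].strip(), "%Y-%m-%d %H:%M:%S.%f"),
            "event_type": code,
            "event_name": EVENT_TYPES.get(code, "Unknown"),
            "path": fields[2].strip(),
            "client_sid": fields[3].strip() if len(fields) > 3 else None,
            "client_ip": fields[4].strip() if len(fields) > 4 else None,
        })
    return rows


def summarize_by_client(rows, blocklist):
    """Count events per client IP and list paths whose extension is blocklisted."""
    summary = defaultdict(lambda: {"events": Counter(), "flagged_paths": []})
    for row in rows:
        entry = summary[row["client_ip"] or "unknown"]
        entry["events"][row["event_name"]] += 1
        ext = os.path.splitext(row["path"])[1].lstrip(".").lower()
        if ext in blocklist:
            entry["flagged_paths"].append(row["path"])
    return dict(summary)
```

Rows without a client SID and IP (NFS volumes) are grouped under "unknown", so the per-client view stays usable for mixed-protocol volumes.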

Enabling and Disabling Ransomware Detection using the Nasuni Edge Appliance User Interface

Note: Only the volume owner can enable or disable Ransomware Detection for a volume.

To enable and disable Ransomware Detection, see Ransomware Detection Policy.

Viewing Ransomware Detection settings using the Nasuni Management Console

To view Ransomware Detection settings, see Ransomware: Incident Management Page.

Editing Ransomware Detection settings using the Nasuni Management Console

To edit Ransomware Detection settings, see Ransomware Detection Policy.

Incident Management

The Incident Management page provides Administrators with a dashboard that tabulates information such as incident count by volume, detected confidence level, signature, and Edge Appliance. Use the Incident Management page to view your incidents, generate reports, and delete incidents after they have been resolved.

Note: Ransomware Detection Confidence Levels are available only for Edge Appliances running version 9.14 or later and NMC running version 23.3 or later.

To view the Incident Management page, click the Cyber Resilience tab, followed by the Incident Management option on the left.

For more information on Incident Management, see Incident Management.

Blocked Clients

When Incident Mitigation is enabled, and a ransomware incident occurs, Nasuni configures a DENY firewall rule to block the attacking client IP address from connecting with the Edge Appliance. Blocked clients populate on the Blocked Clients page, generating an alert to Administrators.

To view the Incident Management page, click the Cyber Resilience tab, followed by the Incident Management option on the left.

For more information on Blocked Clients, see Blocked Clients.

Important: If you use technologies that allow clients to reach a share through multiple NEAs (such as DFS or NetScaler) for geolocation or redundancy purposes, a client might be blocked by the mitigation policy on one appliance and then connect to another appliance hosting the same share. Ransomware activity on the new appliance might cause the client to be blocked there as well.

Ransomware: Targeted Restore

Rather than unnecessarily restoring the entire volume, Targeted Restore only restores files that a ransomware incident has affected and whose file names match a given pattern. This can save significant time in recovery and get back the files that users need much more quickly.

To learn more about Targeted Restore, see Targeted Restore.

Antivirus Services

Nasuni uses the Clam AntiVirus (ClamAV®) open-source engine as the backbone of the Edge Appliance Antivirus Protection. When an incident occurs, the file is flagged, and the virus information appears on the Violations page. An Administrator reviews this page and decides which flagged files are acceptable to include in the snapshot and cloud protection.

To view the Violations page, click the Cyber Resilience tab, followed by the Antivirus Violations tab on the left.

For more information on the Nasuni Antivirus Services, see Antivirus Service.