Alerts for ransomware threat detection

IBM Storage FlashSystem employs an advanced AI inference engine to detect potential ransomware threats and forwards those alerts to both free and pro versions of IBM Storage Insights. When a ransomware threat is identified, IBM Storage Insights triggers an alert to inform you of the potential risk.

Ransomware threat detection is enabled by default in IBM Storage Insights free and pro versions. When a ransomware threat alert is triggered, a red notification banner appears across all pages in the GUI. An email notification is also sent to the configured email addresses. The email includes details about the potential ransomware activity and a link to the corresponding alert in IBM Storage Insights. You can enable or disable ransomware threat detection alerts by following the steps in Enabling and disabling alerts for ransomware threat detection.

Note:
  • Ransomware threat detection and integration with IBM Storage Defender is available in both the free and pro versions of IBM Storage Insights. You can enable or disable this feature in either version.

    In the free version, ransomware threat detection is available only in the modern UI and not in the classic UI. For pro version, ransomware threat detection is available in both the classic and modern UI.

  • Ransomware threat detection at volume level is supported only for IBM Storage Virtualize systems that meet all of the following conditions:
    • Resources are monitored through Call Home with cloud services.
    • The storage system uses FCM drives with version 4 or later.
    • The storage system runs firmware version 8.6.3.0 or later.
  • Ransomware threat detection for volume groups is supported only for IBM Storage Virtualize systems that meet all of the following conditions:
    • Resources are monitored through Call Home with cloud services.
    • The storage system uses FCM drives with version 4.2 or later.
    • The storage system runs firmware version 8.7.2.0 or later.

Ransomware threat detection for DS8000 systems

IBM Storage Insights is adding support for ransomware threat detection alerts for DS8000 systems (firmware version R10.1 or later) in phases.
  1. Phase 1 (current): IBM Storage Insights receives ransomware threat detection alerts from DS8000 systems and displays them in the GUI. These alerts are visible only to IBM Support for learning and validation. You do not receive ransomware threat detection alerts in this phase.
  2. Phase 2 (future): IBM Storage Insights continues to receive ransomware threat detection alerts from DS8000 systems and displays the alerts to you.

Key capabilities of ransomware threat detection alert

  • Streamlined alerting for IBM Storage Virtualize systems:

    IBM Storage Insights triggers either a ransomware threat detection alert or a workload anomaly alert for an IBM Storage Virtualize system based on the following firmware and FCM drive conditions:

    Table 1. FCM and firmware version requirements for ransomware and workload anomaly detection alerting support

    Firmware version         | Storage system with all FCM drives running version 4 or later | Storage system with no FCM drives
    -------------------------|---------------------------------------------------------------|---------------------------------------------------------
    Below 8.6.0.0            | Neither ransomware threat nor workload anomaly detection      | Neither ransomware threat nor workload anomaly detection
    8.6.0.0 to below 8.6.3.0 | Workload anomaly detection only                               | Workload anomaly detection only
    8.6.3.0 or later         | Ransomware threat detection only                              | Workload anomaly detection only

    Note:
    1. Ransomware threat detection for volume groups is supported only on storage systems running firmware version 8.7.2.0 or later. The volumes must be created in a storage pool that uses FCM drives with version 4.2 or later, and the underlying MDisks must be configured as RAID 1 or RAID 6.
    2. For a storage system with firmware version 8.6.0.0 or later whose FCM drives are all earlier than version 4, only workload anomaly detection is supported.
  • Expanded ransomware threat detection:

    Ransomware threat detection encompasses volume groups, in addition to individual volume-based alerts. When a ransomware event is detected at the group level, IBM Storage FlashSystem sends an alert to IBM Storage Insights, allowing for quick identification and management of compromised volume groups rather than addressing each volume individually.

  • User interface and visual indicators:
    • The Status column in the volume or volume group details page displays values such as Threat Detected or Threat Detected - Acknowledged.
    • The Threat Detected Timestamp column in the volume and volume group details page indicates when the alert was generated.
  • Automatic marking of affected volumes

    When a ransomware alert is triggered at the volume group level, all associated volumes are automatically marked as Threat Detected. Acknowledging the alert at the volume group level marks all related volumes as acknowledged.

  • Acknowledgment and alert management

    You can acknowledge or un-acknowledge alerts at both the volume group and individual volume levels. If all volumes in the volume group are acknowledged, the volume group status shows Threat Detected - Acknowledged. If any volume in the volume group remains unacknowledged, the volume group status remains Threat Detected. For more information, see Acknowledging a false positive alert.

  • Snapshot protection

    Snapshots created after a ransomware alert are flagged as Compromised until the alert is acknowledged, so that backups taken while the threat is open can be identified. After the alert is acknowledged, later snapshots are not flagged, indicating a return to a safe state. Because acknowledgment stops the flagging of subsequent snapshots, acknowledge an alert only after you have confirmed that the detected activity is not malicious.

  • False-positive reporting

    A feedback mechanism for false positives is available for both volume-level and volume group-level ransomware alerts, which helps improve alert accuracy. For more information, see Submitting feedback for ransomware false positives.

  • Integration with IBM Storage Defender and webhook:

    Volume and volume group ransomware alerts are forwarded to IBM Storage Defender and to configured webhook integration points, ensuring comprehensive security coverage. For more information, see IBM Storage Defender integration.
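The following Python script is an added example, not IBM Storage Insights code or an IBM tool. It encodes the conditions in Table 1 and its notes, together with the volume-level and volume group conditions listed in the Note at the top of this page, so that you can check an inventory of IBM Storage Virtualize systems for the alert type to expect before relying on it. The inventory records, the Drive and StorageSystem record shapes, the mdisk_raid_levels field and the result labels (none, workload_anomaly, ransomware, not_monitored, not_covered) are assumptions made for the example; mixed FCM and non-FCM configurations are not covered by Table 1, so the checker reports them as not_covered rather than guessing.

```python
"""Fleet pre-check for the alert types in Table 1 and its notes.

Added example, not IBM Storage Insights code. It encodes the firmware and FCM
drive conditions stated on this page for IBM Storage Virtualize systems; the
inventory records at the bottom are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.6.3.0' or '4.2' into a tuple that compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Drive:
    is_fcm: bool
    fcm_version: str | None = None  # e.g. "4.1"; None for non-FCM drives


@dataclass
class StorageSystem:
    name: str
    firmware: str
    drives: list[Drive]
    call_home_cloud: bool = True  # monitored through Call Home with cloud services
    # RAID levels of the MDisks behind the FCM pools (assumed inventory field)
    mdisk_raid_levels: set[str] = field(default_factory=set)


def classify_drives(drives: list[Drive]) -> str:
    """Map a drive set onto the columns of Table 1 (plus Note 2)."""
    fcm = [d for d in drives if d.is_fcm]
    if not fcm:
        return "no_fcm"
    if len(fcm) != len(drives):
        return "mixed"  # FCM and non-FCM together: not covered by Table 1
    versions = [parse_version(d.fcm_version or "0") for d in fcm]
    if all(v >= (4,) for v in versions):
        return "all_fcm4"
    if all(v < (4,) for v in versions):
        return "fcm_below_4"
    return "mixed"  # some FCM 4+, some older: also not covered


def volume_alert_type(system: StorageSystem) -> str:
    """Alert type raised at volume level (Table 1 and Note 2)."""
    drives = classify_drives(system.drives)
    if drives == "mixed":
        return "not_covered"
    fw = parse_version(system.firmware)
    if fw < (8, 6, 0, 0):
        return "none"
    if fw < (8, 6, 3, 0):
        return "workload_anomaly"
    if drives != "all_fcm4":
        return "workload_anomaly"
    # Volume-level ransomware detection also requires Call Home with cloud services.
    # The page does not say whether workload anomaly alerts share that requirement,
    # so only the ransomware outcome is gated on it here.
    return "ransomware" if system.call_home_cloud else "not_monitored"


def volume_group_detection_supported(system: StorageSystem) -> bool:
    """Note 1: firmware 8.7.2.0+, FCM 4.2+ drives, RAID 1 or RAID 6 MDisks, Call Home."""
    if not system.call_home_cloud:
        return False
    if parse_version(system.firmware) < (8, 7, 2, 0):
        return False
    if classify_drives(system.drives) != "all_fcm4":
        return False
    if not all(parse_version(d.fcm_version) >= (4, 2) for d in system.drives):
        return False
    return bool(system.mdisk_raid_levels) and system.mdisk_raid_levels <= {"RAID 1", "RAID 6"}


def fleet_report(systems: list[StorageSystem]) -> dict[str, tuple[str, bool]]:
    """Per system: (volume-level alert type, volume group detection supported)."""
    return {s.name: (volume_alert_type(s), volume_group_detection_supported(s)) for s in systems}


# Constructed inventory (not real systems).
FLEET = [
    StorageSystem("fs9500-prod", "8.7.2.0", [Drive(True, "4.2")] * 8, True, {"RAID 6"}),
    StorageSystem("fs7300-dr", "8.6.3.0", [Drive(True, "4.0")] * 6, True, {"RAID 6"}),
    StorageSystem("fs5200-lab", "8.6.1.0", [Drive(True, "4.2")] * 4, True, {"RAID 1"}),
    StorageSystem("fs7200-oldfcm", "8.7.2.0", [Drive(True, "3.1")] * 6, True, {"RAID 6"}),
    StorageSystem("sv-legacy", "8.5.0.0", [Drive(False)] * 12),
    StorageSystem("fs9500-nocallhome", "8.7.2.0", [Drive(True, "4.2")] * 8, False, {"RAID 6"}),
]

if __name__ == "__main__":
    for name, (alert, group_ok) in fleet_report(FLEET).items():
        print(f"{name:20} volume alert: {alert:18} volume-group detection: {group_ok}")
```

Run it against your own inventory export by building StorageSystem records from it; a system that reports workload_anomaly where you expected ransomware is usually a firmware below 8.6.3.0 or an FCM drive older than version 4, and a system that reports not_monitored has the right hardware but is not sending data through Call Home with cloud services.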
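The following Python model is an added example, not IBM code. It implements the status rules described under Automatic marking of affected volumes, Acknowledgment and alert management, and Snapshot protection, and walks through an alert, a snapshot, a group-level acknowledgment and an un-acknowledgment of one volume to show which status and snapshot flags result, in particular that un-acknowledging a single volume both reverts the group status and resumes Compromised flagging for that volume. It assumes a Normal label for volumes with no active alert (the page only names the two threat values), that the Compromised flag is decided per volume at the time a snapshot is taken, and that the group's Threat Detected Timestamp is the earliest of its volumes' timestamps; the volume names and timestamps are constructed.

```python
"""State model for volume and volume group ransomware alert status.

Added example, not IBM Storage Insights code. Status strings follow the GUI
values named on this page; the Normal label, the per-volume snapshot flagging
rule and the group timestamp rule are assumptions. Names and times are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

THREAT = "Threat Detected"
THREAT_ACK = "Threat Detected - Acknowledged"
NORMAL = "Normal"  # assumed label; the page only shows the two threat values


@dataclass
class Snapshot:
    name: str
    taken_at: datetime
    compromised: bool


@dataclass
class Volume:
    name: str
    status: str = NORMAL
    threat_detected_at: datetime | None = None
    snapshots: list[Snapshot] = field(default_factory=list)

    def take_snapshot(self, name: str, when: datetime) -> Snapshot:
        # Flagged Compromised only while an alert is open and unacknowledged on this volume.
        snap = Snapshot(name, when, compromised=(self.status == THREAT))
        self.snapshots.append(snap)
        return snap


@dataclass
class VolumeGroup:
    name: str
    volumes: list[Volume]

    def raise_alert(self, when: datetime) -> None:
        # A group-level alert marks every member volume and records the timestamp.
        for v in self.volumes:
            v.status = THREAT
            v.threat_detected_at = when

    def acknowledge(self) -> None:
        # Acknowledging at group level marks all related volumes as acknowledged.
        for v in self.volumes:
            if v.status == THREAT:
                v.status = THREAT_ACK

    def unacknowledge(self, volume_name: str) -> None:
        # Un-acknowledging one volume reopens the alert on that volume only.
        for v in self.volumes:
            if v.name == volume_name and v.status == THREAT_ACK:
                v.status = THREAT

    @property
    def status(self) -> str:
        flagged = [v for v in self.volumes if v.status in (THREAT, THREAT_ACK)]
        if not flagged:
            return NORMAL
        # The group shows acknowledged only when every flagged volume is acknowledged.
        if all(v.status == THREAT_ACK for v in flagged):
            return THREAT_ACK
        return THREAT

    @property
    def threat_detected_at(self) -> datetime | None:
        times = [v.threat_detected_at for v in self.volumes if v.threat_detected_at]
        return min(times) if times else None  # assumed: earliest volume timestamp


def scenario() -> dict[str, object]:
    """Alert -> snapshot -> acknowledge -> un-acknowledge one volume; record what the GUI shows."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    vg = VolumeGroup("vg-erp", [Volume("erp-data"), Volume("erp-log"), Volume("erp-tmp")])
    data, log = vg.volumes[0], vg.volumes[1]
    out: dict[str, object] = {}

    vg.raise_alert(t0)
    out["after_alert"] = vg.status
    out["snap_before_ack"] = data.take_snapshot("erp-data-1000", t0 + timedelta(hours=1)).compromised

    vg.acknowledge()
    out["after_ack"] = vg.status
    out["snap_after_ack"] = data.take_snapshot("erp-data-1100", t0 + timedelta(hours=2)).compromised

    vg.unacknowledge("erp-log")  # analyst reopens one volume after a second look
    out["after_unack"] = vg.status
    out["snap_reopened_volume"] = log.take_snapshot("erp-log-1200", t0 + timedelta(hours=3)).compromised
    out["snap_still_acked_volume"] = data.take_snapshot("erp-data-1200", t0 + timedelta(hours=3)).compromised
    out["group_timestamp"] = vg.threat_detected_at
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:26} {value}")
```

The last two snapshots in the scenario are the point: once erp-log is un-acknowledged the group goes back to Threat Detected and a new snapshot of erp-log is flagged Compromised again, while a snapshot of the still-acknowledged erp-data is not, so when you triage a group alert check the per-volume status rather than only the group row.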