Monitoring alerts for ransomware threat detection
In addition to the email alerts and integrations with other tools, an alert for a potential ransomware threat is displayed in the IBM Storage Insights GUI when a threat is detected. Ransomware threat detection is available in both the free and pro versions of IBM Storage Insights. In the free version, ransomware threat detection is available only in the modern UI and not in the classic UI. In the pro version, ransomware threat detection is available in both the classic and modern UIs.
When a ransomware threat alert is triggered, an email notification is sent to the configured email addresses. The email includes details about the potential ransomware activity and a link to the corresponding alert in IBM Storage Insights.
Accessing ransomware alerts in the user interface
Modern UI:
You can access ransomware alerts for volume groups in the following ways:
- When a ransomware threat alert is triggered, a red notification banner appears across all pages in the GUI. The banner persists until the alerts are resolved or acknowledged. Click View threat alerts in the ransomware threat notification to see more details. The storage systems affected by the ransomware threat are highlighted in red in the Block Storage panel of the overview dashboard in the modern UI, and the highlight persists until the alerts are resolved or acknowledged.
- Click Alerts in the top menu bar, and then click Potential Ransomware Detected in the Alert name column. The alert details panel opens with information about the related storage systems, the volume groups table, performance charts (Read I/O Rate, Write I/O Rate, Total I/O Rate), and recommended mitigation actions.
Classic UI:
You can access ransomware alerts for volume groups through the following locations:
- Ransomware threat detection notification in
- Alerts page at . Locate the alert with the name Potential Ransomware Detected.
- Ransomware threat detection notification in the storage system details page.
- Storage system alerts page at Alerts in the General section of the storage system details page.
- Volume details page at Volumes in the Internal Resources section of the storage system details page.
- Volume group details page at Volume Groups in the Internal Resources section of the storage system details page.
- Compromised status of the volume snapshots from the storage system details page at
- Compromised status of the volume group snapshots from the storage system details page at
Recommended mitigation actions for alerts
When a ransomware alert is triggered, you can see recommended actions to mitigate the issues. Recommendations include checking whether encryption is enabled, migrating data, or contacting the security team.
To access the recommendations from the modern UI, click Alerts in the top menu bar, and then click Potential Ransomware Detected in the Alert name column. The alert details pane opens. Click the Recommendations tab to view the recommended actions.
To access the recommendations from the classic UI, double-click the alert name from . The alert details pane opens. You can see the Recommendations section with the suggested actions.