Ransomware threat detection

The system can analyze data patterns for their ransomware threat potential. With IBM Storage Insights, an alert is raised if the data patterns are found to be anomalous.

When an alert is raised, a snapshot is automatically triggered for the affected volumes within a volume group. This snapshot is marked with an anomaly status of Detected threat triggered. Because it was triggered during the anomalous workload, this snapshot may contain some of that workload.

It is good practice to configure a schedule for creating regular snapshots of these volume groups. If an earlier volume group snapshot exists when an anomalous workload is detected, the latest snapshot is marked as Retention extended, and its retention time is extended to avoid early expiration.

Volume group snapshots created while an alert exists are marked as Potential threat present.

To configure ransomware threat detection, use the Settings > Security > Ransomware Threat Detection panel in the management GUI.