Because of a few very bad people, we all carry a burden. At home, that could mean locking the front door, checking the side gate, or taking other precautions. With data center security, the burden is omnipresent—and very expensive. Plus, it’s not optional or very inspirational. You pay the costs so your organization can move forward normally.

Ransomware presents a new kind of data center burden. If you’re a victim of it, the consequences can be staggering: a complete cessation of your operations, the subsequent costs due to that interruption, a huge loss in reputation, and famously, an exorbitant ransom. After all of that, you’re back to square one.

Therefore, mitigating ransomware needs to be easy. It should be as simple as checking the front door before you go to bed. Pure Storage® SafeMode is exactly that. Here, we will talk about SafeMode Snapshots.

Ransomware Attacks

Ransomware is discussed everywhere today, so I won’t go into too much detail. In a nutshell, it’s when an attacker maliciously encrypts your data and then sells you the encryption key to recover your data. What many people don’t know is that ransomware software sells on the internet like mainstream software. And it’s very lucrative.

It takes a combination of luck and skill for an intruder to gain access to a storage device or an entire application server and its connected volumes. Preventive maintenance is critical: locking down resources, retiring older devices, and reviewing access logs. These measures will go a long way in preventing an attack.

But, if an intruder does attack your organization, the following sequence of events is likely to occur:

  1. Through some means, an intruder gains access to a server or storage device.
  2. The intruder starts an encryption process to slowly and discreetly encrypt drives or volumes.
  3. After some time elapses, the volume snapshots are permanently deleted, leaving only the encrypted volumes.
  4. The application crashes and operations are offline until you pay the ransom.
  5. The ransom is paid, and you can restart applications with access to unencrypted data (hopefully).


Ransomware Mitigation with SafeMode Snapshots

Now, let’s take the same sequence of events but with SafeMode enabled.

  1. Through some means, an intruder gains access to a server or storage device.
  2. The intruder starts an encryption process to slowly and discreetly encrypt drives or volumes.
  3. The intruder attempts to delete snapshots but can’t because they’re locked with SafeMode.
  4. The intruder’s encrypted volumes are taken offline and recovered with unchangeable, locked snapshots.
  5. Operations are either not impacted or only minimally interrupted, and no ransom is paid.

SafeMode Is Easy to Enable 

SafeMode is a data-protection solution that is built into FlashArray™. Simply call Pure Storage Support and request it. Support will set up a conference call with you and your account team. Changes to SafeMode are only possible when at least two authorized contacts from your organization conference with the Support team. You can authorize up to five contacts who can make changes to SafeMode. Each authorized contact will get a six-digit PIN.

SafeMode Is Easy to Use 

SafeMode doesn’t delete your system’s volumes, snapshots, hosts, or anything else. It destroys them. Once destroyed, these objects sit in a special “destroyed” area that is visible in the GUI. They remain recoverable for 24 hours. After 24 hours, SafeMode eradicates these objects permanently. This Eradication Timer provides an “undo” button for mistakes.

However, any array admin can eradicate any destroyed object. Just click on the trash can icon next to it, and it’s gone forever. SafeMode prevents this by locking everything in the destroyed area. You have to wait for the Eradication Timer to count down before the object can be removed forever. For ransomware, 24 hours isn’t long enough. We suggest changing the timer to a longer duration such as 14 days. You can select up to 30 days.

To summarize, setting up SafeMode to protect your data is as simple as:

  1. Contacting Pure and enabling SafeMode.
  2. Establishing authorized contacts and recording your assigned PIN.
  3. Adjusting the Eradication Timer to something beyond 24 hours to provide an optimal recovery window.
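
The eradication behavior described in this section can be modeled to show why the timer length matters as much as the lock itself. This is an added example, not Pure Storage code or the Purity API: the `Array` class, its method names, and the snapshot names are hypothetical, and the model is simplified to a single timer.

```python
from dataclasses import dataclass, field

DAY = 24 * 3600  # seconds

class SafeModeLocked(Exception):
    """Manual eradication refused: objects in the destroyed area are locked."""

@dataclass
class Array:  # hypothetical simplified model, not the Purity API
    safemode: bool = False
    eradication_timer: int = DAY                   # 24-hour default from the text
    live: set = field(default_factory=set)
    destroyed: dict = field(default_factory=dict)  # name -> time destroyed

    def destroy(self, name, now):
        """Move an object to the recoverable 'destroyed' area."""
        self.live.remove(name)
        self.destroyed[name] = now

    def eradicate(self, name):
        """Manual eradication (the trash-can icon); blocked by SafeMode."""
        if self.safemode:
            raise SafeModeLocked(name)
        del self.destroyed[name]

    def tick(self, now):
        """Timer-driven eradication of objects whose window has elapsed."""
        for name, t in list(self.destroyed.items()):
            if now - t >= self.eradication_timer:
                del self.destroyed[name]

    def recover(self, name, now):
        """Undo a destroy if the object has not been eradicated yet."""
        self.tick(now)
        del self.destroyed[name]
        self.live.add(name)

def recoverable_after_attack(array, detected_after):
    """Replay step 3 of the sequence at t=0, then return the snapshots
    still recoverable when defenders respond at t=detected_after."""
    for snap in sorted(n for n in array.live if n.startswith("snap")):
        array.destroy(snap, now=0)
        try:
            array.eradicate(snap)
        except SafeModeLocked:
            pass  # locked: only the timer can remove it
    array.tick(detected_after)
    return sorted(array.destroyed)
```

With detection three days after the snapshots are destroyed, the model returns nothing recoverable without SafeMode, nothing with SafeMode and the 24-hour timer, and both snapshots with SafeMode and a 14-day timer.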

Immutable Snapshots

Pure Storage snapshots are immutable. With SafeMode, they’re ineradicable (yes, that is a real word). And they’re fast. It takes less than a millisecond for a snapshot to create a few persistent data structures. Finally, and most importantly, Protection Groups offer robust configurable snapshot policies. These cover the frequency of snapshots, retention policy of snapshots, and even the ability to send snapshots to a variety of other destinations such as FlashArray//C, FlashBlade®, AWS, Microsoft Azure, and NFS shares.

SafeMode is a comprehensive, high-performance solution. Here are a few additional highlights. With our latest Purity release, SafeMode also locks down:

  • Protection Group targets: An intruder can’t prevent snapshots from being sent to another destination.
  • Snapshot retention: An intruder can’t set the retention to zero and eradicate all of the snapshots. This retention can be increased as needed, but it can’t be decreased unless two authorized contacts and their associated PINs contact Pure Support.
  • FlashArray files


SafeMode is a built-in feature of FlashArray. Snapshots offer infinitely configurable policies and a near-infinite means of offloading snapshots. While technology often complicates things, this isn’t the case with FlashArray. As we’ve been saying since 2011, there’s no reason for compromise or complexity.
