Logo - Pure Storage

How to Secure Your Data from Ransomware with SafeMode™ Snapshots

SafeMode Snapshots

Data isn’t just valuable: It’s the backbone of business innovation and growth. But as threats against this critical asset evolve—beyond ransomware alone—businesses absolutely must maintain cyber resilience to avoid the operational, financial, and reputational effects of downtime and data loss.

With data center security, this burden is omnipresent—and very expensive. Plus, it’s not optional or very inspirational. But resilience can be simple, effective, and automated. 

This is where Pure Storage® SafeMode Snapshots come into play, offering secure and operationally flexible protection businesses can count on to keep critical services running with guaranteed zero downtime.

Ransomware Attacks without SafeMode Snapshots

It takes a combination of luck and skill for an intruder to gain access to a storage device or an entire application server and its connected volumes. Preventive maintenance is critical: locking down resources, retiring older devices, real-time threat hunting, and reviewing access logs. But that’s only half the battle. If an intruder does gain access, you need resilience, and not every solution can provide that.

Here’s how a ransomware attack is likely to occur—without immutable snapshots:

  1. Through some means, an intruder gains access to sensitive data or information.
  2. The intruder starts an encryption process to slowly and discretely encrypt your organization’s data and information.
  3. After some time elapses, the volume snapshots are permanently deleted, leaving only the encrypted volumes.
  4. The application crashes and operations are offline until you pay the ransom.
  5. The ransom is paid, and you can restart applications with access to unencrypted data (hopefully).

safemode cyber resilience
Figure 1: SafeMode enhances cyber resilience.  

Ransomware Mitigation with SafeMode Snapshots 

Now, let’s take the same sequence of events, but with SafeMode immutable snapshots enabled.

  1. Through some means, an intruder gains access to sensitive data or information.
  2. The intruder starts an encryption process to slowly and discretely encrypt your organization’s data and information.
  3. The intruder attempts to delete snapshots but can’t because they’re locked with SafeMode.
  4. The intruder’s encrypted volumes are taken offline or removed and recovered with unchangeable, locked snapshots.
  5. Operations are either not impacted or only minimally interrupted, and no ransom is paid. By securing snapshots against tampering, SafeMode ensures that backups remain reliable and accessible. This not only preserves data but also maintains operational continuity.

What a stark difference, right? It’s possible thanks to SafeMode’s balance between automation and manual verification. The ability to quickly restore data from immutable snapshots minimized downtime and operational disruption.

safemode multi step verification
Figure 2: Multi-step verification process. 

How Does SafeMode Work? 

SafeMode employs immutable, indelible snapshots to safeguard against unauthorized changes or deletions. These snapshots serve as a reliable foundation for data recovery, even in the event of a ransomware attack. SafeMode protects the integrity of your data by:

  • Automatically generating data snapshots: These are scheduled at intervals that suit your operational requirements, ensuring that you always have an up-to-date, unaltered version of your data.
  • Ensuring data immutability and indelibility: Snapshots are always immutable. Once created, these snapshots cannot be deleted without undergoing a stringent, multi-step verification process. This includes interaction with Pure Storage’s dedicated support team, adding an extra layer of security.
  • Supporting robust configurable policies: Protection groups cover the frequency of snapshots, retention policy of snapshots, and even the ability to send snapshots to a variety of other destinations such as FlashArray//C™, FlashBlade®, AWS, Microsoft Azure, and NFS shares. Protection group targets mean an intruder can’t prevent you from sending snapshots to another destination.
  • Securing snapshot retention: An intruder can’t set the retention to zero and eradicate all of the snapshots. This retention can be increased as needed, but it can’t be decreased unless two authorized contacts and their associated PINs contact Pure Support.

And they’re fast. It takes less than a millisecond for a snapshot to create a few persistent data structures. 

SafeMode Is Easy to Set Up 

SafeMode is included without any additional license and is built into both FlashArray™ and FlashBlade systems.

Setting up SafeMode to protect your data is as simple as this:

  1. Contact Pure Storage and enable SafeMode. Support will set up a conference call with you and your account team.
  2. Set up SafeMode Approvers. You can authorize up to five contacts who can make changes to SafeMode. Each authorized contact will get a six-digit PIN. If you’ve never set up SafeMode administration, you can set up SafeMode Approvers through our new Pure1® process by following these directions (Pure1 login required). Otherwise, you can reach out directly to Pure Support. Be prepared to assign no less than two admins (up to five) who are authorized to modify SafeMode changes. Learn more about Enhanced SafeMode Management.
  3. Adjust the Eradication Timer to something beyond 24 hours to provide an optimal recovery window.
  4. To disable, call Pure Technical Support.

SafeMode Is Easy to Use 

Changes to SafeMode are only possible when at least two authorized contacts from your organization conference with the Pure Support team.

SafeMode doesn’t delete your system’s volumes, snapshots, hosts, or anything else. It destroys them. Once destroyed, these objects sit in a special “destroyed” area that is visible in the GUI. They remain recoverable for 24 hours, by default. After 24 hours, SafeMode eradicates these objects permanently. This Eradication Timer provides an “Undo” button for mistakes.

However, any array admin can eradicate any destroyed object. Just click on the trash can icon next to it, and it’s gone forever. SafeMode prevents this by locking everything in the destroyed area. You have to wait for the Eradication Timer to count down before the object can be removed forever. For ransomware, 24 hours isn’t long enough. We suggest changing the timer to a longer duration such as 14 days. You can select up to 30 days.

benefits of safe mode
Figure 3: Benefits of SafeMode Snapshots. 

SafeMode Is Easy to Manage in Pure1

Customers can conveniently manage their SafeMode settings alongside other storage management tasks in Pure1. SafeMode changes can be initiated in the Appliances view by clicking on the SafeMode shield icon in the desired array’s card.

We also implemented a more streamlined multi-party approval process. The multi-party approval process works by involving multiple individuals with designated roles and permissions in the approval process. When a user attempts to make changes or access sensitive functions within SafeMode using Pure1, the system prompts for approval from multiple authorized parties. 

Get Auto-on SafeMode with Purity Version 6.4.10

With Purity 6.4.10 and onward, Auto-on SafeMode is turned on by default for all new volumes created, whether on a new FlashArray or your existing array. With Auto-on SafeMode, all new volumes have baseline protections through SafeMode-protected snapshots. Auto-on SafeMode works in the background until you need it, which is the best possible approach to security.

It’s possible to opt out of Auto-on, and you can do so globally or per volume. To opt out globally, during the upgrade, simply select the option in Pure1 or respond back in your support case. Opting out per volume is easy, too. Just deselect the “Add to pgroup-auto” when creating a new volume. 

How SafeMode Delivers True Cyber Resilience: A Real-world Success Story

In March 2024, a well-known national company faced a severe challenge. A ransomware attack targeted their data infrastructure, impacting two key data arrays and causing a near-complete operational shutdown—95% of the company was offline, and the situation was severe enough to make the news.

During this critical time, the Pure Storage account team coordinated swiftly with Pure Support to address the crisis. Fortunately, one of the affected assets had SafeMode enabled, which was protecting a selected subset of snapshots.

The recovery process began with the NAS array, leveraging the SafeMode-protected snapshots. Within just a couple of days, the NAS array was fully restored, demonstrating the rapid recovery capability of SafeMode. The team then proceeded to restore the SAN array using these secure snapshots.

The result was a complete recovery of both arrays, a testament to the foresight of having SafeMode enabled. The company was not only able to resume normal operations quickly but also avoided the potential long-term consequences of a ransomware attack.

A customer comment highlighted the effectiveness of the response:

“Tier 1 and Tier 2 are fully restored and were done at an amazingly fast speed, thank you!”

Conclusion

Businesses must maintain cyber resilience in the face of attacks like ransomware. This is where Pure Storage SafeMode comes into play, offering secure and operationally flexible protection. While technology often complicates things, this isn’t the case with SafeMode. As we’ve been saying since 2011, there’s no reason for compromise or complexity.

More on Ransomware

  1. Ransomware Protection with NetBackup MSDP and FlashBlade
  2. Is Disaster Recovery Really Ransomware Recovery?
  3. Simplified Data Protection through Enhanced SafeMode Management
  4. Ransomware Isn’t Slowing, But Governments Have a Way Out

Written By: