Strengthening Cyber Resilience for NetApp ONTAP with Backup2Cloud NG

Unstructured data continues to grow rapidly across enterprise storage environments, and NetApp ONTAP platforms are no exception. File shares, application data, and user content all add value to the business, but they also increase the attack surface for malware and ransomware.

As cyber threats become more sophisticated, it is no longer enough to focus solely on protecting production systems. Organisations must also ensure that the data they rely on for recovery is clean, trusted, and free from hidden threats.

That is why we are pleased to announce a new capability within Backup2Cloud NG, powered by HYCU HCE, that enhances cyber resilience for NetApp ONTAP environments.

Malware scanning for ONTAP file data, without disruption
Backup2Cloud NG now supports malware scanning for NetApp ONTAP file data using YARA rules, enabling organisations to detect hidden threats without impacting production systems or backup operations.

This approach allows security and infrastructure teams to gain deeper visibility into their data while maintaining the performance and availability their users expect.

Unlike traditional antivirus tools that rely on scanning data as it is accessed, this capability operates out of band, meaning it does not interfere with live workloads or introduce delays during backup windows.

Why unstructured data is a growing risk
Unstructured file data often contains information that is infrequently accessed but highly valuable, such as historical records, shared documents, and application outputs. These files can remain unchanged for long periods, making them an ideal place for malware to persist unnoticed.

In many cases, organisations only discover infected files during a recovery event, when time pressure is highest and options are limited. Restoring compromised data can reintroduce malware into the environment, undermining recovery efforts and increasing business risk.

By proactively scanning file data for known indicators of compromise, organisations can identify and address threats earlier, before they have the chance to spread or resurface during a restore.

What YARA-based scanning delivers
YARA rules are widely used by security teams to identify malware based on known patterns and behaviours within files. Rather than relying solely on file metadata or access activity, YARA examines file contents to detect malicious indicators that may otherwise go unnoticed.

With Backup2Cloud NG, this capability is applied directly to NetApp ONTAP file data in a way that is operationally safe and efficient. There is no requirement to pause production systems, no impact on user access, and no disruption to backup schedules.

Key benefits for ONTAP environments
This enhancement enables organisations to:

✔ Scan ONTAP file data for hidden malware without touching production systems

✔ Maintain normal backup performance and operational processes

✔ Detect threats earlier in the attack lifecycle

✔ Reduce the risk of restoring infected data after an incident

✔ Improve confidence in recovery outcomes

The result is a more resilient data protection strategy that focuses not just on recoverability, but on recovering clean, trusted data.

A practical step forward in cyber resilience
Cyber resilience is not achieved through a single tool or technology. It requires a layered approach that combines reliable backups, secure storage, and intelligent threat detection.

By extending malware scanning into NetApp ONTAP file data, Backup2Cloud NG helps bridge the gap between backup and security, giving organisations greater assurance that their recovery data can be trusted when it matters most.

If you would like to learn more about how Backup2Cloud NG can strengthen cyber resilience across your NetApp environment, please get in touch with the Assurestor team.

Break the Attack Loop: Why In-Line Scanning During Backup & Restore Is Now Non-Negotiable

When ransomware hits, the room splits in two.

One side is calm: they’ve backed up, tested their recovery, and know exactly what to do. The other side is staring at encrypted screens, weighing up whether to pay a criminal and hoping the decryption key actually works.

But here’s the uncomfortable truth that’s changed the game: having a backup is no longer enough. Cybercriminals have evolved. They now specifically target your backup infrastructure, and they’ve developed a particularly insidious tactic to neutralise your last line of defence before you even know an attack is coming.

The Attack Loop: How Ransomware Defeated Traditional Backup

The latest ransomware strains don’t announce their presence immediately. It may take days, weeks, sometimes months, before an attack is initiated. During that dormant period, malware is quietly embedded across your systems and, critically, backed up alongside your legitimate data.

When you finally trigger a restore to recover from the attack, you bring the malware back with you. The production environment is re-infected. The attackers win again. This is the Attack Loop, and it’s exactly why a backup alone is no longer a resilience strategy.

Cybercriminals understand the economics perfectly. A good backup means a bad payday for them. So they’ve adapted to poison the well.

Why Traditional Backup Software Falls Short

Most legacy backup tools were designed for a simpler threat landscape. They capture data, store it, and retrieve it. Security was an afterthought: an add-on, not a core function.

The problems are structural:

Scanning happens at the point of backup only. If malware was dormant during the backup window, it gets archived cleanly. By the time it activates, it’s embedded in every recovery point you own.

Predictable file naming conventions. Experienced attackers know exactly what backup repositories look like on disk. Traditional tools use recognisable file structures, making it straightforward for an attacker who’s gained access to locate and delete or corrupt your backups directly.

Single-factor access to management consoles. If an attacker phishes an admin’s credentials, they can walk straight into your backup settings and quietly disable retention policies, delete repositories, or alter schedules, days or weeks before triggering the ransomware payload.

No protection against double and triple extortion. Attackers increasingly download a copy of your data before encrypting it. If your backup data isn’t encrypted at rest and in-flight, it becomes a secondary target and another lever for demanding payment.

The Modern Answer: Bidirectional In-Line Scanning

The solution isn’t just better antivirus. It’s fundamentally rethinking where and when scanning happens in the backup and recovery workflow.

Asigra Tigris is built on this principle. Rather than treating security as an external layer, it embeds protection directly into the backup and restore pipeline through what it calls a “Deep Six” security architecture.

Scan on Backup, and on Restore

Tigris performs two malware scans. The first happens during backup: every file is scanned, and any malware detected is quarantined rather than archived. But the critical innovation is the second scan, performed during the restore process.

This is what breaks the Attack Loop. When you restore data after an attack, Tigris scans again. Any ransomware that was dormant during the original backup, and therefore backed up cleanly, is caught at restore time, quarantined, and prevented from re-infecting your production environment. You restore clean data, not the infection.
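The following is an added example, not code from Asigra, HYCU or the Backup2Cloud NG product, showing the mechanics behind both the YARA-based content scan described earlier and the scan-on-backup plus scan-on-restore flow described here. It uses a cut-down, hypothetical rule format (named byte strings with an "any of them" / "all of them" condition, a small subset of real YARA) so it runs without the yara-python library; the signatures and the sample share files are constructed for illustration and are not real malware indicators. The point it demonstrates is that a file which passed the backup-time scan with the rule set of that day is still caught at restore time once the rule set has been updated.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Cut-down YARA-style rule: named byte strings plus an 'any' / 'all'
    condition (assumed subset; real YARA conditions are far richer)."""
    name: str
    strings: dict[str, bytes]
    condition: str = "any"  # "any" of the strings, or "all" of them

    def matches(self, data: bytes) -> bool:
        hits = [pattern in data for pattern in self.strings.values()]
        return all(hits) if self.condition == "all" else any(hits)


# Constructed, hypothetical signatures for illustration only.
RULES_AT_BACKUP = [
    Rule("Ransom_Note_Marker", {"$note": b"YOUR FILES HAVE BEEN ENCRYPTED"}),
]
# By restore time the rule set has gained a signature that did not exist when
# the backup was taken (hypothetical rule).
RULES_AT_RESTORE = RULES_AT_BACKUP + [
    Rule("Susp_AutoOpen_Shell_Macro",
         {"$auto": b"AutoOpen", "$shell": b"Shell("}, "all"),
]

# Constructed sample files standing in for the contents of an ONTAP share.
SAMPLE_FILES = {
    "share/report.txt": b"Q3 summary: storage growth 12%, no incidents",
    "share/README_DECRYPT.txt": b"YOUR FILES HAVE BEEN ENCRYPTED. Contact us.",
    "share/invoice.docm": b"PK\x03\x04 vbaProject Sub AutoOpen() Shell(cmd) End Sub",
}


def scan(data: bytes, rules: list[Rule]) -> list[str]:
    """Return the names of every rule that matches the file contents."""
    return [r.name for r in rules if r.matches(data)]


@dataclass
class Repository:
    archived: dict[str, bytes] = field(default_factory=dict)
    quarantined: dict[str, list[str]] = field(default_factory=dict)


def backup(repo: Repository, files: dict[str, bytes], rules: list[Rule]) -> None:
    """Scan on backup: clean files are archived, flagged files are quarantined."""
    for path, data in files.items():
        hits = scan(data, rules)
        if hits:
            repo.quarantined[path] = hits
        else:
            repo.archived[path] = data


def restore(repo: Repository, rules: list[Rule]):
    """Scan again on restore, with the rule set current at restore time, so a
    file that was dormant (or unknown) at backup time is blocked rather than
    re-introduced into production."""
    restored: dict[str, bytes] = {}
    blocked: dict[str, list[str]] = {}
    for path, data in repo.archived.items():
        hits = scan(data, rules)
        if hits:
            blocked[path] = hits
        else:
            restored[path] = data
    return restored, blocked


def run_demo() -> dict[str, list[str]]:
    """Backup with the old rules, restore with the updated ones; return a summary."""
    repo = Repository()
    backup(repo, SAMPLE_FILES, RULES_AT_BACKUP)
    restored, blocked = restore(repo, RULES_AT_RESTORE)
    return {
        "quarantined_at_backup": sorted(repo.quarantined),
        "blocked_at_restore": sorted(blocked),
        "restored_clean": sorted(restored),
    }


if __name__ == "__main__":
    for stage, paths in run_demo().items():
        print(f"{stage}: {paths}")
```

In the demo the ransom-note file is quarantined at backup time, the macro document sails through that first scan because no rule covered it yet, and it is then blocked at restore time by the newer rule; only the clean report is restored. Keeping rule sets current on the restore side is therefore as important as on the backup side.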

Content Disarm and Reconstruction (CDR)

Modern ransomware doesn’t always look like malware. It hides inside ordinary business documents: PDFs, Office files with macros, media files. Even advanced antimalware scanning can miss deeply embedded executable objects inside these file types.

Content Disarm and Reconstruction (CDR) addresses this by deconstructing files, stripping any potentially malicious code, and rebuilding a clean, functional version. Tigris applies CDR as part of both the backup and restore process, not just at the network gateway where it’s traditionally deployed. That matters, because it only takes one file getting past your front door to start an attack.
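As an added illustration of the deconstruct, strip and rebuild cycle that CDR performs, not code from Asigra Tigris or any CDR vendor, the example below takes a constructed, heavily simplified macro-enabled Office document (OOXML is a zip of XML parts), removes the parts that carry active content (the VBA project, embedded OLE objects and ActiveX controls are the assumed deny-list), and drops the relationship and content-type entries that referenced them, so the rebuilt file still opens as an ordinary document. A production CDR engine handles far more file types and object kinds; the part names and deny-list here are assumptions for the demo.

```python
from __future__ import annotations
import io
import re
import zipfile

# Assumed deny-list of OOXML parts that carry active content.
STRIP_PARTS = re.compile(r"^(?:word|xl|ppt)/(?:vbaProject\.bin|embeddings/.*|activeX/.*)$")
# Self-closing <Relationship .../> and <Override .../> elements in .rels and [Content_Types].xml.
ELEMENT = re.compile(r"<(?:Relationship|Override)\b[^>]*?/>")


def _refers_to_removed(element: str, removed: list[str]) -> bool:
    """True if a Relationship/Override element points at a stripped part."""
    m = re.search(r'(?:Target|PartName)="([^"]+)"', element)
    if not m:
        return False
    ref = m.group(1).lstrip("/")
    return any(part == ref or part.endswith("/" + ref) for part in removed)


def disarm(doc: bytes) -> tuple[bytes, list[str]]:
    """Deconstruct the zip, drop active-content parts, fix up the metadata
    that referenced them, and rebuild a functional document."""
    src = zipfile.ZipFile(io.BytesIO(doc))
    names = src.namelist()
    removed = [n for n in names if STRIP_PARTS.match(n)]
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in names:
            if name in removed:
                continue
            data = src.read(name)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                text = data.decode("utf-8")
                text = ELEMENT.sub(
                    lambda m: "" if _refers_to_removed(m.group(0), removed) else m.group(0), text)
                data = text.encode("utf-8")
            out.writestr(name, data)
    return out_buf.getvalue(), removed


def build_sample_docm() -> bytes:
    """Constructed, minimal stand-in for a .docm with an AutoOpen macro."""
    parts = {
        "[Content_Types].xml": (
            '<Types><Override PartName="/word/document.xml" ContentType="application/xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
        "word/_rels/document.xml.rels": (
            '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/></Relationships>'),
        "word/document.xml": "<w:document><w:body><w:p><w:t>Invoice 2024-17</w:t></w:p></w:body></w:document>",
        "word/styles.xml": "<w:styles/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 Sub AutoOpen() End Sub",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def list_parts(doc: bytes) -> list[str]:
    return zipfile.ZipFile(io.BytesIO(doc)).namelist()


def read_part(doc: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(doc)).read(name)


if __name__ == "__main__":
    clean, removed = disarm(build_sample_docm())
    print("stripped:", removed)
    print("remaining parts:", list_parts(clean))
```

Because the body text, styles and their relationships are untouched, the user gets a working document back; only the executable payload and the metadata that would have tried to load it are gone, which is why CDR is useful at restore time and not only at the network edge.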

Multiperson Approval (MPA) and Multifactor Authentication (MFA)

Credential theft is one of the most common attack vectors. If a threat actor phishes an admin’s login, they can make destructive changes to backup settings without triggering any alarms.

Tigris counters this with two layers. MFA adds a second authentication step for login and for any potentially destructive action, such as deleting backup repositories. MPA goes further, requiring multiple people to approve such actions. An attacker with one set of stolen credentials simply cannot proceed unilaterally.

Repository Obfuscation with Variable Naming

If an attacker gains access to your storage environment, knowing where your backups live is half the battle. Traditional tools use predictable, well-known file naming patterns.

Tigris uses variable repository naming, dynamically obscuring backup file identities so attackers cannot easily identify, locate, or target your recovery data, even with storage-level access.

Soft Delete: The Hidden Safety Net

Even if an attacker manages to access the backup management console and attempts to delete backup jobs, Tigris has one more layer of protection. Soft Delete gives the appearance of successful deletion; the admin console reports it’s done, but a hidden copy of the backup job is retained, recoverable only by those who know it exists.

True deletion requires a separate two-step process that isn’t visible to an attacker unfamiliar with the system.
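To make the control flow of the MFA, multi-person approval and Soft Delete sections concrete, here is an added model of a backup repository's deletion path. It is not Asigra's or Tigris's code and its details (a quorum of two distinct approvers, a session flag set only after the second factor, a hidden copy that a separate purge step removes) are assumptions chosen to mirror the behaviour the text describes. The demo walks a single stolen credential through the path and shows where each layer stops it.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class MfaRequired(Exception):
    """A destructive action was attempted without a second factor."""


class ApprovalRequired(Exception):
    """Fewer distinct approvers than the quorum have signed off."""


@dataclass
class Session:
    user: str
    mfa_verified: bool = False  # set by the login flow after the second factor


@dataclass
class BackupRepository:
    quorum: int = 2  # distinct approvers needed for a destructive action (assumed)
    jobs: dict[str, bytes] = field(default_factory=dict)
    hidden: dict[str, bytes] = field(default_factory=dict)  # soft-deleted copies
    approvals: dict[str, set[str]] = field(default_factory=dict)

    def console_view(self) -> list[str]:
        """What the admin console lists; soft-deleted jobs do not appear."""
        return sorted(self.jobs)

    def _require_mfa(self, s: Session) -> None:
        if not s.mfa_verified:
            raise MfaRequired(f"{s.user}: second factor not presented")

    def approve_delete(self, s: Session, job: str) -> int:
        """Record one person's approval; returns the number of distinct approvers."""
        self._require_mfa(s)
        self.approvals.setdefault(job, set()).add(s.user)
        return len(self.approvals[job])

    def delete(self, s: Session, job: str) -> bool:
        """Soft delete: reports success once the quorum is met, but keeps a
        hidden copy that is invisible through the console."""
        if self.approve_delete(s, job) < self.quorum:
            raise ApprovalRequired(f"{job}: {len(self.approvals[job])}/{self.quorum} approvals")
        self.hidden[job] = self.jobs.pop(job)
        del self.approvals[job]
        return True

    def recover(self, job: str) -> None:
        """Bring a soft-deleted job back from the hidden copy."""
        self.jobs[job] = self.hidden.pop(job)

    def purge(self, s: Session, job: str) -> None:
        """Second, separate step of true deletion: only an already soft-deleted
        job can be purged, and again only with a second factor."""
        self._require_mfa(s)
        del self.hidden[job]


def attempt_delete(repo: BackupRepository, s: Session, job: str) -> str:
    """Run one deletion attempt and report the outcome as a status string."""
    try:
        repo.delete(s, job)
        return "deleted"
    except MfaRequired:
        return "mfa_required"
    except ApprovalRequired:
        return "approval_required"


def run_demo() -> list[str]:
    """Constructed scenario: one repository job, one stolen credential, two admins."""
    repo = BackupRepository(jobs={"ontap-svm1-daily": b"<backup job metadata>"})
    stolen = Session("admin1")                    # password only, no second factor
    admin1 = Session("admin1", mfa_verified=True)
    admin2 = Session("admin2", mfa_verified=True)
    trail = [
        attempt_delete(repo, stolen, "ontap-svm1-daily"),  # blocked by MFA
        attempt_delete(repo, admin1, "ontap-svm1-daily"),  # 1 of 2 approvals
        attempt_delete(repo, admin1, "ontap-svm1-daily"),  # same person, still 1 of 2
        attempt_delete(repo, admin2, "ontap-svm1-daily"),  # quorum met: soft-deleted
    ]
    trail.append("console:" + ",".join(repo.console_view()))  # console shows nothing
    repo.recover("ontap-svm1-daily")                          # hidden copy restores it
    trail.append("console:" + ",".join(repo.console_view()))
    return trail


if __name__ == "__main__":
    print(run_demo())
```

The trail the demo returns reads mfa_required, approval_required, approval_required, deleted, an empty console listing, and then the job back in the listing after recovery. Note that a second approval from the same account does not advance the count: the quorum is over distinct people, which is what makes one stolen credential insufficient.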

AES-256 Encryption In-Flight and At-Rest

Double and triple extortion attacks, where attackers steal data before encrypting it and then threaten to publish it, are now standard practice. Backup data is increasingly the softer target.

Tigris protects against this with NIST FIPS 140-2 AES-256 encryption covering data both in transit and at rest, making backup repositories useless to attackers even if they succeed in exfiltrating them.

Agentless Architecture: Security Without the Overhead

One reason organisations sometimes underinvest in backup security is operational friction. Deploying and maintaining agents across every endpoint adds complexity, creates attack surface, and slows down updates.

Tigris deploys as a network-based, agentless architecture with no endpoint agents required. It can be deployed in Docker containers, managed through a single pane of glass, and covers operating systems, virtual machines, and databases comprehensively. Updates are smoother, administration is reduced, and the security footprint itself is minimised.

Recovery Confidence Matters as Much as Security

Security is only half the equation. When the worst happens, recovery needs to be fast and reliable.

Tigris pairs its security architecture with advanced recovery capabilities: autonomic healing that automatically repairs corrupted backups, in-memory restore validation that tests recovery before it goes live, VM replication for standby failover, and incremental-forever backup that lets you restore from any point in time. Granular recovery means you can restore an individual file or an entire data centre, on demand.

For more on how Asigra Tigris protects backup environments against modern ransomware tactics and how to get a Ready-To-Use Tigris Platform (Backup2Cloud) click below…