Skip to main content
NetApp Knowledge Base

Why didn't Cloud InSights Workload Security produce an alert during a simulated ransomware attack?

Last Updated:

Applies to

  • Cloud Secure (CS)


Typically, this is a result of a simulation that does not closely enough mimic the signature of a true ransomware attack. NetApp includes a simulation script within the agent software package and recommends using this to demonstrate the effectiveness of the ransomware detection. See the documentation on Simulating an Attack for information on how this works and recommendations on how to perform the testing.

In general, consider these factors when performing a simulated ransomware attack to demonstrate Cloud Secure detection:

  • Make sure encrypted files are not empty.
  • Make sure more than 50 files are encrypted. A small number of files will be ignored.
  • Do not run an attack with the same user multiple times. After a few times, CS will learn this user behavior and assume it is the user's normal behavior.
  • Do not encrypt files the same user has just created. Changing a file a user just created is not considered a risky activity. Instead, use files created by another user OR wait for a few hours between creating the files and encrypting them.

Additional Information



NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.