Rescue Your Application When It Matters Most
Author
Naj Husain
Date Published

Dr. Srinidhi Varadarajan, Chief Scientist, Elastio Software
Since the advent of CryptoLocker in 2013, ransomware has become a major drain on businesses, affecting their survival. With 56% of businesses hit in the last 12 months and 42% of them losing data, early detection and prevention of lateral spread represent one of the most potent defenses against ransomware.
Ransomware enters an infrastructure as part of a payload through several entry vectors. One common route in the cloud is security misconfigurations and unpatched software vulnerabilities in the application chain, which allow an attacker to drop a payload on the victim system. Another is the compromise of security tokens from IAM roles. More targeted attacks combine social engineering with spear phishing against identified targets, as in the recent MGM and Caesars attacks. The last few years have also seen the rise of human teams coordinating attacks on a single target to compromise as many lateral systems as possible. The problem is prevalent enough that it is a matter of when, not if. The average payout in the last twelve months was $2M per incident.
Figure: Average Ransom Demand By Industry
Ransomware is typically the last part of a larger malware payload, which includes backdoors and a communication path to command and control servers. The larger malware payload dwells for a period of time, during which it spreads laterally within the infrastructure to expand its foothold and leave further backdoors behind. In the last stage – the attack phase – a ransomware package is detonated, encrypting user data across multiple systems.
Dwell times have fallen considerably over the last year from over 72 days to 5 days for aggressive strains, which reflects the confluence of two factors. First, better cyber defenses have increased detection risk. Second, targeted attack teams are becoming more common, creating a larger initial beachhead and thus reducing the need to dwell longer than necessary. The loss of five days of data is an extinction-level event for many businesses.
Backups are commonly used to recover data encrypted during a ransomware attack. However, if the malware payload is not identified and neutered, restoring from backups simply reintroduces the backdoors captured in the infected backups. This leads to persistent infections and a wide-open exfiltration pathway within the infrastructure for repeated data ransom demands. A worse outcome occurs when malware has lingered long enough that backup retention policies have rolled off the old backups, leaving no backup that is free of malware.
Clearly, backups alone are not enough – early detection of malware is needed to ensure that backups are clean and healthy. While air-gapped systems provide an additional layer of security, they are only as good as the data entering them – without early detection, malware can slip through to air-gapped backups as well.
Some backup systems deploy an anomaly detection engine to provide early warning of a ransomware attack. These engines look for signals in a snapshot, such as the change rate of the snapshot, to indicate suspicious behavior. More sophisticated engines look inside a backup to measure the entropy (degree of randomness) of files. Encrypted data is very close to the maximum measure of entropy and, intuitively, should stand out. It doesn’t – Microsoft PowerPoint files have similar entropy to encrypted files, as do many other common (compressed) file formats. The issue here is the large rate of false positives that have to be sifted through even to know whether an attack is in progress. Worse yet is alert fatigue and the subsequent alert suppression that misses critical patterns. As every security team can attest, we want actionable intelligence, not another alert.
And this is just the tip of the iceberg – even sophisticated anomaly detection techniques are commonly defeated. Malware such as LockFile, Rook, and BianLian encrypts subsets of data so the overall entropy of a file remains low. Others, such as Xorist, AlphaLocker, and Corona, do not change any file metadata, so signals such as the last modified time of a file remain unchanged and thus don’t trigger alerts. TimeTime encrypts files slowly over time to stay below activity threshold detectors. Alcatraz Locker uses simple file encoding, and Clop, Vaca, and several others skip encrypting the file header and thus require deep file inspection to identify their impact. The list of evasion techniques is long and continues to evolve.
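The two paragraphs above make three claims that are easy to check numerically: compressed documents look like ciphertext to a whole-file entropy measure, partial encryption keeps whole-file entropy low, and an intact header says nothing about the body. The following Python script is an added illustration written for this page, not Elastio's engine or any of its code. All inputs are constructed in the script (a pseudo-text corpus, zlib output standing in for a PPTX/ZIP container, and seeded random bytes standing in for ciphertext); the 7.0 bits-per-byte chunk threshold and the 4 KiB chunk size are illustrative choices.

```python
import math
import random
import zlib
from collections import Counter

# Constructed sample vocabulary: stands in for ordinary text files in a backup.
WORDS = ["backup", "snapshot", "restore", "vault", "ransom", "entropy", "file",
         "metadata", "clean", "scan", "detect", "policy", "retention", "system",
         "recovery", "data", "volume", "object", "index", "log"]
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG signature; shows a header check alone is not enough
SIZE = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_text(size: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-text built from WORDS (constructed sample input)."""
    rng = random.Random(seed)
    buf = bytearray()
    while len(buf) < size:
        buf += rng.choice(WORDS).encode() + b" "
    return bytes(buf[:size])


def pseudo_ciphertext(size: int, seed: int = 2) -> bytes:
    """Deterministic uniformly distributed bytes standing in for ciphertext."""
    return random.Random(seed).randbytes(size)


def flagged_chunks(data: bytes, chunk_size: int = 4096, threshold: float = 7.0) -> list[int]:
    """Indices of fixed-size chunks whose entropy reaches the threshold.
    Chunked scanning is what exposes partial encryption that whole-file entropy hides."""
    return [i for i, start in enumerate(range(0, len(data), chunk_size))
            if shannon_entropy(data[start:start + chunk_size]) >= threshold]


def has_png_magic(data: bytes) -> bool:
    """A naive 'is the file still a PNG?' check that header-preserving strains defeat."""
    return data.startswith(PNG_MAGIC)


# Constructed samples, one per claim in the text.
PLAINTEXT = make_text(SIZE)
COMPRESSED = zlib.compress(PLAINTEXT, 9)                       # stands in for PPTX/DOCX/ZIP content
ENCRYPTED = pseudo_ciphertext(SIZE)                            # fully encrypted file
PARTIAL = PLAINTEXT[:-4096] + pseudo_ciphertext(4096, seed=3)  # only the last 4 KiB encrypted
HEADER_KEPT = PNG_MAGIC + pseudo_ciphertext(4096 - len(PNG_MAGIC), seed=4)  # header intact, body encrypted


def report() -> dict[str, dict]:
    """Whole-file entropy, chunk-level flags and header check for every sample."""
    samples = {"plaintext": PLAINTEXT, "compressed": COMPRESSED, "encrypted": ENCRYPTED,
               "partially_encrypted": PARTIAL, "header_preserved": HEADER_KEPT}
    return {name: {"whole_file_entropy": round(shannon_entropy(d), 2),
                   "flagged_chunks": flagged_chunks(d),
                   "png_magic": has_png_magic(d)}
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:20s} {row}")
```

Running it shows the compressed and encrypted samples both near 8 bits per byte (the false-positive case), the partially encrypted file scoring like plaintext as a whole yet flagged in exactly one chunk, and the header-preserved sample passing the magic-number check while every byte behind the header is ciphertext.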
Elastio addresses this problem through a two-pronged strategy – early detection in the spread phase to detect malware before it detonates, and post-attack recovery that quickly identifies affected data assets along with their last known clean copies. For early detection, Elastio’s data integrity engine scans every backup for known ransomware and malware strains against a database that updates continuously. This provides actionable threat intelligence that identifies the exact malware, the set of affected systems, and its impact.
The post-attack recovery phase is focused on the inevitable conclusion that, however good, prevention techniques only have to fail once. Some fraction of ransomware will detonate, requiring post-attack recovery to get back to a clean state. Elastio uses an ensemble of behavioral analysis, deep file inspection, and deterministic models from our security lab to detect ransomware. Behavioral analysis identifies malicious files based on usage patterns, characteristics, and known indicators of malware. It uses a statistical model to group patterns of behavior in a high-dimensional space to determine if they are ransomware. This approach relies on the fact that all ransomware exhibits certain common characteristics in higher-order space that can be detected via statistical analysis of complex patterns. The model is very good at capturing large-scale behavior while retaining file-level granularity. The behavioral analysis also includes over-time analysis, where a timeline of backups is analyzed for the stability of their behavior over time at the granularity of each file. This technique is particularly important in de-obfuscating malware that doesn’t change metadata. Behavioral analysis can detect both known and unknown ransomware strains.
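The over-time analysis described above (comparing each file across a timeline of backups) is the piece that catches strains which leave metadata untouched. The script below is an added, self-contained illustration of that idea, not Elastio's model or code: it keeps a content hash and the recorded modification time for each file in each backup, flags a file whose bytes changed between two consecutive backups while its mtime stayed the same, and reports the last backup before that change as the last clean copy. The three backups and their files are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """One file as captured in a backup (constructed sample data)."""
    path: str
    mtime: int        # Unix timestamp the filesystem reports for the file
    content: bytes    # file bytes as captured in the backup

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def snapshot(*records: FileRecord) -> dict[str, FileRecord]:
    """Index a backup's files by path."""
    return {r.path: r for r in records}


def suspicious_changes(older: dict[str, FileRecord], newer: dict[str, FileRecord]) -> list[str]:
    """Paths whose content changed while the recorded mtime did not.
    A legitimate edit advances mtime; a metadata-preserving encryptor does not."""
    hits = []
    for path, new in newer.items():
        old = older.get(path)
        if old is not None and old.mtime == new.mtime and old.digest() != new.digest():
            hits.append(path)
    return hits


def scan_timeline(snapshots: list[dict[str, FileRecord]]) -> list[tuple[int, str]]:
    """(backup index, path) for every metadata-preserving content change in the timeline."""
    findings = []
    for i in range(1, len(snapshots)):
        for path in suspicious_changes(snapshots[i - 1], snapshots[i]):
            findings.append((i, path))
    return findings


def last_clean_index(snapshots: list[dict[str, FileRecord]], path: str) -> int:
    """Index of the last backup taken before the first suspicious change to `path`;
    the newest backup if the file was never flagged."""
    for i, p in scan_timeline(snapshots):
        if p == path:
            return i - 1
    return len(snapshots) - 1


# Constructed timeline of three backups.
T0 = 1_700_000_000
BACKUPS = [
    snapshot(FileRecord("docs/report.txt", T0, b"Q3 report draft"),
             FileRecord("docs/budget.csv", T0 + 60, b"line,amount\nrent,1200\n"),
             FileRecord("app/config.yml", T0 + 120, b"mode: prod\n")),
    snapshot(FileRecord("docs/report.txt", T0 + 3600, b"Q3 report final"),   # legitimate edit: mtime advanced
             FileRecord("docs/budget.csv", T0 + 60, b"line,amount\nrent,1200\n"),
             FileRecord("app/config.yml", T0 + 120, b"mode: prod\n")),
    snapshot(FileRecord("docs/report.txt", T0 + 3600, b"Q3 report final"),
             FileRecord("docs/budget.csv", T0 + 60, b"\x8f\x11\xa0\x3c\xe2\x77\x05\xb9"),  # bytes replaced, mtime kept
             FileRecord("app/config.yml", T0 + 120, b"mode: prod\n")),
]

if __name__ == "__main__":
    for index, path in scan_timeline(BACKUPS):
        print(f"backup {index}: {path} changed without an mtime change; "
              f"last clean copy is backup {last_clean_index(BACKUPS, path)}")
```

The report edit between backups 0 and 1 is not reported because its mtime moved with the content; the budget file is reported at backup 2 with backup 1 named as the last clean copy.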
Deep file-level inspection performs a more thorough analysis of individual files to detect signs of ransomware. This approach examines the content and structure of files to identify any malicious activity or modifications that indicate ransomware encryption. By inspecting the actual data within files, it provides a higher level of accuracy in detecting ransomware attacks.
Over the last three years, Elastio’s security lab has analyzed over 1900 ransomware families and their variants, representing everything seen publicly since 2014. Some, such as Clop, have variants that are sufficiently evolved to be indistinguishable from their ancestors, including entirely different behaviors. Each malware payload with ransomware was disassembled, neutered from its command and control servers, detonated, and analyzed to produce behavior patterns and indicators of penetration. This enables a comprehensive evaluation of each ransomware threat and represents one of the most potent tools for post-attack application recovery. Over the last six months, Elastio’s security team has been analyzing as yet unreleased malware (in the wild), and the models are now refined enough that they can accurately detect the detonation of the vast majority of hitherto unseen ransomware.
Elastio operates in one of two modes. In scan-only mode, it invokes a snapshot or mounts a backup from your existing backup system and scans it for malware and ransomware. It always keeps the last clean copy of the backup around to ensure recovery in case of an attack. In the second mode, Elastio takes a snapshot and ingests it into a vault hosted within the customer VPC that is deduplicated, compressed, and encrypted. No data ever leaves the customer account, and for cost savings the vault is backed by S3. The vault is immutable and uses a WORM model with no delete primitive. In this mode, Elastio additionally provides guaranteed recovery, since it holds the data and can ensure the provenance of the backup chain.
In both modes, the Elastio pipeline runs through three stages. The first stage is a health check scan that ensures the base we are starting from has a clean bill of health and can be trusted. As each backup is taken, the malware detection engine scans it for early detection of unexploded malware in its spread phase. This stage produces actionable threat intelligence, including exact threat identification and its behavior. In the post-attack stage, Elastio immediately identifies ransomware detonation and, more specifically, identifies the last clean copies of affected data, which can be restored to a sandbox for analysis. Post-attack recovery is complemented by direct support from Elastio’s security lab to unhook malware and rapidly return the infrastructure to a clean state.
Our goal is simple: recover your applications when you need it most.
About Elastio
Elastio is the leader in Ransomware Recovery Assurance, helping enterprises prove their backups and cloud storage are always safe to recover. Our platform continuously validates backup and cloud storage integrity, detects advanced ransomware encryption that evades perimeter defenses, and guarantees a provable clean recovery point within your SLA. From AWS-native workloads to enterprise backup platforms, Elastio removes attackers’ leverage by making recovery a monitored security control.
Recover With Certainty
See how Elastio validates every backup across clouds and platforms to recover faster, cut downtime by 90%, and achieve 25x ROI.
Related Articles

GuardDuty’s release of malware scanning on AWS Backup is an important enhancement to the AWS ecosystem, reflecting growing industry recognition that inspecting backup data has become a core pillar of cyber resilience. But real-world incidents show that ransomware often leaves no malware behind, making broader detection capabilities for encryption and zero-day attacks increasingly essential.
Across industries, there are countless examples of enterprises with premium security stacks in place - EDR/XDR, antivirus scanners, IAM controls - still suffering extended downtime after an attack because teams couldn’t reliably identify an uncompromised recovery point when it mattered most. That’s because ransomware increasingly employs fileless techniques, polymorphic behavior, living-off-the-land tactics, and slow, stealthy encryption. These campaigns often reach backup and replicated copies unnoticed, putting recovery at risk at the very moment organizations depend on it.
As Gartner puts it: “Modern ransomware tactics bypass traditional malware scanners, meaning backups may appear ‘clean’ during scans but prove unusable when restored. Equip your recovery environment with advanced capabilities that analyze backup data using content-level analytics and data integrity validation.” — Gartner, Enhance Ransomware Cyber Resilience With A Secure Recovery Environment, 2025
This is the visibility gap Elastio was designed to close. In this post, we walk through how Elastio’s data integrity validation works alongside AWS GuardDuty to support security and infrastructure teams from threat detection all the way to recovery confidence, and why integrity validation has become essential in the age of identity-based and fileless attacks.
What is AWS GuardDuty?
AWS GuardDuty is a managed threat detection service that continuously monitors AWS environments for malicious or suspicious activity. It analyzes signals across AWS services, including CloudTrail, VPC Flow Logs, DNS logs, and malware protection scans, and produces structured security findings. GuardDuty integrates natively with Amazon EventBridge, which means every finding can be consumed programmatically and routed to downstream systems for automated response.
For this integration, we focus on GuardDuty malware findings, including:
- Malicious file findings in S3
- Malware detections in EC2 environments
These findings are high-confidence triggers that indicate potential compromise and warrant immediate validation of recovery data. Learn more about GuardDuty.
Why a GuardDuty Finding Should Trigger Recovery Validation
Malware detection is important, but it is no longer sufficient to validate data recoverability.
Identity-based attacks dominate cloud breaches
Today’s attackers increasingly rely on stolen credentials rather than exploits. With valid identities, they can:
- Use legitimate AWS APIs
- Access data without dropping malware
- Blend into normal operational behavior
In these scenarios, there may be nothing malicious to scan, yet encryption or tampering can still occur.
Fileless and polymorphic ransomware evade signatures
Many ransomware families:
- Run entirely in memory
- Continuously mutate their payloads
- Avoid writing recognizable artifacts to disk
Signature-based scanners may report “clean,” even as encryption spreads.
Zero-day ransomware has no signatures
By definition, zero-day ransomware cannot be detected by known signatures until after it has already caused damage - often widespread damage. The result is a dangerous failure mode: backups that scan clean but restore encrypted or corrupted data.
Why Integrity Validation Changes the Outcome
Elastio approaches ransomware from the impact side. Instead of asking only “is malware present?”, Elastio validates:
- Whether encryption has occurred
- What data was impacted
- When encryption started
- Which recovery points are still safe to restore
The timeline above reflects a common real-world pattern:
- Initial access occurs quietly
- Encryption begins days or weeks later
- Backups continue, unknowingly capturing encrypted data
- The attack is only discovered at ransom time
Without integrity validation, teams cannot know with confidence that their backups will work when they need them. This intelligence transforms a GuardDuty finding from an alert into an actionable recovery decision.
Using GuardDuty as the Trigger for Recovery Validation
Elastio’s new GuardDuty integration automatically initiates data integrity scans when GuardDuty detects suspicious or malicious activity. Instead of stopping at alerts, the integration immediately answers the implied next question: did this incident affect our data, and can we recover safely? By validating backups and recovery assets in response to GuardDuty findings, Elastio reduces response time, limits attacker leverage, and enables faster, more confident recovery decisions.
Architecture Overview
At a high level:
- GuardDuty generates a malware finding
- The finding is delivered to EventBridge
- EventBridge routes the event into a trusted sender EventBus
- Elastio’s receiver EventBus accepts events only from that sender
- Elastio processes the finding and starts a targeted scan
- Teams receive recovery-grade intelligence, including ransomware detection results, file- and asset-level impact, the last known clean recovery point, and optional forwarding to SIEM or Security Hub
The critical design constraint: trusted senders
Each Elastio customer has a dedicated Receiver EventBus. For security reasons, that receiver only accepts events from a single allowlisted Sender EventBus ARN. This design ensures:
- Strong tenant isolation
- No event spoofing
- Clear security boundaries
To support scale, customers can route many GuardDuty sources (multiple accounts, regions, or security setups) into that single sender bus. Elastio enforces trust at the receiver boundary.
End-to-End Flow
Step 1: GuardDuty detects malware. GuardDuty identifies a malicious file or suspicious activity in S3 or EC2 and emits a finding.
Step 2: EventBridge routes the finding. Native EventBridge integration allows customers to filter and forward only relevant findings.
Step 3: Sender EventBus enforces trust. All GuardDuty findings flow through the designated sender EventBus, which represents the customer’s trusted identity.
Step 4: Elastio receives and buffers events. The Elastio Receiver EventBus routes events into an internal queue for resilience and burst handling.
Step 5: Elastio validates recovery data. Elastio maps the finding to impacted assets and initiates scans that analyze both malware indicators and ransomware encryption signals.
Step 6: Recovery-grade results. Teams receive actionable results:
- Ransomware detection
- File-level impact
- Last known clean recovery point
- Optional forwarding to SIEM or Security Hub
What This Enables for Security and Recovery Teams
By combining GuardDuty and Elastio, organizations gain:
- Faster response triggered by high-signal findings
- Early detection of ransomware encryption inside backups
- Reduced downtime and data loss
- Confidence that restores will actually work
- Audit-ready evidence for regulators, insurers, and leadership
Supported Today
- S3 malware findings
- EC2 malware findings
EBS-specific handling is in progress and will be added as it becomes available.
Why This Matters in Practice
In most ransomware incidents, the challenge isn’t identifying a security signal - it’s understanding whether that signal corresponds to meaningful data impact, and what it implies for recovery. Security and infrastructure teams often find themselves piecing together information across multiple tools to assess whether encryption or corruption has reached backups or replicated data. That assessment takes time, and during that window, recovery decisions are delayed or made conservatively.
By using GuardDuty findings as a trigger for integrity validation, customers introduce earlier visibility into potential data impact. When suspicious activity is detected, Elastio provides additional context around whether recovery assets show signs of encryption or corruption, and which recovery points appear viable. This doesn’t replace incident response processes or recovery testing, but it helps teams make better-informed decisions sooner, particularly in environments where fileless techniques and identity-based attacks limit the effectiveness of traditional malware scanning.
Extending GuardDuty From Detection Toward Recovery Readiness
GuardDuty plays a critical role in surfacing high-confidence security findings. Elastio extends that signal into the recovery domain by validating the integrity of data organizations may ultimately depend on to restore operations. Together, they help teams bridge the gap between knowing an incident may have occurred and assessing recovery readiness, with supporting evidence that can be shared across security, infrastructure, and leadership teams. For organizations already using GuardDuty, this integration provides a practical way to connect detection workflows with recovery validation without changing existing security controls or response ownership.
Watch our discussion: Understanding Elastio & AWS GuardDuty Malware Scanning for AWS Backup
An open conversation designed to answer customer questions directly and help teams understand how these technologies work together to strengthen recovery posture. Topics covered:
- How signature-based malware detection compares to data integrity validation
- Real-world scenarios where behavioral and encryption-based detection matters
- How Elastio extends visibility, detection, and recovery assurance across AWS, Azure, and on-prem environments
- An early look at Elastio’s new integration launching at AWS re:Invent
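The architecture and flow described above have two security-relevant pieces a practitioner has to get right on their own side: the EventBridge rule that forwards only GuardDuty malware findings to the sender bus, and the resource policy on the receiving bus that limits who may put events on it. The Python below is an added illustration for this page, not Elastio's integration code or its actual receiver policy. It implements the subset of EventBridge pattern matching needed for the rule (exact values and prefix filters), applies it to constructed sample findings, and builds a receiver-bus policy that grants events:PutEvents to one sender account only, conditioned on the GuardDuty event source. The account IDs, bus ARN and finding IDs are constructed; the two finding-type prefixes are the GuardDuty Malware Protection naming for S3 and EC2 findings and should be adjusted to the finding types you actually want to forward.

```python
import json

# Constructed identifiers (not real accounts or buses).
SENDER_ACCOUNT = "111122223333"
RECEIVER_BUS_ARN = "arn:aws:events:us-east-1:444455556666:event-bus/elastio-receiver"

# Event pattern for the forwarding rule: only GuardDuty findings whose type
# falls under the S3 or EC2 malware families. {"prefix": ...} is EventBridge's
# prefix-filter syntax; the prefixes are an assumption to tune per deployment.
GUARDDUTY_MALWARE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "Object:S3/"}, {"prefix": "Execution:EC2/"}]},
}


def _match_value(alternative, value) -> bool:
    """One pattern alternative against one event value: literal or prefix filter."""
    if isinstance(alternative, dict):
        return ("prefix" in alternative and isinstance(value, str)
                and value.startswith(alternative["prefix"]))
    return alternative == value


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: every pattern key must be present in the
    event; nested dicts recurse; lists match if any alternative matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not any(_match_value(alt, actual) for alt in expected):
            return False
    return True


def route(events: list[dict]) -> list[str]:
    """Finding ids the rule would forward to the sender bus."""
    return [e["detail"]["id"] for e in events if matches(GUARDDUTY_MALWARE_PATTERN, e)]


def receiver_bus_policy(receiver_bus_arn: str, sender_account: str) -> dict:
    """Resource policy for the receiving bus: a single allowlisted sender account
    may call events:PutEvents, and only for GuardDuty-sourced events."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSingleTrustedSender",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{sender_account}:root"},
            "Action": "events:PutEvents",
            "Resource": receiver_bus_arn,
            "Condition": {"StringEquals": {"events:source": "aws.guardduty"}},
        }],
    }


def trusted_principals(policy: dict) -> set[str]:
    """Every principal the policy allows to PutEvents; a review check that the
    set contains exactly the one sender you intended."""
    found: set[str] = set()
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and "events:PutEvents" in actions:
            principal = st["Principal"]["AWS"]
            found.update(principal if isinstance(principal, list) else [principal])
    return found


# Constructed sample events in EventBridge's envelope shape.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f-s3-001", "type": "Object:S3/MaliciousFile", "severity": 8}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f-ec2-002", "type": "Execution:EC2/MaliciousFile", "severity": 8}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f-recon-003", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2}},
    {"source": "example.internal", "detail-type": "GuardDuty Finding",   # not from GuardDuty
     "detail": {"id": "f-other-004", "type": "Object:S3/MaliciousFile", "severity": 8}},
]

if __name__ == "__main__":
    print("forwarded findings:", route(SAMPLE_EVENTS))
    policy = receiver_bus_policy(RECEIVER_BUS_ARN, SENDER_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("trusted senders:", sorted(trusted_principals(policy)))
```

Only the two malware findings are forwarded; the port-probe finding and the event whose source is not GuardDuty are dropped by the pattern, and the policy check confirms a single trusted sender before the bus is deployed.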

Hunting and Defeating EDR-Evading Threats and Machine-Identity Attacks
As enterprises accelerate cloud transformation, containerization, AI adoption, microservices, and automation, a subtle yet profound shift is reshaping the cyber threat landscape. Traditional endpoint-based detection approaches are no longer sufficient. Attackers are increasingly evading EDR, while simultaneously exploiting a rapidly expanding universe of machine identities such as service accounts, certificates, API keys, and ephemeral workload tokens. This creates a new, invisible attack surface that is often unmonitored, ungoverned, and misunderstood.
To defend effectively, organizations must evolve. The new model brings together endpoint awareness, identity intelligence, and data-layer resilience to expose threats that would otherwise remain invisible.
The EDR Blind Spot Is Widening
Endpoint Detection and Response has been the backbone of enterprise defense. But adversaries have learned to systematically bypass it through techniques that interfere with telemetry, suppress alerts, operate from memory, or shift their activity into systems or layers where EDR agents cannot run. Some threat groups have deployed tooling that disables endpoint monitoring components entirely, allowing operations to continue with little or no visibility for defenders.
At the same time, many critical infrastructure components do not support EDR at all. Hypervisors, storage appliances, virtual machine management systems, and specialized cloud services often sit outside traditional endpoint protections. Attackers increasingly target these layers because activity there blends in with normal operations and rarely triggers alarms. As a result, relying solely on endpoint-centric detection creates blind spots that grow wider as modern infrastructure becomes more distributed.
The Explosion of Machine Identities and the Risks They Introduce
While EDR evasion grows more sophisticated, another trend has emerged in parallel: the exponential rise of machine identities. These are non-human actors created by automation pipelines, containers, microservices, serverless functions, AI agents, DevOps tooling, and cloud services. Machine identities now outnumber human identities in most cloud-forward enterprises by enormous margins.
They often carry privileged permissions, access sensitive data paths, or control critical infrastructure functions. Unlike human accounts, these identities rarely follow standardized onboarding, governance, audit, or lifecycle processes. Many are short-lived, created and destroyed automatically, leaving gaps in visibility. Others live far longer than intended because no one realizes they still exist.
Attackers increasingly target these identities because compromising one can grant immediate and legitimate access to high-value systems or data. The activity of a hijacked machine identity blends in naturally with expected automation patterns, making detection difficult. In many cases, the identity itself becomes the persistence mechanism.
Identity Becomes the New Perimeter
These dynamics undermine a core assumption behind many security architectures: that identity governance is equivalent to human access control. In cloud-native enterprises, identity is now as much about workloads as it is about people. When machine identities are not continuously monitored, governed, and validated, they become powerful tools for stealthy lateral movement or data manipulation. This means identity has truly become the perimeter. But it is a perimeter that cannot be secured solely with human-centric tools.
The Data Layer Is Where Invisible Threats Finally Become Visible
Machine identities interact with data continuously. They create snapshots, move objects across storage tiers, generate logs, trigger analytics pipelines, replicate datasets, and run unattended processes. If one of these identities is compromised, the first signs of malicious activity often appear in the data layer itself. Unauthorized reads, unexpected modifications, corruption of snapshots, tampered metadata, irregular replication events, or the introduction of malicious content are often the earliest and most reliable indicators of attack. By the time endpoint or identity systems raise alerts, the attacker may have already altered data across multiple systems.
This is why modern cyber resilience depends on the ability to continuously verify the integrity, security, and recoverability of data itself.
A Modern Defense Model
Addressing these emerging threats requires a multi-layered approach that blends identity, workload, and data-centric controls.
- First, all machine identities must be governed with the same rigor as human identities. This means complete inventory, lifecycle management, least-privilege enforcement, short-lived credential use, and continuous monitoring of identity behavior.
- Second, detection must expand beyond endpoints. Organizations need visibility into identity issuance, API usage, workload behavior, cloud control-plane activity, and infrastructure components that do not support traditional EDR.
- Third, data integrity must be continuously validated. Snapshots, backups, object data, and replicated datasets must be automatically and regularly inspected. Any unauthorized change or anomaly should be treated as a leading indicator of potential compromise.
- Fourth, Zero Trust principles must be deeply embedded in the machine and data layers. Verification is no longer only about authenticating a user. It is about verifying the legitimacy of every process, every identity, and every piece of data flowing through the enterprise.
Why This Approach Is Strategic
Adversaries are adapting quickly. They no longer need to compromise a human identity or bypass every endpoint. They can operate quietly within automation systems, exploit permissions given to machine identities, or target data itself as the first point of manipulation. By addressing machine identity governance and data integrity together, organizations reduce the inherent weaknesses of endpoint-only detection. They gain a defensive architecture that detects threats earlier, responds more effectively, and ensures business continuity even under active attack.
The combination of EDR evasion and machine-identity exploitation represents one of the most significant emerging risks to modern enterprises. Attackers are learning to operate invisibly, bypassing traditional controls and embedding themselves in the automation and data layers where detection is weakest.
To win in this environment, security teams must shift their mindset. They must unmask the invisible by looking where attackers now hide: in identities, in the control plane, and in the data itself. They must verify continuously, trust nothing implicitly, and safeguard the integrity of the information the business depends on. This is how modern organizations stay resilient. It is how they transform uncertainty into strength. And it is how they defeat adversaries who no longer need to be seen to be dangerous. This is the gap Elastio is built to close.
3 Key Takeaways
- EDR alone leaves growing visibility gaps
- Machine identities are the new attack surface
- Data integrity becomes the ultimate detection layer

AI-Ready & Ransomware-Proof FSx for NetApp ONTAP
Amazon FSx for NetApp ONTAP (FSxN) has become the gold standard for high-performance cloud storage, combining the agility of AWS with the data management power of NetApp. Today, this infrastructure is more critical than ever. As unstructured data volumes explode and enterprises race to feed Generative AI models, FSxN has evolved into the engine room for innovation. It holds the massive datasets that fuel your AI insights and drive business logic.
You cannot build trusted AI on unverified data
FSxN delivers the trusted, high-performance platform your enterprise relies on. But true trust requires more than uptime—it requires integrity. As enterprise architectures evolve, so do the threats targeting them. The sheer scale of unstructured data creates a massive blind spot where ransomware can hide, silently corrupting data over weeks. If the data residing on your trusted storage is compromised, your AI models are being trained on poisoned assets.
The Imperative: Verified Data for Trusted AI
Today, Elastio is introducing comprehensive Ransomware Recovery Assurance for Amazon FSx for NetApp ONTAP. We now provide a layered defense that validates the integrity of the data within your primary volumes, SnapMirror replicas, and AWS Backups, ensuring that your storage is not just available, but provably clean.
The Three-Tier Defense for FSxN
To understand where Elastio fits, we must look at the modern FSxN protection architecture. A resilient implementation typically relies on three layers:
- Primary Filer: Your active, high-performance workload.
- SnapMirror Replica: A near-real-time, read-only copy used for disaster recovery with low RPOs (e.g., 5 minutes).
- AWS Backup: A daily recovery point for long-term retention and compliance.
Until now, verified recoverability across these layers was a blind spot. Elastio eliminates that uncertainty by integrating with the entire chain to validate data integrity before a crisis occurs.
The Risk of Silent Corruption
Ransomware attacks frequently begin subtly, bypassing perimeter defenses and modifying data blocks without triggering immediate alerts. If these corrupted blocks are replicated to your SnapMirror destination or archived into your AWS Backup vault, you aren't preserving your business—you are preserving the attack.
Just having backups is not enough. To ensure resilience, you must answer three questions about your recovery points:
- Are they safe?
- Are they intact?
- Are they recoverable?
Introducing Elastio Recovery Assurance for FSxN
Elastio delivers agentless, automated verification for FSxN environments. Our platform connects to your infrastructure to perform deep-file inspection, providing:
- Behavioral Ransomware Detection: We identify encryption patterns that signature-based tools miss, including slow-rolling and obfuscated encryption.
- Insider Threat Detection: We detect malicious tampering or unauthorized encryption driven by compromised credentials.
- Corruption Validation: We identify unexpected data corruption that could render a backup unusable during a restore.
This coverage spans the entire lifecycle. Elastio scans your SnapMirror replicas for immediate RPO validation and utilizes AWS Restore Testing to validate your AWS Backups without rehydrating production data.
Complementing NetApp’s Native Defenses
Elastio is designed to work with your existing security stack, not replace it. NetApp’s native Autonomous Ransomware Protection (ARP) is an excellent first line of defense, monitoring your production environment for suspicious activity in real time. Elastio complements ARP by operating beyond the production path. We focus on the recovery chain, performing deep-dive analysis on your backups and replicas. If ARP flags a potential threat in production, Elastio allows you to instantly identify which historical recovery point is clean, verifiable, and safe to restore.
Compliance: From "Prevention" to "Proof"
Regulatory pressure is shifting. Frameworks like DORA, NYDFS, HIPAA, and PCI-DSS are moving away from simple backup retention mandates toward requirements for demonstrable recovery integrity. Auditors and cyber insurers no longer accept "we have backups" as an answer. They require proof that those backups can be restored. Elastio automates this reporting, providing a validated inventory of clean snapshots that satisfies the most stringent compliance and risk requirements.
Recommended Architecture for Provable Recovery
To achieve maximum resilience with FSxN, we recommend the following layered approach:
- Replicate: Use SnapMirror to maintain a secondary copy with a 5-minute RPO.
- Retain: Use AWS Backup to enforce retention policies.
- Validate: Run Elastio Hourly Scans on SnapMirror replicas to catch infection early, and run Elastio Restore Tests monthly on AWS Backups to verify your vault.
Conclusion
In the current threat landscape, ransomware is not a matter of if, but when. Your data is only protected if it can be recovered. With Elastio’s new support for Amazon FSx for NetApp ONTAP, you can move beyond checking a backup box and gain true recovery assurance. In just minutes per TB, you will know if your data is clean or compromised, and be ready to recover with confidence.
3 Key Takeaways
- AI Integrity Requires Clean Data: As FSxN drives generative AI and unstructured data growth, silent corruption becomes a critical risk. Elastio prevents "poisoned" datasets by detecting corruption inside the storage layer.
- End-to-End Validation: Elastio secures the entire FSxN lifecycle, providing deep inspection and clean recovery verification for primary volumes, SnapMirror replicas, and AWS Backups.
- The "Production and Recovery" Defense: Elastio operates outside the production path to complement NetApp’s Autonomous Ransomware Protection (ARP), validating snapshots to ensure you always have a safe place to restore from.