The security breach involved two actions: data encryption (a modification action) and the deletion of Snapshot copies (a destructive administrative action).

SnapLock (A) is NetApp's Write-Once, Read-Many (WORM) technology. By placing data in a SnapLock volume, it becomes immutable and cannot be encrypted, modified, or deleted until a predefined retention period expires. This directly prevents the data encryption aspect of the attack and can also be used to make Snapshot copies undeletable.

Multi-admin verification (MAV) (D) protects against malicious or accidental administrative actions. It requires a quorum of designated administrators to approve sensitive operations, such as deleting a volume or Snapshot copies. This would have prevented a single compromised account from deleting the recovery points.

B. Data Lock: This is not a standard NetApp ONTAP feature name. SnapLock is the correct term for NetApp's WORM data protection technology.

C. Snapshot technology: The scenario explicitly states that the existing Snapshot copies were deleted. While essential for recovery, standard Snapshot technology alone does not protect the copies from deletion by a compromised administrator.

1. NetApp Technical Report 4572, "SnapLock and Ransomware Protection," Page 4: "SnapLock is NetApp’s data permanence software solution that provides a write once, read many (WORM) capability for data stored on NetApp storage systems... Once committed to WORM, the data cannot be altered or deleted until the retention period has expired." This document explicitly details how SnapLock's immutability directly counters ransomware's ability to encrypt or delete data and backups.

2. NetApp ONTAP 9.13.1 Documentation, "Overview of multi-admin verification": "Multi-admin verification adds an extra layer of security by requiring that some ONTAP operations be approved by multiple administrators... For example, you can require that the deletion of a volume or a LUN be approved by other cluster administrators before the operation is performed." This source confirms MAV's role in preventing unauthorized deletion of resources like Snapshot copies.

3. NetApp Product Documentation, "Protect against ransomware with ONTAP," Section: "Protecting against rogue administrators": "NetApp multi-admin verification (MAV) protects against rogue administrators by requiring multiple approvers for critical operations like deleting Snapshot copies or volumes." This directly links MAV to the protection of Snapshot copies, as described in the question.