Autonomous Ransomware Protection for NFS and VMFS
Discover how NetApp ONTAP’s Autonomous Ransomware Protection (ARP) uses machine learning to secure NFS and VMFS datastores in VMware environments, providing early threat detection, tamper-proof snapshots, and rapid recovery to strengthen data resilience across virtualized and cloud workloads.
Overview
Ransomware threats are evolving quickly, becoming more sophisticated and disruptive. Traditional security measures often fail to protect critical data assets. NetApp ONTAP storage provides built-in security features that proactively safeguard data. If a security breach occurs, ONTAP delivers real-time alerts and rapid recovery options to reduce downtime and limit data loss. ONTAP enables customers to protect, recover, and move their data and applications, strengthening ransomware resilience.
Use case – Protect VMware VMs and their files
Early detection of ransomware in VMware environments is critical to stopping its spread and minimizing downtime. An effective strategy uses multiple layers of protection across ESXi hosts and guest virtual machines. While many security controls help build a strong defense, NetApp ONTAP adds essential storage-level safeguards that further strengthen protection.
Key ONTAP features include Snapshot technology for point-in-time recovery, Autonomous Ransomware Protection (ARP) powered by built-in machine learning, multi-admin verification, and tamper-proof snapshots that preserve data integrity. These capabilities work together to enhance ransomware resilience and enable rapid recovery when needed.
Securing vSphere environments and guest virtual machines requires a comprehensive approach. Key measures include network segmentation, deploying EDR/XDR/SIEM solutions for endpoint monitoring, applying timely security updates, and following established hardening guidelines. Each VM typically runs a standard operating system, making it critical to install and regularly update enterprise-grade anti-malware solutions as part of a multi-layered ransomware defense strategy.
How ONTAP helps
ONTAP strengthens data protection with multiple layers of defense. Key features include Snapshots, Autonomous Ransomware Protection (ARP), tamper-proof snapshots, multi-admin verification, and more. This document focuses on the enhancements to ARP introduced in version 9.17.1.
You can enable ARP on NAS or SAN volumes that support VMware datastores. ARP uses ONTAP’s built-in machine learning to monitor workload patterns and data entropy, automatically detect signs of ransomware activity, and provide an intelligent, proactive layer of security. Configure ARP per volume using ONTAP’s CLI or System Manager interface.
ARP feature evolution
Starting with ONTAP version 9.10.1, ARP is available for an existing volume or a new volume. In ONTAP version 9.16.1, you can enable ARP using System Manager or the CLI. ARP/AI protection becomes active immediately, with no learning period required. In version 9.17.1, ARP supports SAN volumes. When you enable ARP on a SAN volume, ARP/AI continuously monitors data during an evaluation period to determine workload suitability and set the optimal encryption threshold for detection.
ARP is built into ONTAP, providing integrated control and coordination with other ONTAP features. ARP works in real time, processing data as it is written or read, and quickly detects and responds to potential ransomware attacks. It creates locked snapshots at regular intervals alongside scheduled ones, and intelligently manages snapshot retention by recycling them when no anomalies are detected. If ARP detects suspicious activity, it preserves a snapshot taken before the attack for an extended period to ensure a reliable recovery point.
For more details, see What ARP detects.
Note: ARP support is included with the ONTAP ONE license.
Configure ARP on NAS volumes and simulate an attack on a VM
Learn how to enable NetApp ONTAP Autonomous Ransomware Protection (ARP) on NAS and SAN volumes used for VMware datastores, and simulate ransomware attacks to see how ARP detects threats and facilitates rapid recovery.
When ARP is enabled on a NAS volume using System Manager or the CLI, ARP/AI protection is enabled and active immediately. No learning period is required.

In this example, the attack is simulated inside a VM residing on an NFS volume that is attached to vCenter as a datastore, either by running a script that modifies the files or by changing their file extensions.

As shown below, ARP detected the abnormal activity.

ARP detects the attack early and enables data recovery from snapshots taken close to the attack time. To roll back, use the periodic ARP snapshot that was generated before the incident was triggered. The screenshot below shows the snapshots created:

For detailed guidance on enabling ARP on NFS volumes that serve as datastores and recovering in the event of an attack, refer to ARP for NFS storage.
Configure ARP on SAN volumes and simulate an attack on a VM
When ARP is enabled on a SAN volume, it begins with an evaluation phase, similar to the learning mode used in NAS environments, before automatically transitioning into active detection.

ARP initiates a two to four week evaluation period with a threshold of 75% to establish a baseline for encryption behaviour. Progress during this phase can be monitored with the security anti-ransomware volume show command by checking the Block device detection status field. After the evaluation completes, a status of Active_suitable_workload confirms that the observed entropy levels are suitable for ongoing monitoring. Based on the data collected, ARP automatically adjusts its adaptive threshold to ensure accurate and responsive threat detection. Depending on the requirement, the snapshot creation interval can be changed from the default 4h to 1h; exercise this modification with caution.
Beginning with ONTAP 9.17.1, ARP snapshots are generated at regular intervals for both NAS and SAN volumes.

For detailed information, refer to SAN environments and mode types.
It’s time to simulate an attack. For demonstration purposes, files are encrypted within a virtual machine running on an iSCSI-based datastore. Nearly 7000 files are generated, and these files are then affected by the simulated ransomware attack.

Within 10 minutes, abnormal activity was detected on the volume based on the high-entropy data, and ARP generated a threat alert because it detected an entropy anomaly inside the VM.
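To make the behaviour described above concrete (entropy-based detection of encrypted writes, periodic ARP snapshots that are recycled while nothing is suspicious, and preservation of the snapshot taken just before the anomaly, with the 75% threshold mentioned for the SAN evaluation period), the following is an added, simplified simulation. It is illustrative code written for this page, not ONTAP's implementation or its real detection algorithm; the entropy cut-off of 7.5 bits per byte, the block size, the snapshot naming and the retention count are assumptions chosen for the demonstration, and all input data is constructed in the script.

```python
import math
import random

# Assumed parameters for this illustration (not ONTAP's internal values).
HIGH_ENTROPY_BITS = 7.5      # a block at or above this looks encrypted/compressed
ENCRYPTION_THRESHOLD = 0.75  # the page's 75% evaluation threshold, applied per interval
BLOCK_SIZE = 4096


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_ratio(blocks) -> float:
    """Fraction of written blocks whose entropy looks like ciphertext."""
    if not blocks:
        return 0.0
    high = sum(1 for blk in blocks if shannon_entropy(blk) >= HIGH_ENTROPY_BITS)
    return high / len(blocks)


class ArpMonitor:
    """Toy model of periodic locked snapshots plus entropy-based alerting."""

    def __init__(self, threshold=ENCRYPTION_THRESHOLD, max_snapshots=3):
        self.threshold = threshold
        self.max_snapshots = max_snapshots   # recyclable snapshots kept when no anomaly
        self.snapshots = []                  # names, oldest first
        self.preserved = []                  # snapshots retained for recovery
        self.alerts = []                     # (interval_no, ratio)

    def take_snapshot(self, interval_no):
        name = f"arp_snap_{interval_no}"     # assumed naming scheme
        self.snapshots.append(name)
        return name

    def recycle(self):
        # Drop the oldest snapshots that are not preserved, keeping a bounded set.
        recyclable = [s for s in self.snapshots if s not in self.preserved]
        while len(recyclable) > self.max_snapshots:
            self.snapshots.remove(recyclable.pop(0))

    def observe_interval(self, interval_no, blocks):
        # Snapshot first: it captures the volume before this interval's writes.
        snap = self.take_snapshot(interval_no)
        ratio = high_entropy_ratio(blocks)
        if ratio >= self.threshold:
            # Anomaly: keep the pre-attack snapshot so a clean recovery point exists.
            self.alerts.append((interval_no, ratio))
            self.preserved.append(snap)
        else:
            self.recycle()
        return ratio


def make_text_blocks(rng, count, size=BLOCK_SIZE):
    """Constructed low-entropy 'document' blocks (about 4.9 bits/byte)."""
    alphabet = b"abcdefghijklmnopqrstuvwxyz ,.\n"
    return [bytes(rng.choice(alphabet) for _ in range(size)) for _ in range(count)]


def make_random_blocks(rng, count, size=BLOCK_SIZE):
    """Constructed high-entropy blocks standing in for encrypted file contents."""
    return [bytes(rng.getrandbits(8) for _ in range(size)) for _ in range(count)]


def run_demo(seed=7):
    """Five snapshot intervals: three normal, one mixed (below threshold), one attack."""
    rng = random.Random(seed)
    mon = ArpMonitor()
    timeline = [
        ("normal", make_text_blocks(rng, 20)),
        ("normal", make_text_blocks(rng, 20)),
        ("normal", make_text_blocks(rng, 20)),
        ("mixed", make_text_blocks(rng, 10) + make_random_blocks(rng, 10)),   # 50%
        ("attack", make_text_blocks(rng, 2) + make_random_blocks(rng, 18)),   # 90%
    ]
    results = []
    for i, (label, blocks) in enumerate(timeline, start=1):
        ratio = mon.observe_interval(i, blocks)
        results.append((i, label, round(ratio, 2)))
    return mon, results


if __name__ == "__main__":
    monitor, rows = run_demo()
    for interval, label, ratio in rows:
        print(f"interval {interval} ({label}): high-entropy ratio {ratio:.2f}")
    print("alerts:", monitor.alerts)
    print("snapshots kept:", monitor.snapshots, "preserved:", monitor.preserved)
```

The mixed interval shows why a threshold matters: half of the writes look encrypted, which is normal for compressed or already-encrypted data, and no alert fires. Only when the ratio crosses the threshold is the snapshot taken at the start of that interval locked as the recovery point, which is the role the periodic ARP snapshot plays in the restore steps that follow.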

Recover VM and its data after a ransomware attack
Once the attack is confirmed based on the steps covered above, use one of the ARP snapshots or another snapshot of the volume to restore the data.

Once restored, the files are all recovered.

For detailed guidance, see Restore data from ARP snapshot after a ransomware attack.
ONTAP as a defense layer for VMware and beyond
With just a few clicks, businesses can seamlessly enhance their data protection strategy. Powered by advanced machine learning-based detection mechanisms, ONTAP introduces a powerful layer of defense in VMware environments. This intelligent protection not only identifies threats early but also helps mitigate potential damage before it escalates.
This use case applies to more than just VMware. You can extend the same principles to any NAS or SAN-based application to build a multi-layered security architecture. Attackers are forced to navigate through several fortified layers, significantly reducing the risk of successful breaches.
ONTAP doesn't just protect data—it empowers organizations to stay resilient in the face of evolving threats.