Skip to main content

Learn about ONTAP Autonomous Ransomware Protection

Contributors netapp-dbagwell netapp-ahibbard netapp-aaron-holt netapp-aherbin netapp-forry netapp-adlove pixelchrome netapp-thomi netapp-barbe

Beginning with ONTAP 9.10.1, ONTAP administrators can enable Autonomous Ransomware Protection (ARP) to perform workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack. Beginning with ONTAP 9.17.1, ARP also supports block-device volumes, including SAN volumes containing LUNs, or NAS volume containing virtual disks from hypervisors such as VMware, Hyper-V, and KVM.

ARP is built directly into ONTAP, ensuring integrated control and coordination with ONTAP's other features. ARP operates in real-time, processing data as it's written to or read from the file system, and detecting and responding to potential ransomware attacks quickly.

ARP creates locked snapshots at regular intervals alongside scheduled ones for added protection. It smartly manages snapshot retention duration. If no unusual activity is detected, snapshots are quickly recycled. However, if an attack is detected, a snapshot created before the start of an attack is kept for an extended period.

Licenses and enablement

ARP support is included with the ONTAP ONE license. If you do not have the ONTAP One license, other licenses are available for ARP use that differ depending on your version of ONTAP.

ONTAP releases License

ONTAP 9.11.1 and later

Anti_ransomware

ONTAP 9.10.1

MT_EK_MGMT (Multi-Tenant Key Management)

  • If you are upgrading from ONTAP 9.10.1 to ONTAP 9.11.1 or later and ARP is already configured on your system, you do not need to install the new Anti-ransomware license. For new ARP configurations, the new license is required.

  • If you are reverting from ONTAP 9.11.1 or later to ONTAP 9.10.1, and you have enabled ARP with the Anti_ransomware license, you will see a warning message and might need to reconfigure ARP. Learn about reverting ARP.

ONTAP ransomware protection strategy

An effective ransomware detection strategy should include more than a single layer of protection.

An analogy would be the safety features of a vehicle. You don't rely on a single feature, such as a seatbelt, to completely protect you in an accident. Air bags, anti-lock brakes, and forward-collision warning are all additional safety features that will lead to a much better outcome. Ransomware protection should be viewed in the same way.

While ONTAP includes features like FPolicy, snapshots, SnapLock, and Active IQ Digital Advisor (also known as Digital Advisor) to help protect from ransomware, the following information focuses on the ARP feature with machine learning capabilities.

To learn more about other features in the NetApp portfolio that safeguard against ransomware, see Ransomware and NetApp's protection portfolio.

What ARP detects

ONTAP ARP is designed to protect against denial-of-service attacks where the attacker withholds data until a ransom is paid. ARP offers real-time ransomware detection based on the following:

  • Identification of incoming data as either encrypted or plain text.

  • Analytics that detect:

    • Entropy: (Used in NAS and SAN) An evaluation of the randomness of data in a file

    • File extension types: (Used in NAS only) A file extension that does not conform to expected extension types

    • File IOPS: (Used in NAS only beginning with ONTAP 9.11.1) A surge in abnormal volume activity with data encryption

ARP detects the spread of most ransomware attacks after only a small number of files are encrypted, responds automatically to protect data, and alerts you that a suspected attack is happening.

Note No ransomware detection or prevention system can completely guarantee safety from a ransomware attack. Although it's possible an attack might go undetected, ARP acts as an important additional layer of defense if anti-virus software has failed to detect an intrusion.

Learn about ARP modes

After ARP is turned on for a volume, it progresses through two distinct modes. ARP uses a learning or evaluation period to establish a baseline of normal workload behavior. During that period, ARP analyzes system metrics to develop an alert profile before enabling active protection. After ARP transitions to an active detection mode, it begins monitoring abnormal activity in real time, automatically taking protective actions and generating alerts if abnormal behavior is detected.

For ARP, the learning mode and active mode behaviors differ by ONTAP version, volume type, and protocol (NAS or SAN).

NAS environments and mode types

NAS environments use learning and active modes. For ARP/AI running in NAS environments beginning in ONTAP 9.16.1, there is no learning period when ARP is used with FlexVol volumes.

The following table summarizes the differences between ONTAP 9.10.1 and later versions for NAS environments.

Mode Description Volume types and versions

Learning

For ONTAP 9.15.1 to 9.10.1, ARP is automatically set to learning mode when you enable ARP. In learning mode, the ONTAP system develops an alert profile based on the analytic areas: entropy, file extension types, and file IOPS. It's recommended that you leave ARP in learning mode for 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning interval and automates the switch, which might occur before 30 days. For versions earlier than ONTAP 9.13.1, you can make the switch manually.

Tip The command security anti-ransomware volume workload-behavior show shows file extensions that have been detected in the volume. If you run this command early in learning mode and it shows an accurate representation of file types, you should not use that data as a basis to move to active mode, as ONTAP is still collecting other metrics. Learn more about security anti-ransomware volume workload-behavior show in the ONTAP command reference.
  • FlexVol volumes with ONTAP 9.15.1 to 9.10.1

  • FlexGroup volumes with ONTAP 9.13.1 and later

Active

After running ARP in learning mode for enough time to assess workload characteristics, you can switch to active mode and start protecting your data. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning interval and automates the switch, which might occur before 30 days.

With ONTAP 9.10.1 to 9.15.1, ARP switches to active mode after the optimal learning period is completed. After ARP has switched to active mode, ONTAP creates ARP snapshots to protect the data if a threat is detected.

In active mode, if a file extension is flagged as abnormal, you should evaluate the alert. You can act on the alert to protect your data, or you can mark the alert as a false positive. Marking an alert as a false positive updates the alert profile. For example, if the alert is triggered by a new file extension and you mark the alert as a false positive, you will not receive an alert the next time that the file extension is observed.

All supported ONTAP versions and FlexVol and FlexGroup volumes

SAN environments and mode types

SAN environments use evaluation periods (similar to learning modes in NAS environments) before transitioning to active detection automatically. The following table summarizes evaluation and active modes.

Mode Description Volume types and versions

Evaluation

A two- to four-week evaluation period is performed to determine baseline encryption behavior. You can determine if the evaluation period is complete by running the security anti-ransomware volume show command and checking Block device detection status.

  • FlexVol volumes with ONTAP 9.17.1 and later

Active

After the evaluation period, you can determine if the ARP SAN protection is active by running the security anti-ransomware volume show command and checking Block device detection status. A status of Active_suitable_workload indicates that the evaluated amount of entropy can be successfully monitored. ARP automatically adjusts the adaptive threshold according to data reviewed during the evaluation.

  • FlexVol volumes with ONTAP 9.17.1 and later

Threat assessment and ARP snapshots

ARP assesses threat probability based on incoming data measured against learned analytics. When ARP detects an abnormality, a measurement is assigned. A snapshot might be assigned at the time of detection or at regular intervals.

ARP thresholds

  • Low: The earliest detection of an abnormality in the volume (for example, a new file extension is observed in the volume). This level of detection is only available in versions prior to ONTAP 9.16.1 that do not have ARP/AI.

  • Moderate: High entropy is detected or multiple files with the same never-seen-before file extension are observed. This is the baseline detection level in ONTAP 9.16.1 and later with ARP/AI.

The threat escalates to moderate after ONTAP runs an analytics report determining if the abnormality matches a ransomware profile. When the attack probability is moderate, ONTAP generates an EMS notification prompting you to assess the threat. ONTAP does not send alerts about low threats; however, beginning with ONTAP 9.14.1, you can modify default alert settings. For more information, see Respond to abnormal activity.

You can view information about moderate threats in System Manager's Events section or with the security anti-ransomware volume show command. Low threat events can also be viewed using the security anti-ransomware volume show command in versions prior to ONTAP 9.16.1 that do not have ARP/AI. Learn more about security anti-ransomware volume show in the ONTAP command reference.

ARP snapshots

In ONTAP 9.16.1 and earlier, ARP creates a snapshot when early signs of an attack are detected. A detailed analysis is then conducted to confirm or dismiss the potential attack. Because ARP snapshots are created proactively, even before an attack is fully confirmed, they might also be generated at regular intervals for certain legitimate applications. The presence of these snapshots should not be regarded as an anomaly. If an attack is confirmed, the attack probability is escalated to Moderate, and an attack notification is generated.

Beginning with ONTAP 9.17.1, ARP snapshots are generated at regular intervals for both NAS and SAN volumes. ONTAP prepends a name to the ARP snapshot to make it easily identifiable.

Beginning with ONTAP 9.11.1, you can modify the retention settings. For more information, see Modify options for snapshots.

The following table summarizes ARP snapshot differences between ONTAP 9.16.1 and earlier and ONTAP 9.17.1.

Feature ONTAP 9.16.1 and earlier ONTAP 9.17.1 and later

Creation trigger

  • High entropy is detected

  • A new file extension is detected (9.15.1 and earlier)

  • A surge of file operations is detected (9.15.1 and earlier)

Snapshot creation interval is based on trigger type.

Snapshots are created at fixed 4-hour intervals, regardless of any specific trigger, and are not necessarily indicative of an attack.

Prepended name convention

"Anti_ransomware_backup"

"Anti_ransomware_periodic_backup"

Deletion behavior

ARP snapshot is locked and cannot be deleted by the administrator

ARP snapshot is locked and cannot be deleted by the administrator

Maximum snapshot count

Six snapshot configurable limit

Six snapshot configurable limit

Retention period

  • Determined based on trigger conditions (not fixed)

  • Snapshots created before the attack are retained until administrator marks the attack as true or a false positive (clear-suspect).

Snapshots are normally retained for 12 hours.

  • NAS volumes: If an attack is confirmed by file-analysis, snapshots created before the attack are retained until the administrator marks the attack as true or a false positive (clear-suspect).

  • SAN volume or VM datastores: If an attack is confirmed by block-entropy analysis, snapshots created before the attack are retained for 10 days (configurable).

    The retention period of a snapshot created before the onset of an attack is extended to 10 days (configurable).

Clear-suspect action

Administrators can perform a clear-suspect action which sets retention based on confirmation:

  • 24 hours for false-positive retention

  • 7 days for true-positive retention

This precautionary retention behavior doesn't exist earlier than ONTAP 9.16.1

Administrators can perform a clear-suspect action which sets retention based on confirmation:

  • 24 hours for false-positive retention

  • 7 days for true-positive retention

Expiration time

None

An expiration time is set for all snapshots

How to recover data in ONTAP after a ransomware attack

ARP builds on proven ONTAP data protection and disaster recovery technology to respond to ransomware attacks. ARP creates locked snapshots when early signs of an attack are detected in ONTAP 9.16.1 and earlier or at regular intervals in 9.17.1 and later. You'll need to first confirm whether the attack is real or a false positive. If you confirm the attack, the volume can be restored using the ARP snapshot.

Locked snapshots cannot be deleted by normal means. However, if you decide later to mark the attack as a false positive, the locked copy will be deleted.

With the knowledge of the affected files and the time of attack, it is possible to selectively recover the affected files from various snapshots rather than simply reverting the whole volume to one of the snapshots.

See the following topics for more information on responding to an attack and recovering data:

Multi-admin verification protection for ARP

Beginning with ONTAP 9.13.1, it's recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. For more information, see Enable multi-admin verification.

Autonomous Ransomware Protection with Artificial Intelligence (ARP/AI)

Beginning with ONTAP 9.16.1, ARP improves cyber resiliency by adopting a machine-learning model for anti-ransomware analytics that detects constantly evolving forms of ransomware with 99% accuracy in NAS environments. ARP's machine-learning model is pre-trained on a large dataset of files both before and after a simulated ransomware attack. This resource-intensive training is done outside ONTAP using open-source forensic research datasets to train the model. Customer data is not used throughout the entire modelling pipeline and privacy issues do not exist. The pre-trained model that results from this training is included on-box with ONTAP. This model is not accessible or modifiable through the ONTAP CLI or ONTAP API.

Immediate transition to active protection for ARP/AI with FlexVol volumes

With ARP/AI and FlexVol volumes, there is no learning period. ARP/AI is enabled and active immediately after installation or upgrade to 9.16. After upgrading your cluster to ONTAP 9.16.1, ARP/AI will be automatically enabled for existing and new FlexVol volumes if ARP is already enabled for those volumes.

ARP/AI automatic updates

To keep up-to-date protection against the latest ransomware threats, ARP/AI offers frequent automatic updates that occur outside of regular ONTAP upgrade and release cadences. If you have enabled automatic updates then you will also be able to start receiving automatic security updates to ARP/AI after you select automatic updates for security files. You can also choose to make these updates manually and control when the updates occur.

Beginning with ONTAP 9.16.1, security updates for ARP/AI are available using System Manager in addition to system and firmware updates.

Related information