Learn about ONTAP Autonomous Ransomware Protection
Beginning with ONTAP 9.10.1, ONTAP administrators can enable Autonomous Ransomware Protection (ARP) to perform workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack. Beginning with ONTAP 9.17.1, ARP also supports block-device volumes, including SAN volumes containing LUNs or NVMe namespaces, or NAS volumes containing virtual disks from hypervisors such as VMware.
ARP is built directly into ONTAP, ensuring integrated control and coordination with ONTAP's other features. ARP operates in real-time, processing data as it's written to or read from the file system, and detecting and responding to potential ransomware attacks quickly.
ARP creates locked snapshots at regular intervals alongside scheduled ones for added protection and manages their retention automatically. If no unusual activity is detected, snapshots are quickly recycled. However, if an attack is detected, a snapshot created before the start of the attack is kept for an extended period. For more information, including changes added by ONTAP version, see ARP snapshots.
Licenses and enablement
You need a license to use ARP. Decide whether to enable ARP by default on new volumes or enable it manually per volume.
License options for ARP
ARP support is included with the ONTAP One license. If you do not have the ONTAP One license, other licenses are available for ARP use that differ depending on your version of ONTAP.
| ONTAP releases | License |
|---|---|
| ONTAP 9.11.1 and later | Anti_ransomware |
| ONTAP 9.10.1 | |

- If you are upgrading from ONTAP 9.10.1 to ONTAP 9.11.1 or later and ARP is already configured on your system, you do not need to install the new Anti_ransomware license. For new ARP configurations, the new license is required.
- If you are reverting from ONTAP 9.11.1 or later to ONTAP 9.10.1, and you have enabled ARP with the Anti_ransomware license, you will see a warning message and might need to reconfigure ARP. Learn about reverting ARP.
Enablement options for ARP
ARP provides flexible enablement options at the cluster, SVM, and volume levels, allowing you to configure automatic default enablement for new volumes or enable ARP manually on existing volumes as needed.
Beginning with ONTAP 9.18.1, ARP is enabled by default automatically on all new volumes for AFF A series and AFF C series, ASA, and ASA r2 systems. This automatic default ARP enablement does not apply to unsupported volumes or configurations.
ARP default enablement on new volumes goes into effect after a 12-hour grace period following an upgrade or immediately for a new ONTAP 9.18.1 installation, provided that an ARP license is installed in either case. You must enable ARP manually on existing volumes.
During the grace period, you can opt out of default enablement for new volumes at the cluster level using System Manager or the ONTAP CLI. If you do not opt out, ARP is automatically enabled for all new volumes created after the end of the grace period. If needs change after the grace period, you also have the flexibility to turn on or turn off default enablement at any time.
If you disabled automatic default enablement of ARP at the cluster level, you can also choose to manually enable ARP by default on all new volumes at the SVM level. For ONTAP 9.17.1 and earlier, this is the only way to configure ARP to be enabled by default on new volumes.
Beginning with 9.18.1, you can manually enable ARP on all existing volumes from the cluster level (select Cluster > Security, and in the Anti-ransomware section select Enable on all existing volumes).
If you'd prefer to limit ARP enablement to a specific volume, you can enable ARP on a per-volume basis.
ONTAP ransomware protection strategy
Effective ransomware protection requires many layers of protection working together.
While ONTAP includes features like FPolicy, snapshots, SnapLock, and Active IQ Digital Advisor (also known as Digital Advisor) to help protect from ransomware, ARP provides an additional layer of defense.
To learn more about other features in the NetApp portfolio that safeguard against ransomware, see:
What ARP detects
ONTAP ARP is designed to protect against denial-of-service attacks where the attacker withholds data until a ransom is paid. ARP offers real-time ransomware detection based on the following:

- Identification of incoming data as either encrypted or plain text.
- Analytics that detect:
  - Entropy: (Used in NAS and SAN) An evaluation of the randomness of data in a file
  - File extension types: (Used in NAS only) A file extension that does not conform to expected extension types
  - File IOPS: (Used in NAS only beginning with ONTAP 9.11.1) A surge in abnormal volume activity with data encryption

ARP detects the spread of most ransomware attacks after only a small number of files are encrypted, responds automatically to protect data, and alerts you that a suspected attack is happening.

Note: No ransomware detection system can guarantee complete safety. ARP provides an extra layer of defense if anti-virus software fails to detect an intrusion.
Learn about ARP modes
After ARP is enabled for a volume, it enters a learning period to establish a baseline. ARP analyzes system metrics to develop an alert profile before transitioning to active detection mode. In active mode, ARP monitors abnormal activity, taking protective actions and generating alerts if it detects abnormal behavior.
For ARP, the learning mode and active mode behaviors differ by ONTAP version, volume type, and protocol (NAS or SAN).
NAS environments and mode types
The following table summarizes the differences between ONTAP 9.10.1 and later versions for NAS environments.
In versions with the earlier ARP model, a learning period is recommended before active monitoring begins. For NAS environments that support ARP/AI, there is no learning period and active monitoring begins immediately.
| Mode | Description | Volume types and versions |
|---|---|---|
| Learning | For certain versions of ONTAP and certain volume types, ARP is automatically set to learning mode when you enable ARP. In learning mode, the ONTAP system develops an alert profile based on the analytic areas: entropy, file extension types, and file IOPS. It's recommended that you leave ARP in learning mode for 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning interval and automates the switch, which might occur before 30 days. For versions earlier than ONTAP 9.13.1, you can make the switch manually. Beginning with ONTAP 9.16.1 for FlexVol volumes, only active mode exists and learning mode is transitioned automatically to active mode for any FlexVol volumes upgraded to this version or later. For ONTAP 9.16.1 to 9.17.1, FlexGroup volumes are not yet supported by ARP/AI and continue to run the older ARP model. Because of this, a learning period is still recommended for these versions with FlexGroup volumes. Beginning with ONTAP 9.18.1, only active mode exists for both FlexVol and FlexGroup volumes. Any upgraded volumes are transitioned to active mode automatically. | FlexVol volumes on versions earlier than ONTAP 9.16.1; FlexGroup volumes on versions earlier than ONTAP 9.18.1 |
| Active | In active mode, if a file extension is flagged as abnormal, you should evaluate the alert. You can act on the alert to protect your data, or you can mark the alert as a false positive. Marking an alert as a false positive updates the alert profile. For example, if the alert is triggered by a new file extension and you mark the alert as a false positive, you will not receive an alert the next time that the file extension is observed. | All supported ONTAP versions and FlexVol and FlexGroup volumes |
SAN environments and mode types
SAN environments use evaluation periods (similar to learning modes in NAS environments) before transitioning to active detection automatically. The following table summarizes evaluation and active modes.
| Mode | Description | Volume types and versions |
|---|---|---|
| Evaluation | A two- to four-week evaluation period is performed to determine baseline encryption behavior while ARP/AI provides immediate active protection for SAN volumes during the evaluation period. Detection and alerts can occur while baseline thresholds are being established. You can determine if the evaluation period is complete by running the | SAN volumes with ONTAP 9.17.1 and later |
| Active | After the evaluation period, you can determine if the ARP SAN protection is active by running the | SAN volumes with ONTAP 9.17.1 and later |
Threat assessment and ARP snapshots
ARP assesses threat probability by measuring incoming data against the analytics it has learned. When ARP detects an abnormality, it assigns a threat level. ARP might create a snapshot at the time of detection or at regular intervals.
ARP thresholds
- Low: The earliest detection of an abnormality in the volume (for example, a new file extension is observed in the volume). This level of detection is only available in versions prior to ONTAP 9.16.1 that do not have ARP/AI.
  - Beginning with ONTAP 9.11.1, you can customize the detection parameters for ARP.
  - In ONTAP 9.10.1, the threshold for escalation to moderate is 100 or more files.
- Moderate: High entropy is detected or multiple files with the same never-seen-before file extension are observed. This is the baseline detection level in ONTAP 9.16.1 and later with ARP/AI.
The threat escalates to moderate after ONTAP runs an analytics report determining if the abnormality matches a ransomware profile. When the attack probability is moderate, ONTAP generates an EMS notification prompting you to assess the threat. ONTAP does not send alerts about low threats; however, beginning with ONTAP 9.14.1, you can modify default alert settings. For more information, see Respond to abnormal activity.
You can view information about moderate threats in System Manager's Events section or with the security anti-ransomware volume show command. Low threat events can also be viewed using the security anti-ransomware volume show command in versions prior to ONTAP 9.16.1 that do not have ARP/AI. Learn more about security anti-ransomware volume show in the ONTAP command reference.
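As an added illustration of the analytics listed under "What ARP detects" and the Low-to-Moderate escalation described above, the following simplified Python model (not ONTAP's implementation) scores file writes on entropy and never-seen-before extensions and escalates at the 100-file threshold the page quotes for ONTAP 9.10.1; the 7.0 bits/byte entropy cutoff and the sample inputs are assumptions.

```python
import math
import os
from collections import Counter

# Simplified model of the ARP analytics described on this page (not ONTAP code).
# Assumptions: 7.0 bits/byte is the cutoff for "looks encrypted", and the
# Low -> Moderate escalation uses the 100-file threshold quoted for ONTAP 9.10.1.
HIGH_ENTROPY_BITS = 7.0
MODERATE_FILE_COUNT = 100
LEVELS = ["none", "low", "moderate"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ArpProfile:
    """Alert profile built in learning mode plus the running threat level."""

    def __init__(self, learned_extensions):
        self.known = {e.lower() for e in learned_extensions}
        self.new_ext_files = Counter()  # never-seen-before extension -> files written
        self.high_entropy_files = 0
        self.level = 0                  # index into LEVELS

    def observe_write(self, path: str, data: bytes) -> str:
        """Score one file write and return the threat level after it."""
        ext = os.path.splitext(path)[1].lower()
        if ext and ext not in self.known:
            self.new_ext_files[ext] += 1
            self.level = max(self.level, 1)   # Low: a new extension was observed
        if shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            self.high_entropy_files += 1
        same_ext_surge = max(self.new_ext_files.values(), default=0)
        if max(same_ext_surge, self.high_entropy_files) >= MODERATE_FILE_COUNT:
            self.level = 2                    # Moderate: matches a ransomware profile
        return LEVELS[self.level]

    def mark_false_positive(self, ext: str) -> None:
        """Clear-suspect for an extension: fold it into the profile so it no longer alerts."""
        self.known.add(ext.lower())
        self.new_ext_files.pop(ext.lower(), None)
```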
ARP snapshots
ARP creates a snapshot when early signs of an attack are detected. A detailed analysis is then conducted to confirm or dismiss the potential attack. Because ARP snapshots are created proactively even before an attack is fully confirmed, they might also be generated at regular intervals for certain legitimate applications. The presence of these snapshots should not be regarded as an anomaly. If an attack is confirmed, the attack probability is escalated to Moderate and an attack notification is generated.
Beginning with ONTAP 9.17.1, ARP snapshots are generated at regular intervals for both NAS and SAN volumes as well as in response to detected anomalies. ONTAP prepends a name to the ARP snapshot to make it easily identifiable.
Beginning with ONTAP 9.11.1, you can modify the retention settings. For more information, see Modify options for snapshots.
The following table summarizes ARP snapshot differences by version.
| Feature | ONTAP 9.17.1 and later | ONTAP 9.16.1 and earlier |
|---|---|---|
| Creation trigger | A "periodic" or "attack" snapshot is created based on trigger type. | Snapshot creation interval is based on trigger type. |
| Prepended name convention | "Anti_ransomware_periodic_backup" | "Anti_ransomware_backup" |
| Deletion behavior | ARP snapshot is locked and cannot be deleted by the administrator | ARP snapshot is locked and cannot be deleted by the administrator |
| Maximum snapshot count | | |
| Retention period | Snapshots are normally retained for 12 hours. | |
| Clear-suspect action | Administrators can perform a clear-suspect action which sets retention based on confirmation: | Administrators can perform a clear-suspect action which sets retention based on confirmation: This precautionary retention behavior doesn't exist earlier than ONTAP 9.16.1 |
| Expiration time | An expiration time is set for all snapshots | None |
How to recover data in ONTAP after a ransomware attack
ARP builds on proven ONTAP data protection and disaster recovery technology to respond to ransomware attacks. ARP creates locked snapshots when early signs of an attack are detected. You'll need to first confirm whether the attack is real or a false positive. If you confirm the attack, the volume can be restored using the ARP snapshot.
Locked snapshots cannot be deleted by normal means. However, if you decide later to mark the attack as a false positive, ONTAP deletes the locked copy.
You can recover affected files from select snapshots instead of reverting the entire volume.
See the following topics for more information on responding to an attack and recovering data:
Multi-admin verification protection for ARP
Beginning with ONTAP 9.13.1, it's recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. For more information, see Enable multi-admin verification.
Autonomous Ransomware Protection with Artificial Intelligence (ARP/AI)
Beginning with ONTAP 9.16.1, ARP improves cyber resiliency by adopting a machine-learning model for anti-ransomware analytics that detects constantly evolving forms of ransomware with 99% accuracy in NAS environments. ARP's machine-learning model is pre-trained on a large dataset of files captured both before and after a simulated ransomware attack. This resource-intensive training is done outside ONTAP using open-source forensic research datasets. Customer data is not used anywhere in the modelling pipeline, so no privacy issues arise. The pre-trained model that results from this training is included on-box with ONTAP. This model is not accessible or modifiable through the ONTAP CLI or ONTAP API.
With ARP/AI, there is no learning period. ARP/AI is active immediately after installation or upgrade for the following supported volume types:
- NAS FlexVol volumes with ONTAP 9.16.1 and later
- NAS FlexGroup volumes with ONTAP 9.18.1 and later
- SAN volumes with ONTAP 9.17.1 and later (active immediately, even during the evaluation period)
For existing and new volumes with ARP functionality already enabled, ARP/AI protection will be active automatically after you upgrade your cluster to an ARP/AI supported ONTAP version.
To keep protection current against the latest ransomware threats, ARP/AI receives frequent automatic updates delivered outside the regular ONTAP upgrade and release cadence. If you have enabled automatic updates, you can also receive automatic security updates for ARP/AI by selecting automatic updates for security files. You can also apply these updates manually and control when they occur.
Beginning with ONTAP 9.16.1, security updates for ARP/AI are available using System Manager in addition to system and firmware updates.
Differences between ARP/AI and ARP models at a glance
| Feature | ARP | ARP/AI |
|---|---|---|
| ONTAP versions | ONTAP 9.10.1-9.15.1 | ONTAP 9.16.1 and later; 9.15.1 (tech preview) |
| Detection method | Analyzes file activity, data entropy, and file extension types | AI/machine learning model trained on large forensic datasets; analyzes entropy and file behavior |
| Learning period | Requires 30-day learning mode for NAS FlexVol volumes (auto-switch available in 9.13.1 and later) | No learning period; active immediately upon enablement |
| Volume type support | NAS FlexVol and FlexGroup volumes | NAS FlexVol volumes (9.16.1 and later), NAS FlexGroup volumes (9.18.1 and later), SAN volumes (9.17.1 and later) |
| Snapshot creation | Triggered by high entropy, new file extensions, or file operation surges | Created at fixed 4-hour intervals and on attack confirmation |
| Snapshot retention | Retained until admin clears suspect activity | 12-hour default; extended based on attack confirmation (24 hours for false positive, 7 days for confirmed positive) |
| Updates | Static detection logic (updated with ONTAP upgrades only) | Automatic security updates independent of ONTAP releases |
| Deployment | Manual enablement per volume or SVM-level default setting | Manual enablement per volume or SVM-level default setting; default enablement on all new volumes at cluster level for supported systems in 9.18.1 and later |
| Evaluation period | Not applicable | Required for SAN volumes (2-4 weeks) to establish baseline encryption thresholds |