
Restore data from ONTAP ARP snapshots after a ransomware attack

Contributors netapp-dbagwell netapp-aherbin netapp-ahibbard netapp-forry netapp-aaron-holt

Autonomous Ransomware Protection (ARP) creates snapshots to protect against a potential ransomware threat. You can use ARP snapshots or another snapshot of your volume to restore data.

About this task

Depending on the potential attack situation, you restore data in one of the ways described in the steps below.

ARP creates snapshots with one of the following prepended names:

  • Anti_ransomware_periodic_backup: Used in ONTAP 9.17.1 and later for snapshots created at regular intervals. For example, Anti_ransomware_periodic_backup.2025-06-01_1248.

  • Anti_ransomware_attack_backup: Used in ONTAP 9.17.1 and later for snapshots created in response to abnormalities. For example, Anti_ransomware_attack_backup.2025-08-25_1248.

  • Anti_ransomware_backup: Used in ONTAP 9.16.1 and earlier with snapshots that are created in response to abnormalities. For example, Anti_ransomware_backup.2022-12-20_1248.

Steps

Follow these steps when you need to restore data after ARP detects an abnormality:

Choose a recovery method

Depending on the extent of data corruption and your operational requirements, choose one or a combination of these recovery methods.

  • Volume snapshot restore: Rolls back the entire volume to a selected snapshot (ARP or scheduled). This is the fastest method but removes all snapshots created after the restore point.

  • FlexClone from a clean snapshot: Creates a clone volume from the selected snapshot, preserving the original volume and all its snapshots for forensic analysis or additional recovery. It is recommended to split the clone from the parent volume to isolate the infected parent from the clean clone.

  • Single-file SnapRestore: Restores individual files from snapshots. Each file can be sourced from a different snapshot. This is practical when the number of affected files is relatively small (tens to hundreds of files).

  • Data copy from the .snapshot directory: Copies data from the snapshot mount point to a new volume using standard file copy operations. This method preserves the original volume and snapshots for analysis.

  • Hybrid approach: The volume is first rolled back to the closest clean snapshot using SnapRestore, then any remaining corrupted files are restored individually from another snapshot or external backup.

Recovery constraints and considerations

  • For ONTAP 9.15.1 and earlier, releasing the ARP snapshot lock deletes ARP snapshots immediately. Release the lock only if you do not plan to restore from an ARP snapshot.

  • Releasing the anti-ransomware lock before restoring from earlier snapshots is only required when you use volume snapshot restore. It is not required for FlexClone, single-file SnapRestore, data copy operations, or similar methods.

SnapMirror considerations
  • If the volume is part of a SnapMirror synchronous or SnapMirror active sync SAN relationship in ONTAP 9.19.1 RC and you plan a volume-level restore, quiesce or break the relationship before restore and then re-establish protection after restore.

  • If you restore an ARP-protected volume from a snapshot while it participates in a SnapMirror relationship, manually update all mirror copies after the restore. Otherwise, mirror copies can become unusable and might need to be deleted and recreated.

For full SnapMirror and ARP interoperability behavior, including snapshot and failover considerations, see SnapMirror and ARP interoperability.

Restore after a system attack

For volume snapshot restores, choose one of these flows depending on the snapshot source and situation:

Restore from the most recent ARP snapshot

Choose this flow when you can confidently restore from the most recent ARP snapshot, which is the most up-to-date snapshot available for recovery.

System Manager
  1. Select Storage > Volumes, then select the volume and Snapshot Copies.

  2. For ONTAP 9.16.1 and later, before you run a volume restore, clear suspected files.

    Note: After you clear suspect files, the ARP snapshot is retained for 7 days (by default). If you need more time for data recovery, adjust the ARP snapshot settings to increase the retention time of the snapshot to the desired value. After all data recovery is done, you can decrease the retention time.
  3. Select the Menu options icon next to the most recent ARP snapshot (Anti_ransomware) you want to restore, then select Restore.

  4. For ONTAP 9.15.1 and earlier, after the restore completes, clear suspected files.

CLI
  1. List the snapshots in a volume:

    volume snapshot show -vserver <svm> -volume <volume>
  2. For ONTAP 9.16.1 and later, before you run volume snapshot restore, clear suspected files.

  3. Restore the contents of a volume from a snapshot:

    volume snapshot restore -vserver <svm> -volume <volume> -snapshot <snapshot>
  4. For ONTAP 9.15.1 and earlier, after the restore completes, clear suspected files.

Restore from an earlier snapshot

Choose this flow when you lack confidence in the most recent snapshot and want to restore from an earlier snapshot. Release the lock on the most recent ARP snapshot before restoring from the earlier snapshot.

System Manager
  1. Release the lock on the most recent ARP snapshot:

    1. Select Storage > Volumes.

    2. Select Security then View Suspected File Types.

    3. Mark the files as "Potential ransomware attack".

    4. Select Update and Clear Suspected File Types.

      Note: If you already classified the activity as a potential ransomware attack using the steps in Respond to abnormal activity detected by ONTAP ARP, you only need to clear the suspected file types here.
  2. Select Storage > Volumes, then select the volume and Snapshot Copies.

  3. Select the Menu options icon next to the earlier snapshot you want to restore, then select Restore.

CLI
  1. If you are restoring from an earlier snapshot using volume snapshot restore, mark the attack as potential ransomware (-false-positive false) and clear suspect files to release the lock:

    security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension identifiers>] -false-positive false

    Use one of the following parameters to identify the extensions:

    • [-seq-no integer]: Sequence number of the file in the suspect list.

    • [-extension text, … ]: File extensions

    • [-start-time date_time -end-time date_time]: Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS".

  2. List the snapshots in a volume:

    volume snapshot show -vserver <svm> -volume <volume>

    The following example shows the snapshot in vol1:

    clus1::> volume snapshot show -vserver vs1 -volume vol1

    Vserver Volume Snapshot               State Size  Total% Used%
    ------- ------ ---------------------- ----- ----- ------ -----
    vs1     vol1   hourly.2013-01-25_0005 valid 224KB 0%     0%
                   daily.2013-01-25_0010  valid 92KB  0%     0%
                   hourly.2013-01-25_0105 valid 228KB 0%     0%
                   hourly.2013-01-25_0205 valid 236KB 0%     0%
                   hourly.2013-01-25_0305 valid 244KB 0%     0%
                   hourly.2013-01-25_0405 valid 244KB 0%     0%
                   hourly.2013-01-25_0505 valid 244KB 0%     0%

    7 entries were displayed.
  3. Restore the contents of a volume from a snapshot:

    volume snapshot restore -vserver <svm> -volume <volume> -snapshot <snapshot>

    The following example restores the contents of vol1:

    cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010
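The following Python helper is an added example for the two CLI flows above and the snapshot naming under About this task; it is not part of the ONTAP documentation or product. It parses `volume snapshot show` output of the shape shown above, picks out ARP snapshots by their documented prefixes, and returns the most recent one together with the older snapshots that the "Restore from an earlier snapshot" flow could use. It assumes every snapshot name ends in the .YYYY-MM-DD_HHMM suffix and that the State column reads valid; the sample output is constructed.

```python
import re
from datetime import datetime

# Snapshot name prefixes ARP uses, as documented above for each ONTAP release.
ARP_PREFIXES = (
    "Anti_ransomware_periodic_backup",  # 9.17.1 and later, regular intervals
    "Anti_ransomware_attack_backup",    # 9.17.1 and later, on an abnormality
    "Anti_ransomware_backup",           # 9.16.1 and earlier, on an abnormality
)

# Constructed sample of `volume snapshot show` output; not captured from a real cluster.
SAMPLE_OUTPUT = """\
clus1::> volume snapshot show -vserver vs1 -volume vol1
Vserver Volume Snapshot                                        State Size  Total% Used%
------- ------ ---------------------------------------------- ----- ----- ------ -----
vs1     vol1   daily.2025-08-24_0010                          valid 92KB  0%     0%
               Anti_ransomware_periodic_backup.2025-08-25_1200 valid 244KB 0%     0%
               Anti_ransomware_attack_backup.2025-08-25_1248  valid 256KB 0%     0%
               hourly.2025-08-25_1305                         valid 260KB 0%     0%
4 entries were displayed.
"""

TS_RE = re.compile(r"\.(\d{4}-\d{2}-\d{2}_\d{4})$")  # .YYYY-MM-DD_HHMM suffix, the sort key

def parse_snapshots(output):
    """Return [(name, timestamp)] for each snapshot row of the show output, oldest first."""
    snaps = []
    for line in output.splitlines():
        tokens = line.split()
        # A snapshot row is the name token immediately followed by the State column.
        for i, tok in enumerate(tokens[:-1]):
            m = TS_RE.search(tok)
            if m and tokens[i + 1] == "valid":
                snaps.append((tok, datetime.strptime(m.group(1), "%Y-%m-%d_%H%M")))
                break
    return sorted(snaps, key=lambda s: s[1])

def is_arp_snapshot(name):
    return any(name.startswith(prefix + ".") for prefix in ARP_PREFIXES)

def latest_arp_snapshot(snaps):
    """Most recent ARP snapshot name (the 'most recent ARP snapshot' flow), or None."""
    arp = [name for name, _ in snaps if is_arp_snapshot(name)]
    return arp[-1] if arp else None

def earlier_candidates(snaps, newer_than):
    """Snapshots older than `newer_than`, newest first: the 'earlier snapshot' flow choices."""
    names = [name for name, _ in snaps]
    return list(reversed(names[: names.index(newer_than)]))
```

Feed `latest_arp_snapshot` or one of the `earlier_candidates` names into the `-snapshot` parameter of the restore command shown above; the version-dependent clear-suspect step still has to be done by hand as the steps describe.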

Restore when a system attack is not identified

When no attack is identified, first restore from the most recent ARP snapshot and then restore from an earlier snapshot you choose.

System Manager
  1. Select Storage > Volumes, then select the volume and Snapshot Copies.

  2. Select the Menu options icon, then choose the most recent Anti_ransomware snapshot.

  3. Select Restore.

  4. Return to the Snapshot Copies menu, then choose the earlier snapshot you want to use.

  5. Select Restore.

CLI
  1. Restore from the most recent ARP snapshot first:

    1. List the snapshots in a volume:

      volume snapshot show -vserver <svm> -volume <volume>
    2. Restore the contents of a volume from a snapshot:

      volume snapshot restore -vserver <svm> -volume <volume> -snapshot <snapshot>
  2. Select the earlier snapshot you want to use and repeat the restore.

Learn more about volume snapshot in the ONTAP command reference.