
Restore data after a ransomware attack

Contributors: netapp-forry, netapp-ahibbard, netapp-dbagwell, netapp-aherbin

Snapshot copies named “Anti_ransomware_backup” are created when Autonomous Ransomware Protection (ARP) detects a potential attack. You can restore data from these ARP copies or from other Snapshot copies.

About this task

If the volume has SnapMirror relationships, manually replicate all mirror copies of the volume immediately after you restore from a Snapshot copy. Not doing so can result in unusable mirror copies that must be deleted and recreated.

Steps

You can use System Manager or the ONTAP CLI to restore your data.

System Manager
  1. If you want to restore data from earlier Snapshot copies instead of from the ARP copies, you must release the anti-ransomware Snapshot lock. If you want to restore from the ARP copies, it is not necessary to release the lock and you can skip this step.

    If a system attack was identified, do this:

    1. Select Storage > Volumes.

    2. Select Security, then View Suspected File Types.

    3. Mark the files as "False Positive".

    4. Select Update and Clear Suspect File Types.

    If a system attack was not identified, do this:

    To release the Snapshot lock, you must restore from the ARP copies before you restore from earlier Snapshot copies.

    Follow steps 2-3 to restore data from the ARP copies, then repeat the process to restore from earlier Snapshot copies.

  2. Display the Snapshot copies in volumes:

    Select Storage > Volumes, then select the volume and Snapshot Copies.

  3. Select Menu Option next to the Snapshot copy you want to restore then Restore.

CLI
  1. If you want to restore data from earlier Snapshot copies, instead of from the ARP copies, you must do the following to release the anti-ransomware Snapshot lock. If you want to restore from the ARP copies, it is not necessary to release the lock and you can skip this step.

    Note: It is only necessary to release the anti-ransomware Snapshot lock before restoring from earlier Snapshot copies if you are using the volume snapshot restore command as outlined below. If you are restoring data using FlexClone, Single File SnapRestore, or other methods, this is not necessary.

    If a system attack was identified, do this:

    Mark the attack as a "false positive" and "clear suspect":

    anti-ransomware volume attack clear-suspect -vserver svm_name -volume vol_name [extension identifiers] -false-positive true

    Use one of the following parameters to identify the extensions:
    [-seq-no integer] Sequence number of the file in the suspect list.
    [-extension text, … ] File extensions.
    [-start-time date_time -end-time date_time] Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS".

    If a system attack was not identified, do this:

    To release the Snapshot lock, you must restore from the ARP copies before you restore from earlier Snapshot copies.

    Follow steps 2-3 to restore data from the ARP copies, then repeat the process to restore from earlier Snapshot copies.

  2. List the Snapshot copies in a volume:

    volume snapshot show -vserver SVM -volume volume

    The following example shows the Snapshot copies in vol1:

    clus1::> volume snapshot show -vserver vs1 -volume vol1

    Vserver Volume Snapshot               State   Size   Total% Used%
    ------- ------ ---------------------- ------- ------ ------ -----
    vs1     vol1   hourly.2013-01-25_0005 valid   224KB  0%     0%
                   daily.2013-01-25_0010  valid   92KB   0%     0%
                   hourly.2013-01-25_0105 valid   228KB  0%     0%
                   hourly.2013-01-25_0205 valid   236KB  0%     0%
                   hourly.2013-01-25_0305 valid   244KB  0%     0%
                   hourly.2013-01-25_0405 valid   244KB  0%     0%
                   hourly.2013-01-25_0505 valid   244KB  0%     0%

    7 entries were displayed.
  3. Restore the contents of a volume from a Snapshot copy:

    volume snapshot restore -vserver SVM -volume volume -snapshot snapshot

    The following example restores the contents of vol1:

    cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010
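The CLI procedure above, as an added Python example that is not part of the NetApp documentation: it parses `volume snapshot show` output (a constructed sample) and builds the ordered command sequence the page describes, including the clear-suspect step, the ARP-copy-first rule and the SnapMirror replication reminder; it only produces the commands and does not run them. The timestamp suffix on ARP copy names, the oldest-first listing order, the `-extension enc` selector and the SnapMirror destination path are assumptions.

```python
ARP_PREFIX = "Anti_ransomware_backup"  # ARP copy names start with this (suffix assumed)

# Constructed sample of `volume snapshot show` output, modelled on the page's example
# with an ARP copy inserted between the hourly copies.
SAMPLE_OUTPUT = """\
Vserver Volume Snapshot                               State   Size   Total% Used%
------- ------ -------------------------------------- ------- ------ ------ -----
vs1     vol1   hourly.2013-01-25_0005                 valid   224KB  0%     0%
               daily.2013-01-25_0010                  valid   92KB   0%     0%
               hourly.2013-01-25_0105                 valid   228KB  0%     0%
               Anti_ransomware_backup.2013-01-25_0130 valid   300KB  0%     0%
               hourly.2013-01-25_0205                 valid   236KB  0%     0%
5 entries were displayed.
"""

def parse_snapshot_show(output):
    """Return snapshot names in listing order. Continuation rows omit the Vserver and
    Volume columns, so the name is always the 5th token from the end (before State)."""
    names = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] == "Vserver" or tokens[0].startswith("---"):
            continue
        names.append(tokens[-5])
    return names

def restore_plan(svm, volume, snapshots, target, attack_identified, suspect_selector="-extension enc"):
    """Ordered ONTAP commands to restore `target`. An earlier copy can only be restored
    once the anti-ransomware Snapshot lock is released: clear the suspect list if an
    attack was identified, restore the latest ARP copy, then restore the earlier copy."""
    if target not in snapshots:
        raise ValueError(f"unknown snapshot {target!r}")

    def restore(name):
        return f"volume snapshot restore -vserver {svm} -volume {volume} -snapshot {name}"

    cmds = []
    if target.startswith(ARP_PREFIX):
        cmds.append(restore(target))
    else:
        arp_copies = [s for s in snapshots if s.startswith(ARP_PREFIX)]
        if not arp_copies:
            raise ValueError("no ARP copy listed; release the lock manually before restoring")
        if attack_identified:
            cmds.append(f"anti-ransomware volume attack clear-suspect -vserver {svm} "
                        f"-volume {volume} {suspect_selector} -false-positive true")
        cmds.append(restore(arp_copies[-1]))  # assumes the listing is oldest first
        cmds.append(restore(target))
    # Mirrors must be replicated right after any restore; the destination path is a placeholder.
    cmds.append("snapmirror update -destination-path <DEST_SVM:DEST_VOLUME>")
    return cmds
```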