
Restore data from ONTAP ARP snapshots after a ransomware attack

Contributors netapp-dbagwell netapp-aherbin netapp-ahibbard netapp-forry netapp-aaron-holt

Autonomous Ransomware Protection (ARP) creates snapshots to protect against a potential ransomware threat. You can use one of these ARP snapshots or another snapshot of your volume to restore data.

About this task

ARP creates snapshots whose names begin with one of the following prefixes:

  • Anti_ransomware_periodic_backup: Used in ONTAP 9.17.1 and later for snapshots created at regular intervals. For example, Anti_ransomware_periodic_backup.2025-06-01_1248.

  • Anti_ransomware_attack_backup: Used in ONTAP 9.17.1 and later for snapshots created in response to abnormalities. For example, Anti_ransomware_attack_backup.2025-08-25_1248.

  • Anti_ransomware_backup: Used in ONTAP 9.16.1 and earlier with snapshots that are created in response to abnormalities. For example, Anti_ransomware_backup.2022-12-20_1248.

To restore from a snapshot other than the Anti_ransomware snapshot after a system attack is identified, you must first release the ARP snapshot.

If no system attack is reported, you must first restore from the Anti_ransomware snapshot, then complete a subsequent restoration of the volume from the snapshot you choose.

Note: If the ARP-protected volume is part of a SnapMirror relationship, you'll need to manually update all mirror copies of the volume after restoring it from a snapshot. If you skip this step, the mirror copies might become unusable and need to be deleted and recreated.

Before you begin

You must mark the attack as a potential ransomware attack before restoring data from a snapshot.

Steps

You can use System Manager or the ONTAP CLI to restore your data.

System Manager
Restore after a system attack
  1. To restore from the ARP snapshot, skip to step two. To restore from an earlier snapshot, you must first release the lock on the ARP snapshot.

    1. Select Storage > Volumes.

    2. Select Security then View Suspected File Types.

    3. Mark the files as "Potential ransomware attack".

    4. Select Update and Clear Suspect File Types.

  2. Display the snapshots in volumes:

    Select Storage > Volumes, then select the volume and Snapshot Copies.

  3. Select the menu options icon next to the snapshot you want to restore, then select Restore.

Restore if a system attack was not identified
  1. Display the snapshots in volumes:

    Select Storage > Volumes, then select the volume and Snapshot Copies.

  2. Select the menu options icon, then choose the Anti_ransomware snapshot.

  3. Select Restore.

  4. Return to the Snapshot Copies menu, then choose the snapshot you want to use. Select Restore.

CLI
Restore after a system attack

To restore from the ARP snapshot, skip to step two. To restore data from earlier snapshots, you must release the lock on the ARP snapshot.

Note: You only need to release the anti-ransomware SnapLock before restoring from earlier snapshots if you are using the volume snapshot restore command as outlined below. If you are restoring data using FlexClone, Single File Snap Restore, or other methods, this is not necessary.

  1. Mark the attack as a potential ransomware attack (-false-positive false) and clear suspect files (clear-suspect):

    anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension identifiers>] -false-positive false

    Use one of the following parameters to identify the extensions:

    • [-seq-no integer]: Sequence number of the file in the suspect list.

    • [-extension text, … ]: File extensions.

    • [-start-time date_time -end-time date_time]: Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS".

  2. List the snapshots in a volume:

    volume snapshot show -vserver <SVM> -volume <volume>

    The following example shows the snapshot in vol1:

    clus1::> volume snapshot show -vserver vs1 -volume vol1
    
    Vserver Volume Snapshot                State    Size Total% Used%
    ------- ------ ----------------------- ------ ------ ------ -----
    vs1     vol1   hourly.2013-01-25_0005  valid   224KB     0%    0%
                   daily.2013-01-25_0010   valid    92KB     0%    0%
                   hourly.2013-01-25_0105  valid   228KB     0%    0%
                   hourly.2013-01-25_0205  valid   236KB     0%    0%
                   hourly.2013-01-25_0305  valid   244KB     0%    0%
                   hourly.2013-01-25_0405  valid   244KB     0%    0%
                   hourly.2013-01-25_0505  valid   244KB     0%    0%

    7 entries were displayed.

  3. Restore the contents of a volume from a snapshot:

    volume snapshot restore -vserver <SVM> -volume <volume> -snapshot <snapshot>

    The following example restores the contents of vol1:

    cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010

Restore if a system attack was not identified
  1. List the snapshots in a volume:

    volume snapshot show -vserver <SVM> -volume <volume>

    The following example shows the snapshot in vol1:

    clus1::> volume snapshot show -vserver vs1 -volume vol1
    
    Vserver Volume Snapshot                State    Size Total% Used%
    ------- ------ ----------------------- ------ ------ ------ -----
    vs1     vol1   hourly.2013-01-25_0005  valid   224KB     0%    0%
                   daily.2013-01-25_0010   valid    92KB     0%    0%
                   hourly.2013-01-25_0105  valid   228KB     0%    0%
                   hourly.2013-01-25_0205  valid   236KB     0%    0%
                   hourly.2013-01-25_0305  valid   244KB     0%    0%
                   hourly.2013-01-25_0405  valid   244KB     0%    0%
                   hourly.2013-01-25_0505  valid   244KB     0%    0%

    7 entries were displayed.

  2. Restore the contents of a volume from a snapshot:

    volume snapshot restore -vserver <SVM> -volume <volume> -snapshot <snapshot>

    The following example restores the contents of vol1:

    cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010
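
An added example (not NetApp's code): it classifies snapshot names by the ARP prefixes listed under About this task and, from a volume snapshot show listing, reports the oldest attack-triggered ARP snapshot and the snapshots taken before it. The function names, kind labels, sample listing, and the use of the timestamp in the snapshot name as the cut-off are assumptions of this example.

```python
import re
from datetime import datetime

# Name prefixes exactly as listed on this page; the kind labels are this example's own.
ARP_PREFIXES = {
    "Anti_ransomware_periodic_backup": "arp-periodic",  # ONTAP 9.17.1 and later
    "Anti_ransomware_attack_backup": "arp-attack",      # ONTAP 9.17.1 and later
    "Anti_ransomware_backup": "arp-attack",             # ONTAP 9.16.1 and earlier
}
NAME_RE = re.compile(r"^([A-Za-z_]+)\.(\d{4}-\d{2}-\d{2}_\d{4})$")

def parse_snapshot(name):
    """Return (kind, timestamp) for <prefix>.<YYYY-MM-DD_HHMM> names, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%Y-%m-%d_%H%M")
    except ValueError:  # digits in the right shape but not a real date
        return None
    return ARP_PREFIXES.get(m.group(1), "other"), ts

def snapshot_names(cli_output):
    """Collect snapshot names from listing text; also handles a name that
    sits on a line of its own, as in the constructed sample below."""
    return [tok for line in cli_output.splitlines()
            for tok in line.split() if parse_snapshot(tok)]

def plan_restore(names):
    """Find the oldest attack-triggered ARP snapshot and the snapshots taken
    before it (newest first); restoring one of those needs the ARP release step."""
    parsed = [(p[1], p[0], n) for n in names if (p := parse_snapshot(n))]
    attacks = sorted(x for x in parsed if x[1] == "arp-attack")
    if not attacks:
        return {"attack_snapshot": None, "earlier": []}
    cutoff = attacks[0][0]
    earlier = sorted((x for x in parsed if x[0] < cutoff), reverse=True)
    return {"attack_snapshot": attacks[0][2], "earlier": [x[2] for x in earlier]}

# Constructed listing (not real cluster output).
SAMPLE = """\
vs1     vol1   daily.2025-08-25_0010                  valid    92KB     0%    0%
               hourly.2025-08-25_1105                 valid   224KB     0%    0%
               Anti_ransomware_periodic_backup.2025-08-25_1200
                                                      valid   228KB     0%    0%
               Anti_ransomware_attack_backup.2025-08-25_1248
                                                      valid   236KB     0%    0%
               hourly.2025-08-25_1305                 valid   244KB     0%    0%
"""
```

Calling plan_restore(snapshot_names(SAMPLE)) returns the attack snapshot name and the earlier snapshots in newest-first order; the hourly snapshot taken after the attack snapshot is excluded.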

Learn more about volume snapshot in the ONTAP command reference.