Release notes
Restore data from ONTAP ARP snapshots after a ransomware attack
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
Autonomous Ransomware Protection (ARP) creates snapshots named Anti_ransomware_backup when it detects a potential ransomware threat. You can use one of these ARP snapshots or another snapshot of your volume to restore data.
If the volume has SnapMirror relationships, manually replicate all mirror copies of the volume immediately after you restore from a snapshot. Not doing so can result in unusable mirror copies that must be deleted and recreated.
To restore from a snapshot other than the Anti_ransomware_backup snapshot after a system attack was identified, you must first release the ARP snapshot.
If no system attack was reported, you must first restore from the Anti_ransomware_backup snapshot then complete a subsequent restoration of the volume from the snapshot of your choosing.
You can use System Manager or the ONTAP CLI to restore your data.
-
To restore from the ARP snapshot, skip to step two. To restore from an earlier snapshot, you must first release the lock on the ARP snapshot.
-
Select Storage > Volumes.
-
Select Security then View Suspected File Types.
-
Mark the files as "Potential ransomware attack".
-
Select Update and Clear Suspect File Types.
-
-
Display the snapshots in volumes:
Select Storage > Volumes, then select the volume and Snapshot Copies.
-
Select
next to the snapshot you want to restore then Restore.
-
Display the snapshots in volumes:
Select Storage > Volumes, then select the volume and Snapshot Copies.
-
Select
them choose the Anti_ransomware_backupsnapshot. -
Select Restore.
-
Return to the Snapshot Copies menu, then choose the snapshot you want to use. Select Restore.
-
To restore from the ARP snapshot, skip to step two. To restore data from earlier snapshots, you must release the lock on the ARP snapshot.
It is only necessary to release the anti-ransomware Snaplock before restoring from earlier snapshots if you are using the volume snapshot restorecommand as outlined below. If you are restoring data using FlexClone, Single File Snap Restore, or other methods, this is not necessary.Mark the attack as a potential ransomware attack (
-false-positive false) and clear suspect files (clear-suspect):
anti-ransomware volume attack clear-suspect -vserver svm_name -volume vol_name [extension identifiers] -false-positive false
Use one of the following parameters to identify the extensions:
[-seq-no integer]Sequence number of the file in the suspect list.
[-extension text, … ]File extensions
[-start-time date_time -end-time date_time]Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS". -
List the snapshots in a volume:
volume snapshot show -vserver <SVM> -volume <volume>CliThe following example shows the snapshot in
vol1:clus1::> volume snapshot show -vserver vs1 -volume vol1 Vserver Volume Snapshot State Size Total% Used% ------- ------ ---------- ----------- ------ ----- ------ ----- vs1 vol1 hourly.2013-01-25_0005 valid 224KB 0% 0% daily.2013-01-25_0010 valid 92KB 0% 0% hourly.2013-01-25_0105 valid 228KB 0% 0% hourly.2013-01-25_0205 valid 236KB 0% 0% hourly.2013-01-25_0305 valid 244KB 0% 0% hourly.2013-01-25_0405 valid 244KB 0% 0% hourly.2013-01-25_0505 valid 244KB 0% 0% 7 entries were displayed. -
Restore the contents of a volume from a snapshot:
volume snapshot restore -vserver <SVM> -volume <volume> -snapshot <snapshot>CliThe following example restores the contents of
vol1:cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010
-
List the snapshots in a volume:
volume snapshot show -vserver <SVM> -volume <volume>CliThe following example shows the snapshot in
vol1:clus1::> volume snapshot show -vserver vs1 -volume vol1 Vserver Volume Snapshot State Size Total% Used% ------- ------ ---------- ----------- ------ ----- ------ ----- vs1 vol1 hourly.2013-01-25_0005 valid 224KB 0% 0% daily.2013-01-25_0010 valid 92KB 0% 0% hourly.2013-01-25_0105 valid 228KB 0% 0% hourly.2013-01-25_0205 valid 236KB 0% 0% hourly.2013-01-25_0305 valid 244KB 0% 0% hourly.2013-01-25_0405 valid 244KB 0% 0% hourly.2013-01-25_0505 valid 244KB 0% 0% 7 entries were displayed. -
Restore the contents of a volume from a snapshot:
volume snapshot restore -vserver <SVM> -volume <volume> -snapshot <snapshot>CliThe following example restores the contents of
vol1:cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010
-
Repeat steps 1 and 2 to restore the volume using the desire snapshot.
