Respond to abnormal activity
When Autonomous Ransomware Protection (ARP) detects abnormal activity in a protected volume, it issues a warning. You should evaluate the notification to determine whether the activity is acceptable (false positive) or whether an attack seems malicious.
ARP displays a list of suspected files when it detects any combination of high data entropy, abnormal volume activity with data encryption, and unusual file extensions.
When the warning is issued, respond by designating the file activity in one of two ways:
-
False positive
The identified file type is expected in your workload and can be ignored.
-
Potential ransomware attack
The identified file type is unexpected in your workload and should be treated as a potential attack.
In both cases, normal monitoring resumes after updating and clearing the notices. ARP records your evaluation to the threat assessment profile, using your choice to monitor subsequent file activities.
In the case of a suspected attack, you must determine whether it is an attack, respond to it if it is, and restore protected data before clearing the notices. Learn more about how to recover from a ransomware attack.
If you restore an entire volume, there are no notices to clear. |
ARP must be running in active mode.
You can use System Manager or the ONTAP CLI to respond to an abnormal task.
-
When you receive an "abnormal activity" notification, follow the link. Alternately, navigate to the Security tab of the Volumes overview.
Warnings are displayed in the Overview pane of the Events menu.
-
When a "Detected abnormal volume activity" message is displayed, view the suspect files.
In the Security tab, select View Suspected File Types.
-
In the Suspected File Types dialog box, examine each file type and mark it as either "False Positive" or "Potential Ransomware attack".
If you selected this value… |
Take this action… |
||
---|---|---|---|
False Positive |
Select Update and Clear Suspect File Types to record your decision and resume normal ARP monitoring.
|
||
Potential Ransomware Attack |
Respond to the attack and restore protected data. Then select Update and Clear Suspect File Types to record your decision and resume normal ARP monitoring. |
-
When you receive a notification of a suspected ransomware attack, verify the time and severity of the attack:
security anti-ransomware volume show -vserver svm_name -volume vol_name
Sample output:
Vserver Name: vs0 Volume Name: vol1 State: enabled Attack Probability: moderate Attack Timeline: 9/14/2021 01:03:23 Number of Attacks: 1
You can also check EMS messages:
event log show -message-name callhome.arw.activity.seen
-
Generate an attack report and note the output location:
security anti-ransomware volume attack generate-report -volume vol_name -dest-path file_location/
Sample output:
Report "report_file_vs0_vol1_14-09-2021_01-21-08" available at path "vs0:vol1/"
-
View the report on an admin client system. For example:
[root@rhel8 mnt]# cat report_file_vs0_vol1_14-09-2021_01-21-08 19 "9/14/2021 01:03:23" test_dir_1/test_file_1.jpg.lckd 20 "9/14/2021 01:03:46" test_dir_2/test_file_2.jpg.lckd 21 "9/14/2021 01:03:46" test_dir_3/test_file_3.png.lckd`
-
Take one of the following actions based on your evaluation of the file extensions:
-
False positive
Enter the following command to record your decision, adding the new extension to the list of those allowed, and resume normal anti-ransomware monitoring:
anti-ransomware volume attack clear-suspect -vserver svm_name -volume vol_name [extension identifiers] -false-positive true
Use one of the following parameters to identify the extensions:
[-seq-no integer]
Sequence number of the file in the suspect list.
[-extension text, … ]
File extensions
[-start-time date_time -end-time date_time]
Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS". -
Potential ransomware attack
Respond to the attack and recover data from the ARP-created backup snapshot. After the data is recovered, enter the following command to record your decision and resume normal ARP monitoring:
anti-ransomware volume attack clear-suspect -vserver svm_name -volume vol_name [extension identifiers] -false-positive false
Use one of the following parameters to identify the extensions:
[-seq-no integer]
Sequence number of the file in the suspect list
[-extension text, … ]
File extension
[-start-time date_time -end-time date_time]
Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS".There are no suspect file types to clear if you restored an entire volume. The ARP-created backup snapshot will be removed and the attack report will be cleared.
-
-
If you are using MAV and an expected
clear-suspect
operation needs additional approvals, each MAV group approver must:-
Show the request:
security multi-admin-verify request show
-
Approve the request to resume normal anti-ransomware monitoring:
security multi-admin-verify request approve -index[number returned from show request]
The response for the last group approver indicates that the volume has been modified and a false positive is recorded.
-
-
If you are using MAV and you are a MAV group approver, you can also reject a clear-suspect request:
security multi-admin-verify request veto -index[number returned from show request]