Skip to main content

Respond to abnormal activity

Contributors netapp-dbagwell netapp-ahibbard netapp-aherbin netapp-forry netapp-thomi

When Autonomous Ransomware Protection (ARP) detects abnormal activity in a protected volume, it issues a warning. You should evaluate the notification to determine whether the activity is acceptable (false positive) or whether an attack seems malicious.

About this task

ARP displays a list of suspected files when it detects any combination of high data entropy, abnormal volume activity with data encryption, and unusual file extensions.

When the warning is issued, respond by designating the file activity in one of two ways:

  • False positive

    The identified file type is expected in your workload and can be ignored.

  • Potential ransomware attack

    The identified file type is unexpected in your workload and should be treated as a potential attack.

In both cases, normal monitoring resumes after updating and clearing the notices. ARP records your evaluation to the threat assessment profile, using your choice to monitor subsequent file activities.

In the case of a suspected attack, you must determine whether it is an attack, respond to it if it is, and restore protected data before clearing the notices. Learn more about how to recover from a ransomware attack.

Note If you restore an entire volume, there are no notices to clear.
Before you begin

ARP must be running in active mode.

Steps

You can use System Manager or the ONTAP CLI to respond to an abnormal task.

System Manager
  1. When you receive an "abnormal activity" notification, follow the link. Alternately, navigate to the Security tab of the Volumes overview.

    Warnings are displayed in the Overview pane of the Events menu.

  2. When a "Detected abnormal volume activity" message is displayed, view the suspect files.

    In the Security tab, select View Suspected File Types.

  3. In the Suspected File Types dialog box, examine each file type and mark it as either "False Positive" or "Potential Ransomware attack".

If you selected this value…​

Take this action…

False Positive

Select Update and Clear Suspect File Types to record your decision and resume normal ARP monitoring.

Note Beginning with ONTAP 9.13.1, if you are using MAV to protect your ARP settings, the clear-suspect operation prompts you to obtain the approval of one or more additional administrators. Approval must be received from all administrators associated with the MAV approval group or the operation will fail.

Potential Ransomware Attack

Respond to the attack and restore protected data. Then select Update and Clear Suspect File Types to record your decision and resume normal ARP monitoring.
There are no suspect file types to clear if you restored an entire volume.

CLI
  1. When you receive a notification of a suspected ransomware attack, verify the time and severity of the attack:

    security anti-ransomware volume show -vserver svm_name -volume vol_name

    Sample output:

    Vserver Name: vs0
    Volume Name: vol1
    State: enabled
    Attack Probability: moderate
    Attack Timeline: 9/14/2021 01:03:23
    Number of Attacks: 1

    You can also check EMS messages:

    event log show -message-name callhome.arw.activity.seen

  2. Generate an attack report and note the output location:

    security anti-ransomware volume attack generate-report -volume vol_name -dest-path file_location/

    Sample output:

    Report "report_file_vs0_vol1_14-09-2021_01-21-08" available at path "vs0:vol1/"

  3. View the report on an admin client system. For example:

    [root@rhel8 mnt]# cat report_file_vs0_vol1_14-09-2021_01-21-08
    
    19  "9/14/2021 01:03:23"   test_dir_1/test_file_1.jpg.lckd
    20  "9/14/2021 01:03:46"   test_dir_2/test_file_2.jpg.lckd
    21  "9/14/2021 01:03:46"   test_dir_3/test_file_3.png.lckd`
  4. Take one of the following actions based on your evaluation of the file extensions:

    • False positive

      Enter the following command to record your decision, adding the new extension to the list of those allowed, and resume normal anti-ransomware monitoring:
      anti-ransomware volume attack clear-suspect -vserver svm_name -volume vol_name [extension identifiers] -false-positive true

      Use one of the following parameters to identify the extensions:
      [-seq-no integer] Sequence number of the file in the suspect list.
      [-extension text, … ] File extensions
      [-start-time date_time -end-time date_time] Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS".

    • Potential ransomware attack

      Respond to the attack and recover data from the ARP-created backup snapshot. After the data is recovered, enter the following command to record your decision and resume normal ARP monitoring:

      anti-ransomware volume attack clear-suspect -vserver svm_name -volume vol_name [extension identifiers] -false-positive false

      Use one of the following parameters to identify the extensions:
      [-seq-no integer] Sequence number of the file in the suspect list
      [-extension text, … ] File extension
      [-start-time date_time -end-time date_time] Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS".

      There are no suspect file types to clear if you restored an entire volume. The ARP-created backup snapshot will be removed and the attack report will be cleared.

  5. If you are using MAV and an expected clear-suspect operation needs additional approvals, each MAV group approver must:

    1. Show the request:

      security multi-admin-verify request show

    2. Approve the request to resume normal anti-ransomware monitoring:

      security multi-admin-verify request approve -index[number returned from show request]

      The response for the last group approver indicates that the volume has been modified and a false positive is recorded.

  6. If you are using MAV and you are a MAV group approver, you can also reject a clear-suspect request:

    security multi-admin-verify request veto -index[number returned from show request]