Protect your data with NetApp Autonomous Ransomware Protection with AI
Protect your data with NetApp Autonomous Ransomware Protection with AI (ARP/AI), a feature that uses workload analysis in NAS (NFS/SMB) environments to detect and warn about abnormal activity that might be a ransomware attack. When an attack is suspected, ARP/AI also creates new, immutable snapshots from which you can restore your data.
Use ARP/AI to protect against denial-of-service attacks where the attacker withholds data until a ransom is paid. ARP/AI offers real-time ransomware detection based on:
- Identification of the incoming data as encrypted or plaintext.
- Analytics that detect:
  - Entropy: An evaluation of the randomness of data in a file
  - File extension types: An extension that does not conform to the normal extension type
  - File IOPS: A surge in abnormal volume activity with data encryption

ARP/AI can detect the spread of most ransomware attacks after only a small number of files are encrypted, take action automatically to protect data, and alert you that a suspected attack is happening.
The ARP/AI feature automatically updates according to the ONTAP version that Amazon FSx for NetApp ONTAP runs so you don't have to make manual updates.
Learning and active modes
ARP/AI operates first in learning mode and then automatically switches to active mode.
- Learning mode: When you enable ARP/AI, it runs in learning mode. In learning mode, the FSx for ONTAP file system develops an alert profile based on the analytic areas: entropy, file extension types, and file IOPS. After the file system runs ARP/AI in learning mode for enough time to assess workload characteristics, workload factory automatically switches ARP/AI to active mode and starts protecting your data.
- Active mode: After ARP/AI switches to active mode, FSx for ONTAP creates ARP/AI snapshots to protect the data if a threat is detected.
  In active mode, if a file extension is flagged as abnormal, you should evaluate the alert. You can act on the alert to protect your data, or you can mark the alert as a false positive. Marking an alert as a false positive updates the alert profile. For example, if the alert is triggered by a new file extension and you mark the alert as a false positive, you will not receive an alert the next time that file extension is observed.
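The detection analytics described above (entropy and file extension types) and the learning-mode alert profile with false-positive feedback, as an added Python model that is not NetApp's or ONTAP's own code; the 7.0-bit entropy threshold and the profile structure are assumptions for illustration only.

```python
import math
from collections import Counter
from pathlib import PurePosixPath


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input).

    Plaintext documents typically score well below 8.0; encrypted or
    compressed content approaches 8.0, which is the "randomness" signal
    the page describes.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ArpProfile:
    """Toy alert profile: learns the extensions seen on a workload, then
    flags unknown extensions and high-entropy writes once active."""

    ENTROPY_THRESHOLD = 7.0  # assumed value, not a documented ONTAP setting

    def __init__(self):
        self.known_extensions = set()
        self.active = False  # starts in learning mode

    def observe(self, path: str, data: bytes) -> list:
        """Record a file write; return the alert reasons (empty if none)."""
        ext = PurePosixPath(path).suffix.lower()
        if not self.active:
            self.known_extensions.add(ext)  # learning mode: build the profile
            return []
        reasons = []
        if ext not in self.known_extensions:
            reasons.append(f"unknown extension {ext!r}")
        if shannon_entropy(data) >= self.ENTROPY_THRESHOLD:
            reasons.append("high-entropy (encrypted-looking) content")
        return reasons

    def switch_to_active(self):
        self.active = True

    def mark_false_positive(self, path: str):
        """Mirror of marking an alert as a false positive in the console:
        the extension joins the profile and no longer raises an alert."""
        self.known_extensions.add(PurePosixPath(path).suffix.lower())
```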
Unsupported configurations
The following configurations don't support the use of ARP/AI:
- SAN/Block volumes
- iSCSI volumes
- NVMe volumes
Enable ARP/AI for a file system or a volume
Enabling ARP/AI for a file system adds protection for all existing NAS and newly created NAS (NFS/SMB) volumes automatically. You can also enable ARP/AI for individual volumes.
After enabling ARP/AI, if an attack occurs and you identify the attack is real, workload factory automatically sets up a snapshot policy that takes up to six snapshots every four hours. Each snapshot is locked for 2-5 days.
To enable ARP/AI for a file system or a volume, you must first associate a link. Learn how to associate an existing link or to create and associate a new link. After the link is associated, return to this operation.

To enable ARP/AI for a file system:
- Log in using one of the console experiences.
- In Storage, select Go to Storage inventory.
- In the FSx for ONTAP tab, select the three-dot menu of the file system to enable ARP/AI and then select Manage.
- Under Information, select the pencil icon next to Autonomous Ransomware Protection. The pencil icon appears next to the arrow when the mouse hovers over the Autonomous Ransomware Protection row.
- From the NetApp Autonomous Ransomware Protection with AI (ARP/AI) page, do the following:
  - Enable or disable the feature.
  - Automatic snapshot creation: Select the maximum number of snapshots to retain and the interval of time between taking snapshots. The default is 6 snapshots every 4 hours.
  - Immutable snapshots: Select the default retention period in hours and the maximum number of days to retain immutable snapshots. Enable this option to ensure that snapshots cannot be deleted or modified until the specified retention period ends.
  - Detection: Optionally, select any of the following parameters to automatically scan and detect anomalies.
  - Accept the statement to proceed.
- Select Apply to save the changes.
To enable ARP/AI for a volume:
- Log in using one of the console experiences.
- In Storage, select Go to Storage inventory.
- In the FSx for ONTAP tab, select the three-dot menu of the file system to enable ARP/AI and then select Manage.
- From the Volumes tab, select the three-dot menu of the volume to enable ARP/AI, then Data protection actions, and then Manage ARP/AI.
- In the Manage ARP/AI dialog, do the following:
  - Enable or disable the feature.
  - Detection: Optionally, select any of the following parameters to automatically scan and detect anomalies.
  - Accept the statement to proceed.
- Select Apply to save the changes.
Validate ransomware attacks
Determine if an attack is a false alarm or a genuine ransomware incident.
- Log in using one of the console experiences.
- In Storage, select Go to Storage inventory.
- From the file system overview, select the Volumes tab.
- Select Analyze attacks from the Autonomous Ransomware Protection tile.
- Download the attack events report to review whether any files or folders were compromised, and then decide if an attack has occurred.
  - If no attack occurred, select False alarm for the volume in the table and then select Close.
  - If an attack has occurred, select Real attack for the volume in the table. The Restore compromised volume data dialog opens. You can proceed to recover your data immediately, or select Close and come back to complete the recovery process later.
Recover data after a ransomware attack
When an attack is suspected, the system takes a volume snapshot at that point in time and locks that copy. If the attack is confirmed later, the affected files or the entire volume can be restored using the ARP/AI snapshot.
Locked snapshots cannot be deleted until the retention period ends. However, if you decide later to mark the attack as a false positive, the locked copy will be deleted.
With the knowledge of the affected files and the time of attack, it is possible to selectively recover the affected files from various snapshots rather than simply reverting the whole volume to one of the snapshots.
- Log in using one of the console experiences.
- In Storage, select Go to Storage inventory.
- From the file system overview, select the Volumes tab.
- Select Analyze attacks from the Autonomous Ransomware Protection tile.
- If an attack has occurred, select Real attack for the volume in the table.
- In the Restore compromised volume data dialog, follow the instructions to restore at the file level or at the volume level. In most cases, you'll restore files rather than an entire volume.
- After you complete the restore, select Close.
The compromised data has been restored.