AWS Storage Blog

Protecting data using Autonomous Ransomware Protection on HAQM FSx for NetApp ONTAP

In a layered, defense-in-depth security strategy, mitigation becomes critical when prevention fails. Most AWS storage services mitigate the impact of ransomware with immutable storage and recovery from backup. Autonomous Ransomware Protection (ARP) is a new security feature of HAQM FSx for NetApp ONTAP (FSx for ONTAP), a fully managed service that provides reliable, scalable, high-performing shared storage built on NetApp’s ONTAP file system. ARP goes further by adding both detection of ransomware attacks and fast recovery from them. While AWS offers customers multiple ways to protect data and run resilient workloads, in this article we explain what ARP is, how it works, and how to use it to improve data protection on FSx for ONTAP file systems.

How ARP helps protect against ransomware

Figure 1: ONTAP security features

ARP is a NetApp ONTAP feature that monitors your file system for unusual activity and automatically creates ONTAP Snapshots when a potential attack is detected, helping you protect business-critical data against a broader set of ransomware events. ONTAP Snapshots use redirect-on-write (ROW), so creating a snapshot or restoring from one only manipulates block pointers inside the file system; terabytes of data can be protected or rolled back in seconds. This is much faster than any backup and restore method that has to transfer data over the network back to the file system.

ARP analyzes your workload’s access patterns to detect suspicious activity. Its analytics look for changes in entropy (the randomness of the data in a file), changes in file extension types (an extension that does not conform to the types normally seen on the volume), and changes in file IOPS (a surge of abnormal volume activity involving encrypted data). Any or all of these patterns might indicate a ransomware event. When suspicious activity is detected, ARP automatically creates a snapshot of the affected volume and, depending on the severity of the suspected attack, generates alerts that you can read via Event Management System (EMS) messages, the ONTAP CLI, or the REST API.

To view detailed information on a suspected event, you can generate a report on the affected volume(s) that shows the attack probability and the attack timeline. After reviewing the report, you record whether the alert was a false positive or a suspected attack. For a suspected attack, first understand and contain the scope of the attack, then recover data from the ARP-created snapshot. If you record the alert as a false positive, the ARP-created snapshot is deleted automatically.

ARP reduces downtime from attacks on SMB or NFS file shares hosted on FSx for ONTAP. For example, a compromised compute instance with legitimate access to a file share can encrypt every file it is authorized to write. ARP detects the attack, creates a snapshot, and logs an alert (alerts can also be forwarded as syslog to other systems). An administrator can then respond to the alert, review the report of affected files, and run the restore process.

There are workloads where ARP’s detection is less effective because normal usage is not distinguishable from suspicious activity. For example, an environment that frequently creates or deletes hundreds of thousands of files, such as a test or development environment, produces a pattern that cannot be reliably told apart from ransomware activity.
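As an added illustration, and not NetApp’s ARP code (which this post does not show), here is a small Python model of the three signals described above, applied to constructed batches of file writes. The extension baseline, the entropy and surge thresholds, the scoring rule and the sample data are all assumptions chosen for the demo; ARP’s real thresholds are not documented here. The last batch reproduces the test/development caveat: a surge of ordinary writes trips the rate signal but not the entropy or extension signals.

```python
import math
import os
import random
from collections import Counter

# Constructed baseline of extensions "learned" during dry-run mode (an assumption for this demo).
KNOWN_EXTENSIONS = {".jpg", ".txt", ".docx", ".pdf", ".log", ".csv", ".zip"}
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext and random data approach 8.0 (assumed threshold)
SURGE_WRITES = 1000   # writes per observation window treated as abnormal (assumed threshold)
MIN_SUSPECT = 20      # encrypted-looking files needed before a window is flagged (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def file_signals(path: str, data: bytes) -> dict:
    """Per-file indicators: does the payload look encrypted, and is the extension outside the baseline?"""
    ext = os.path.splitext(path)[1].lower()
    entropy = shannon_entropy(data)
    return {
        "path": path,
        "entropy": entropy,
        "high_entropy": entropy >= HIGH_ENTROPY,
        "unknown_extension": ext not in KNOWN_EXTENSIONS,
    }

def assess_window(writes: list[tuple[str, bytes]]) -> dict:
    """
    Score one observation window of (path, contents) writes. A file is suspect
    when it is both high-entropy and carries an extension outside the baseline;
    the window is a suspected attack once enough suspect files accumulate. A
    surge of writes with ordinary contents is reported as "surge_only": that is
    the build-output or test-fixture pattern the text says cannot be separated
    from ransomware by write rate alone, so the demo surfaces it for review.
    """
    signals = [file_signals(path, data) for path, data in writes]
    suspect = [s for s in signals if s["high_entropy"] and s["unknown_extension"]]
    surge = len(writes) >= SURGE_WRITES
    if len(suspect) >= MIN_SUSPECT:
        verdict = "suspected_attack"
    elif surge:
        verdict = "surge_only"
    else:
        verdict = "normal"
    return {"writes": len(writes), "suspect_files": len(suspect), "surge": surge, "verdict": verdict}

def build_samples() -> dict:
    """Constructed sample windows; nothing touches a real file system. Random bytes stand in for ciphertext."""
    rng = random.Random(7)  # fixed seed so the results are reproducible
    ransomware = [(f"/share/folder/file{i}.jpg.cf242b", rng.randbytes(4096)) for i in range(200)]
    office = [(f"/share/reports/q{i}.docx", b"quarterly revenue summary " * 200) for i in range(40)]
    devtest = [(f"/share/ci/run{i}.log", b"INFO build step ok\n" * 50) for i in range(1500)]
    # A compressed archive is high-entropy too, but its extension is in the baseline, so it is not suspect.
    archive = [("/share/backup/2025-04-07.zip", rng.randbytes(4096))]
    return {"ransomware": ransomware, "office": office, "devtest": devtest, "archive": archive + office}

if __name__ == "__main__":
    for name, window in build_samples().items():
        print(f"{name:11s} {assess_window(window)}")
```

Running the block prints one verdict per window: the encrypted batch with random suffixes is flagged, the office documents and the archive are normal, and the 1,500-file build output comes back as a surge with zero suspect files, which is exactly why such workloads generate false positives when rate is the only signal.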

Technical walkthrough

To set up ARP, we demonstrate the following steps:

  1. Installation and enabling the feature
  2. Detection and reporting
  3. Recovery after a ransomware attack

The instructions assume you have fsxadmin credentials and are connected to the ONTAP CLI via the management endpoint of a test file system. Commands in this guide are ONTAP CLI commands unless otherwise noted.

Installation and enabling ARP

ARP has two modes, a “learning mode” (aka “dry-run mode”) and an “active mode”. ARP is managed through the ONTAP CLI or ONTAP REST API.

First, we enable ARP in learning mode, either on an existing volume:

security anti-ransomware volume dry-run -volume <vol_name> -vserver <svm_name>

or a new volume:

volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state dry-run -junction-path </path_name>

Note that on an existing volume, both learning mode and active mode apply only to data written after ARP is enabled. Existing data is not scanned or analyzed; ARP builds its baseline of normal traffic from the new writes it observes once the volume is enabled.

NetApp recommends up to 30 days in learning mode (described above) before converting a volume to active mode. ARP automatically determines the optimal learning period interval and automates the switch from learning mode to active mode, which may occur in less than 30 days.

To enable ARP directly in active mode on an existing volume, use the following command:

security anti-ransomware volume enable -volume <vol_name> -vserver <svm_name>

You can also set a default ARP state at the SVM level, which applies to all volumes created afterwards in that SVM:

vserver modify -vserver <svm_name> -anti-ransomware-default-volume-state dry-run

And finally, you can verify the status of ARP:

security anti-ransomware volume show

To verify the status of a particular volume:

security anti-ransomware volume show -vserver <svm_name> -volume <vol_name>

For more information on ARP configuration options, including default values, see the ONTAP command reference.

Detection and reporting

ARP generates alerts when it observes randomized data, high IOPS on encrypted files, or abnormal file extensions. Alerts can be viewed in EMS messages, the ONTAP CLI, or the REST API. After you evaluate an alert, you classify it as one of two outcomes: a false positive or a potential ransomware attack. A report listing the files suspected to be affected by ransomware can be generated with the ONTAP CLI. Depending on the administrator’s response, ARP adjusts how it monitors future file activity.

Alerts can be configured for when ARP observes a new file extension and for when ARP creates a snapshot. For more information, see Configure ARP alerts. Attack detection parameters can be modified so they better fit specific workloads. Sample outputs are provided for the commands below to show what to expect in the event of an attack.

To see whether ARP has created any snapshots (ARP snapshots are named with the prefix Anti_ransomware_backup):

volume snapshot show -vserver <svm_name> -volume <vol_name>

[sample output]

                                                ---Blocks---
Snapshot                                   Size Total% Used%
---------------------------------------- -------- ------ -----
Anti_ransomware_backup.2025-04-07_1503     3.40MB     0%   10%
hourly.2025-04-07_1505                     1.45GB     0%   98%
hourly.2025-04-07_1605                      140KB     0%    0%

Next, check the state, attack probability and timeline for the volume:

security anti-ransomware volume show -vserver <svm_name> -volume <vol_name>

[sample output]

      Vserver Name: fsx
       Volume Name: Vol1
             State: enabled
Dry Run Start Time: -
Attack Probability: low
   Attack Timeline: 04/07/2025 15:08:57
Number of Attacks: 1

You can also check messages in the EMS log:

event log show -message-name callhome.arw.activity.seen

[sample output]

Time                Node             Severity      Event
------------------- ---------------- ------------- ------------------------
04/07/2025 11:27:55 cluster2-01      ALERT        callhome.arw.activity.seen: Call-home message for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0123) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0123)

Then, generate an attack report:

security anti-ransomware volume attack generate-report -vserver <svm_name> -volume <vol_name> -dest-path <[svm_name:]vol_name/[sub-dir-name]>

You can then view the report file from the file system, at the -dest-path you supplied:

[sample file]

1	"4/07/2025 03:08:57"	/folder/file1.jpg.cf242b 1
2	"4/07/2025 03:08:57"	/folder/file2.jpg.2b591a 1
3	"4/07/2025 03:08:57"	/folder/file3.jpg.4812e1 1
 [file continues…]

Based on your evaluation of the attack, you now mark the event as either a false positive or a potential ransomware attack.

To mark the event as a false positive (this action deletes the ARP snapshot):

security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension identifiers>] -false-positive true

To handle a potential attack, respond to the attack first, then recover data from the ARP-created snapshot. Only after the data is recovered, record the decision and resume monitoring:

security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension identifiers>] -false-positive false

Recovery

Before recovering data, respond to the abnormal activity that ARP detected. When a ransomware event is confirmed, the volume can be restored from the ARP-generated snapshot, whose name starts with Anti_ransomware_backup. ARP locks that snapshot while an attack is suspected; a locked snapshot cannot be deleted unless the attack is first marked as a false positive. Administrators can also selectively restore individual files from the snapshot instead of reverting the whole volume.

After an attack has been identified, you can restore the volume from a snapshot. To restore from any snapshot other than the ARP one, you first have to release the lock on the Anti_ransomware_backup snapshot. If no attack was reported, you have to restore the Anti_ransomware_backup snapshot first; only then can other snapshots be restored on top of it.

List all snapshots:

volume snapshot show -vserver <svm_name> -volume <volume>

Restore a snapshot:

volume snapshot restore -vserver <svm_name> -volume <volume> -snapshot <snapshot>

To restore data from earlier snapshots, you first have to release the lock on the ARP snapshot: mark the attack as a potential ransomware attack and clear the suspect files:

security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [extension identifiers] -false-positive false

Use one of the following parameters to identify the extensions:

  • [-seq-no integer] Sequence number of the file in the suspect list.
  • [-extension ext, … ] File extensions.
  • [-start-time date_time -end-time date_time] Starting and ending times for the range of files to be cleared, in the form “MM/DD/YYYY HH:MM:SS”.
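The following Python helper is added here to show how the attack report and the clear-suspect selectors fit together; it is not part of the post and not a NetApp tool. It reads a report in the layout of the sample shown earlier (the column layout is inferred from those three lines; the trailing column is kept opaque because the post does not describe it), groups suspect files by extension and time span, and builds the clear-suspect command with exactly one of the three selector forms listed above. The random-suffix heuristic and the sample rows beyond the first three are assumptions for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # the MM/DD/YYYY HH:MM:SS form that the clear-suspect time range takes
# Triage heuristic (an assumption): ransomware commonly appends a random hex-looking suffix to each file.
RANDOM_SUFFIX = re.compile(r"^[0-9a-f]{6,}$")

# Constructed report. Rows 1-3 are the post's sample rows; rows 4-5 are added so the triage
# sees a second time stamp and one entry that does not look like ransomware.
SAMPLE_REPORT = (
    '1\t"4/07/2025 03:08:57"\t/folder/file1.jpg.cf242b 1\n'
    '2\t"4/07/2025 03:08:57"\t/folder/file2.jpg.2b591a 1\n'
    '3\t"4/07/2025 03:08:57"\t/folder/file3.jpg.4812e1 1\n'
    '4\t"4/07/2025 03:09:12"\t/folder/sub/file4.docx.cf242b 1\n'
    '5\t"4/07/2025 03:09:40"\t/folder/export/report.tmp 1\n'
)

@dataclass
class Suspect:
    seq: int        # sequence number, usable with clear-suspect -seq-no
    when: datetime
    path: str
    trailing: str   # last column of the report; the post does not describe it, so it is kept as-is

    @property
    def extension(self) -> str:
        name = self.path.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[-1] if "." in name else ""

def parse_report(text: str) -> list:
    """Parse lines of the form: seq <TAB> "M/DD/YYYY HH:MM:SS" <TAB> path trailing (layout inferred from the sample)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):   # blank lines and a "[file continues...]" marker
            continue
        seq, when, rest = line.split("\t", 2)
        path, trailing = rest.rsplit(None, 1)
        rows.append(Suspect(int(seq), datetime.strptime(when.strip('"'), TIME_FMT), path, trailing))
    return rows

def triage(suspects: list) -> dict:
    """Group suspect files by extension, flag random-looking extensions, and give the time span."""
    by_ext: dict = {}
    for s in suspects:
        by_ext.setdefault(s.extension, []).append(s)
    return {
        "extensions": {ext: len(rows) for ext, rows in by_ext.items()},
        "random_looking": sorted(ext for ext in by_ext if RANDOM_SUFFIX.match(ext)),
        "start": min(s.when for s in suspects).strftime(TIME_FMT),
        "end": max(s.when for s in suspects).strftime(TIME_FMT),
    }

def clear_suspect_command(vserver: str, volume: str, *, false_positive: bool,
                          extensions=None, seq_no=None, start=None, end=None) -> str:
    """Build the clear-suspect command with exactly one of the three selector forms the post lists."""
    chosen = [x is not None for x in (extensions, seq_no, start)]
    if sum(chosen) != 1 or (start is not None) != (end is not None):
        raise ValueError("use exactly one of: extensions, seq_no, or start together with end")
    cmd = f"security anti-ransomware volume attack clear-suspect -vserver {vserver} -volume {volume}"
    if extensions is not None:
        cmd += " -extension " + ",".join(extensions)
    elif seq_no is not None:
        cmd += f" -seq-no {seq_no}"
    else:
        cmd += f' -start-time "{start}" -end-time "{end}"'
    return cmd + f" -false-positive {'true' if false_positive else 'false'}"

if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    summary = triage(rows)
    print(summary)
    # Clear the random-suffix extensions as a confirmed attack, and the lone .tmp entry as a false positive.
    print(clear_suspect_command("svm1", "Vol1", false_positive=False, extensions=summary["random_looking"]))
    print(clear_suspect_command("svm1", "Vol1", false_positive=True, seq_no=5))
```

The triage output makes the decision explicit: three extensions that all match the random-suffix pattern point at an attack, while the single .tmp entry written in the same window is the kind of row an administrator would clear as a false positive by sequence number. The generated commands are only strings; you still paste them into the ONTAP CLI yourself after reviewing them.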

Cost

While ARP is available at no extra cost, standard FSx for ONTAP costs apply. Remember to clean up unused resources when testing is complete so you do not incur additional charges.

Additional options

Beyond the scope of this article, FSx for ONTAP can be integrated into your broader security practice. EMS events can be ingested into a security information and event management (SIEM) system for central visibility and management of security events. NetApp Vscan, an ONTAP feature that runs supported third-party antivirus software, can add malware detection as files are written. More broadly, you can learn about additional ways to protect your whole AWS environment here.
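As an added example of the SIEM ingestion mentioned above (not the post’s code and not a NetApp tool), this Python snippet parses event log show output in the layout of the EMS sample shown earlier in the walkthrough into flat JSON records. The first sample event is the one the post shows; the other two are constructed for the demo (one with an invented, non-ONTAP message name so the filter has something to drop), the rule that the first UUID reference in the text is the volume and the second the SVM is inferred from that one sample, and treating every message name containing .arw. as ARP-related is an assumption.

```python
import json
import re
from datetime import datetime

# Constructed sample in the layout of `event log show` output. The first event line is the one
# quoted in the walkthrough; the other two are made up for this example, and "example.noise.event"
# is not a real ONTAP message name.
SAMPLE_EMS = """\
Time                Node             Severity      Event
------------------- ---------------- ------------- ------------------------
04/07/2025 11:27:55 cluster2-01      ALERT        callhome.arw.activity.seen: Call-home message for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0123) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0123)
04/07/2025 11:30:02 cluster2-01      INFORMATIONAL example.noise.event: Constructed non-ARP message for this demo
04/07/2025 11:31:10 cluster2-02      ERROR        callhome.arw.activity.seen: Call-home message for Vol2 (UUID: 0a1b2c3d-4e5f-11ed-9f93-005056a0123) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0123)
"""

EVENT_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<node>\S+)\s+(?P<severity>\S+)\s+"
    r"(?P<name>[A-Za-z0-9_.]+):\s*(?P<text>.*)$"
)
# "<name> (UUID: <uuid>)" references inside the message text, such as the volume and the SVM.
UUID_REF = re.compile(r"(\S+) \(UUID: ([0-9a-fA-F-]+)\)")

def parse_ems(text: str) -> list[dict]:
    """Turn the tabular CLI output into one flat dict per event; header and separator lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_LINE.match(line.rstrip())
        if not m:
            continue
        refs = UUID_REF.findall(m["text"])
        # Assumption drawn from the quoted sample: first UUID reference is the volume, second is the SVM.
        volume, volume_uuid = refs[0] if len(refs) > 0 else ("", "")
        svm, svm_uuid = refs[1] if len(refs) > 1 else ("", "")
        events.append({
            "timestamp": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S").isoformat(),
            "node": m["node"],
            "severity": m["severity"],
            "message_name": m["name"],
            "volume": volume,
            "volume_uuid": volume_uuid,
            "svm": svm,
            "svm_uuid": svm_uuid,
            "text": m["text"],
        })
    return events

def arp_events(events: list[dict]) -> list[dict]:
    """Keep ARP-related events. Assumption: ARP message names carry an 'arw' component, as in the sample."""
    return [e for e in events if ".arw." in e["message_name"]]

def to_json_lines(events: list[dict]) -> str:
    """One JSON object per line, the shape most SIEM collectors accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

if __name__ == "__main__":
    print(to_json_lines(arp_events(parse_ems(SAMPLE_EMS))))
```

In practice you would feed the collector the output of event log show (or the syslog forward the post mentions) rather than an embedded string; the point of normalizing the volume, SVM and their UUIDs into separate fields is that a SIEM rule can then correlate an ARP alert with the file share’s clients and with the snapshot and report steps from the walkthrough.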

Conclusion

By helping protect your file system against ransomware attacks, ARP helps you maintain business continuity and improve data protection for the business-critical data stored on FSx for ONTAP. In this blog post, we outlined Autonomous Ransomware Protection (ARP) on HAQM FSx for NetApp ONTAP as an integral part of your overall security posture for cloud workloads. ARP is easy to set up and provides faster recovery than traditional backup and recovery solutions. Using the ONTAP CLI, you enable ARP on a volume; ARP then detects potential events and automatically creates snapshots. An administrator can view reports, mark events as ransomware or false positives, and restore volumes, or individual files, from the snapshot. ARP is available for all FSx for ONTAP file systems in all AWS Regions where the service is available. Learn more about HAQM FSx for NetApp ONTAP.

Sean Phuphanich

Sean is a Principal Technologist at AWS focused on solving complex challenges for industry. He is a leader in the AWS Storage community, leads the Public Sector Zero Trust Lab team, and is a technical leader in ISV partnerships.

Ivo Janssen

Ivo is a Senior Solutions Architect at AWS in the Nonprofit team, where he enjoys solving nonprofit missions through cloud technology. On the weekends, you can find Ivo at the race track as a volunteer track marshal.

Sujata Abichandani

Sujata is a Senior Technical Account manager for strategic customers at AWS. She assists customers with troubleshooting and resolving complex technical issues. She has expertise in managing and migrating Network Attached Storage between storage systems.