
In today’s digital age, ransomware is becoming an increasingly serious threat to businesses. According to a recent report by the UK’s National Cyber Security Centre (NCSC), Artificial Intelligence (AI) is expected to increase both the volume and impact of ransomware attacks over the next two years. Having a strong cybersecurity strategy is therefore more critical than ever. This is exactly where NetApp’s Autonomous Ransomware Protection (ARP), integrated into ONTAP systems, comes into play. ARP takes your data security to the next level by proactively detecting and responding to ransomware attacks.
So, how does this powerful technology work, and how does it protect your business? Let’s take a closer look.
What Is ARP and How Does It Work?
Introduced in ONTAP version 9.10.1, ARP (Autonomous Ransomware Protection) proactively detects and alerts on abnormal activity that may indicate a ransomware attack by analyzing workloads in NAS environments (NFS and SMB). Since ARP is built directly into ONTAP, it works seamlessly with other ONTAP features. Operating in real time, it monitors data being read from or written to the file system, allowing it to quickly identify and respond to potential ransomware threats.
When suspicious activity is detected, ARP creates new snapshots in addition to any pre-scheduled ones, ensuring your data has a secure recovery point in the event of an attack.
AI-Powered ARP/AI (Starting with ONTAP 9.16.1)
Starting with ONTAP 9.16.1, ARP enhances cyber resilience by incorporating a machine learning (ML) model for ransomware analysis. This model is capable of detecting evolving ransomware variants with up to 99% accuracy. The machine learning model was intensively trained outside of ONTAP on a large dataset of file activity, both before and after simulated ransomware attacks. The insights gained from this training are then applied directly within ONTAP to power the detection model.
With ARP/AI and FlexVol volumes, there is no learning period required. ARP/AI is immediately active and operational upon installation or after upgrading to ONTAP 9.16.1. If ARP was already enabled on these volumes, the upgrade to ONTAP 9.16.1 will automatically activate ARP/AI for both existing and new FlexVol volumes. However, when using ARP with FlexGroup volumes in ONTAP 9.16.1, a learning period is still required.
To ensure up-to-date protection against the latest ransomware threats, ARP/AI provides frequent automatic updates outside of the standard ONTAP release cycle. These security updates can be managed through System Manager or checked manually if preferred.
What Does ARP Detect?
ARP is designed to protect against denial-of-service attacks, where an attacker holds data hostage until a ransom is paid. Its real-time ransomware detection is based on the following foundations:
- Identifying whether incoming data is encrypted or plaintext.
- Detecting the following patterns through analysis:
  - Entropy: Evaluates the randomness of data within a file.
  - File extension types: Flags file extensions that do not match typical or expected formats.
  - File IOPS: Detects sudden spikes in volume activity consistent with data encryption (available starting with ONTAP 9.11.1).
ARP can detect most ransomware attacks after only a small number of files have been encrypted. It can then automatically take action to protect the data and alert you to the suspicious activity.
No ransomware detection or prevention system can guarantee complete immunity from an attack. However, ARP serves as a critical additional layer of defense—especially in cases where antivirus software may fail to detect a breach.
Learning and Active Modes
All ARP versions from ONTAP 9.10.1 through 9.15.1—and ARP used with FlexGroup volumes in ONTAP 9.16.1—operate in two distinct modes:
Learning Mode (also known as “dry run” mode):
This is the default mode when ARP is first enabled. In this phase, ONTAP analyzes workload behavior to develop an alert profile based on metrics like entropy, file extension types, and file IOPS.
After running in learning mode for a sufficient period—typically recommended for 30 days—ARP can transition to active mode to begin protecting data.
Starting with ONTAP 9.13.1, the system can automatically determine and apply the optimal learning period, potentially switching to active mode sooner than 30 days.
Active Mode (also known as “enabled” mode):
Once the learning phase is complete, ARP enters active mode. When a potential threat is detected, ONTAP automatically creates ARP snapshots to protect the data.
If a file extension is flagged as anomalous in this mode, administrators must either take action to protect the data or mark the alert as a false positive. Doing so updates the alert profile, ensuring that the same file extension won’t trigger another alert in the future.
From ONTAP 9.11.1 onward, ARP detection parameters can also be customized for more granular control.
Threat Assessment and ARP Snapshots
When ARP is in active mode (not in learning mode), it evaluates the threat likelihood by analyzing incoming data against learned analytics. When a threat is detected, a severity level is assigned:
- Low: The earliest detection of an anomaly in the volume (e.g., observation of a new file extension). This detection level is only available in ONTAP versions prior to 9.16.1 that do not use ARP/AI. ONTAP does not send alerts for low threats, but starting with ONTAP 9.14.1, alert settings can be modified.
- Moderate: Multiple files are observed with the same file extension that hasn’t been seen before. In ONTAP 9.10.1, this threshold was 100 or more files. From ONTAP 9.11.1 onward, this value is configurable (default is 20).
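The following Python is an added illustration of the detection signals listed under "What Does ARP Detect?" (entropy, unseen file extensions, a spike in write IOPS) and of how the low and moderate severity levels build on them. It is written for this article and is not NetApp code; it does not reproduce ONTAP's analytics or the ARP/AI model. The entropy cut-off and the IOPS spike factor are assumptions, the moderate threshold of 20 files is the default the article cites, and the learning-period and attack workloads are constructed.

```python
"""Toy model of ARP-style detection: learning mode builds an alert profile,
active mode rates a batch of writes as none / low / moderate. Illustration
only, not NetApp code; cut-offs marked 'assumed' are not ONTAP's."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

MODERATE_FILE_THRESHOLD = 20   # ONTAP 9.11.1+ default per the article
HIGH_ENTROPY_BITS = 7.5        # assumed cut-off: near 8 bits/byte reads as ciphertext
IOPS_SPIKE_FACTOR = 5.0        # assumed: 5x the learned write rate counts as a spike


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Last extension of the file name, lower-cased ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass
class WriteEvent:
    path: str
    payload: bytes
    second: int          # wall-clock second of the write (constructed timeline)


@dataclass
class AlertProfile:
    known_extensions: Set[str] = field(default_factory=set)
    baseline_wps: float = 0.0   # writes per second observed while learning


def learn(events: Iterable[WriteEvent]) -> AlertProfile:
    """Learning ("dry run") mode: record the normal extensions and write rate."""
    events = list(events)
    profile = AlertProfile({extension(ev.path) for ev in events})
    profile.baseline_wps = len(events) / max(len({ev.second for ev in events}), 1)
    return profile


def assess(profile: AlertProfile, events: Iterable[WriteEvent]) -> Dict[str, object]:
    """Active mode: rate a batch of writes against the learned profile."""
    events = list(events)
    new_ext_files: Counter = Counter()
    encrypted_new_ext = 0
    for ev in events:
        ext = extension(ev.path)
        if ext and ext not in profile.known_extensions:
            new_ext_files[ext] += 1
            if shannon_entropy(ev.payload) >= HIGH_ENTROPY_BITS:
                encrypted_new_ext += 1
    peak_wps = max(Counter(ev.second for ev in events).values(), default=0)
    iops_spike = profile.baseline_wps > 0 and peak_wps >= IOPS_SPIKE_FACTOR * profile.baseline_wps
    severity = "none"
    if new_ext_files:
        severity = "low"            # first sighting of an unseen extension
    if any(n >= MODERATE_FILE_THRESHOLD for n in new_ext_files.values()):
        severity = "moderate"       # many files with the same unseen extension
    return {
        "severity": severity,
        "new_extensions": dict(new_ext_files),
        "encrypted_new_ext_files": encrypted_new_ext,
        "iops_spike": iops_spike,
        "peak_writes_per_second": peak_wps,
    }


# ---- constructed sample workload -------------------------------------------
def _plain(i: int) -> bytes:
    return (f"Quarterly report {i}: revenue, costs, headcount. " * 40).encode()


def _ciphertext(i: int) -> bytes:
    # Deterministic pseudo-random bytes standing in for encrypted file content.
    return b"".join(hashlib.sha256(f"{i}:{j}".encode()).digest() for j in range(128))


# 30 ordinary office-document writes, one per second: the learning period.
LEARNING_EVENTS: List[WriteEvent] = [
    WriteEvent(f"/finance/report-{i}.{ext}", _plain(i), second=i)
    for i, ext in enumerate(["docx", "xlsx", "pdf"] * 10)
]
# 25 files rewritten as high-entropy '.locked' content within three seconds.
ATTACK_EVENTS: List[WriteEvent] = [
    WriteEvent(f"/finance/report-{i}.docx.locked", _ciphertext(i), second=100 + i // 10)
    for i in range(25)
]

if __name__ == "__main__":
    profile = learn(LEARNING_EVENTS)
    print("normal:", assess(profile, LEARNING_EVENTS))
    print("attack:", assess(profile, ATTACK_EVENTS))
```

Running it shows the three signals lining up on the constructed attack batch: a single unseen extension on many files, near-8-bit entropy in every one of them, and a write rate well above the learned baseline, which together justify the moderate rating; a handful of such files only reaches the low level, and the normal workload stays at none.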
In the case of a low-level threat, ONTAP detects the anomaly and creates a snapshot of the volume to ensure the best recovery point. ARP snapshots are named with the Anti_ransomware_backup prefix for easy identification—for example, Anti_ransomware_backup.2022-12-20_124819.
If the anomaly escalates to a moderate level after an ONTAP analytic scan, the system evaluates whether the activity matches a ransomware profile. When the risk level becomes moderate, ONTAP generates an EMS notification and prompts the administrator to review the threat.
Moderate threat information can be viewed in the Events section of System Manager or via the security anti-ransomware volume show command. Individual ARP snapshots are retained for two days, while multiple snapshots are kept for five days by default. Starting with ONTAP 9.11.1, these retention settings can be modified.
Data Recovery After a Ransomware Attack
When a potential attack is suspected, the system immediately takes a volume snapshot and locks this copy. If the attack is later confirmed, the volume can be restored using the ARP snapshot. Locked snapshots cannot be deleted through normal methods. However, if you later decide to mark the attack as a false positive, the locked copy is deleted.
With information about the affected files and the time of the attack, it is possible to selectively recover affected files from various snapshots instead of reverting the entire volume to a previous snapshot. ARP is built on proven ONTAP data protection and disaster recovery technology to respond to ransomware attacks.
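As an added example of the selective recovery described above (not NetApp code, written for this article), the script below parses snapshot names and, for each affected file, picks the newest snapshot taken before that file was touched. The ARP names follow the Anti_ransomware_backup prefix shown in the article, in both the HHMMSS and HHMM time forms that appear on this page; the hourly/daily/weekly prefixes are ONTAP's scheduled-snapshot naming. The snapshot list and the per-file timestamps are constructed; in practice they would come from the volume's snapshot list and the attack report.

```python
"""Choose a per-file recovery point from ARP and scheduled snapshots.
Illustration written for this article; not NetApp code."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# ARP prefix from the article plus ONTAP's scheduled-snapshot prefixes;
# the time part is HHMM or HHMMSS (both forms appear in the article).
_NAME = re.compile(
    r"^(Anti_ransomware_backup|hourly|daily|weekly)\.(\d{4}-\d{2}-\d{2})_(\d{4}|\d{6})$"
)


def parse_snapshot(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (kind, timestamp) for a recognised snapshot name, else None."""
    m = _NAME.match(name)
    if not m:
        return None
    kind, day, clock = m.groups()
    fmt = "%Y-%m-%d_%H%M%S" if len(clock) == 6 else "%Y-%m-%d_%H%M"
    return kind, datetime.strptime(f"{day}_{clock}", fmt)


def is_arp_snapshot(name: str) -> bool:
    parsed = parse_snapshot(name)
    return parsed is not None and parsed[0] == "Anti_ransomware_backup"


def plan_file_recovery(snapshots: List[str],
                       affected: Dict[str, datetime]) -> Dict[str, Optional[str]]:
    """For each affected file, the newest snapshot older than the file's
    modification time, or None if no listed snapshot predates it."""
    dated = []
    for name in snapshots:
        parsed = parse_snapshot(name)
        if parsed is not None:
            dated.append((parsed[1], name))
    dated.sort()
    plan: Dict[str, Optional[str]] = {}
    for path, touched in affected.items():
        clean = [name for ts, name in dated if ts < touched]
        plan[path] = clean[-1] if clean else None
    return plan


# ---- constructed sample data ------------------------------------------------
SNAPSHOTS = [
    "weekly.2025-06-01_0015",
    "daily.2025-06-06_0010",
    "hourly.2025-06-06_1900",
    "hourly.2025-06-06_2000",
    "Anti_ransomware_backup.2025-06-06_2007",   # taken by ARP at detection
    "snapmirror_baseline",                      # unrelated name, ignored
]
# Modification times of the encrypted files, as an attack report would list them.
AFFECTED_FILES = {
    "/finance/a.docx.locked": datetime(2025, 6, 6, 20, 5, 30),   # before ARP snapshot
    "/finance/b.xlsx.locked": datetime(2025, 6, 6, 20, 9, 10),   # after ARP snapshot
    "/finance/c.pdf.locked": datetime(2025, 6, 1, 0, 10, 0),     # predates every snapshot
}

if __name__ == "__main__":
    for path, snap in plan_file_recovery(SNAPSHOTS, AFFECTED_FILES).items():
        print(f"{path}: restore from {snap if snap else 'no snapshot available'}")
```

The point of the per-file choice is that the ARP snapshot is only the right source for files encrypted after it was taken; files hit earlier, in the window before detection fired, have to come from an older scheduled snapshot, and a file with no earlier snapshot at all is reported rather than silently mapped to a copy that is already encrypted.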
Let’s Take a Look at How This Works!!!
After selecting the volume in the NetApp interface and opening the Security tab, we can see that the anti-ransomware feature is disabled.

We enable the feature. The system then analyzes the files within the volume to identify the existing file extensions; this analysis takes some time to complete.

Let’s summarize these steps as a short overview, without going into details.

You can view the data contained within the relevant volume in the list below.

To evaluate the feature’s functionality, we will conduct a controlled virtual attack simulation.

We check the Snapshot tab on the volume again to see whether the system has taken snapshots automatically.

We observe that the system has created a snapshot named ‘Anti_ransomware_backup.2025-06-06_2007’ and that the related files have been encrypted.

We restore from that snapshot and confirm that the files have been returned to their previous state.