Protecting your data with Autonomous Ransomware Protection

Autonomous Ransomware Protection (ARP) is a NetApp ONTAP AI-driven feature that monitors and protects your data against ransomware and malware attacks if your Windows or Linux clients become compromised. Using machine learning, ARP becomes familiar with your FSx for ONTAP file systems to proactively detect abnormal activity. ARP is available for all new and existing FSx for ONTAP file systems in all AWS Regions where Amazon FSx for NetApp ONTAP is available.

How ARP works

You can enable ARP on a per-volume basis or by default on all new volumes in an SVM using the ONTAP CLI or REST API. For more information about enabling ARP, see Enabling Autonomous Ransomware Protection.

ARP operates in two modes: learning and active. When you first enable ARP for your FSx for ONTAP volume, it runs in learning mode. In learning mode, ARP analyzes your workload access patterns. ONTAP automatically determines the optimal learning period based on your volume's workload, which might take up to 30 days. When it's done, ARP transitions to active mode.

In active mode, ARP monitors incoming data and activity on the volume to identify potential ransomware and malware attacks. For more information, see What ARP looks for.

If ARP detects any abnormal activity, an ONTAP snapshot is automatically created to help you recover your data as close as possible to the time of the potential attack. The snapshot will have a prefix of Anti_ransomware_backup, so it's easy to identify. If it's determined that the attack probability is moderate, ONTAP will generate an Events Management System (EMS) message for you to review. For more information, see How to respond to a suspected attack with ARP and Understanding EMS alerts for Autonomous Ransomware Protection.

The performance overhead for ARP is minimal for most workloads. If your volumes have read-intensive workloads, NetApp recommends protecting no more than 150 such volumes per file system. If you exceed this number, the IOPS for that workload might drop by up to 4%. If your volumes have write-intensive workloads, NetApp recommends protecting no more than 60 such volumes per file system. Otherwise, the IOPS for that workload might drop by up to 10%. For more information about performance, see Amazon FSx for NetApp ONTAP performance.

There is no additional cost for enabling ARP on your FSx for ONTAP file system.

What ARP looks for

ARP looks for signs that your Windows or Linux clients are compromised. Once ARP has learned about your FSx for ONTAP volume and switched to active mode, it looks for the following types of activity on the volume:

  • Changes in entropy, which means differences in the randomness of data in a file.

  • Changes in file extension types, which means that the new extension isn't consistent with the normally used extension type. The default is 20 files with file extensions not previously observed in the volume.

  • Changes in file IOPS, which means a surge in abnormal volume activity with encrypted data.

You can modify the ransomware detection parameters for your volume if necessary, for example, if your volume hosts many types of file extensions. For more information, see Manage ONTAP Autonomous Ransomware Protection attack detection parameters in the NetApp Documentation Center.
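To make the entropy and file-extension signals and the learning/active split concrete, the following is an added example, not AWS or NetApp code and not ARP's actual algorithm. It is a toy monitor that learns a baseline from constructed files and then flags deviations; the third signal, IOPS, is not modeled. The class and function names, the 2.0 bits-per-byte margin, and the 20-file entropy count are assumptions; only the 20-file new-extension default comes from this page.

```python
import hashlib
import math
import os
from collections import Counter

NEW_EXT_THRESHOLD = 20  # from the page: 20 files with extensions not seen before
ENTROPY_MARGIN = 2.0    # assumption: bits/byte above the learned mean counts as a jump
ENTROPY_FILES = 20      # assumption: high-entropy writes needed before flagging

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for plain text, close to 8 for encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class ToyVolumeMonitor:
    """Hypothetical monitor: learn a per-volume baseline, then flag deviations."""
    def __init__(self):
        self.learning, self.known_exts, self.entropies = True, set(), []
        self.baseline = self.new_ext_files = self.high_entropy_files = 0

    def observe(self, name: str, data: bytes) -> None:
        ext, h = os.path.splitext(name)[1].lower(), shannon_entropy(data)
        if self.learning:  # learning mode: record what normal looks like
            self.known_exts.add(ext)
            self.entropies.append(h)
            return
        self.new_ext_files += int(ext not in self.known_exts)
        self.high_entropy_files += int(h > self.baseline + ENTROPY_MARGIN)

    def activate(self) -> None:
        """End of the learning period: freeze the baseline, switch to active mode."""
        self.baseline = sum(self.entropies) / max(len(self.entropies), 1)
        self.learning = False

    def findings(self) -> list:
        hits = [("new_extensions", self.new_ext_files >= NEW_EXT_THRESHOLD),
                ("entropy", self.high_entropy_files >= ENTROPY_FILES)]
        return [name for name, fired in hits if fired]

def pseudo_ciphertext(seed: int) -> bytes:
    """Constructed stand-in for encrypted content (2048 hash-derived bytes)."""
    return b"".join(hashlib.sha256(bytes([seed, j])).digest() for j in range(64))

def run_demo(active_files) -> list:
    """Learn on constructed office-style files, then replay `active_files`."""
    mon = ToyVolumeMonitor()
    text = b"Quarterly report: revenue up, costs flat.\n" * 50
    for i in range(30):
        mon.observe(f"report_{i}.docx" if i % 2 else f"data_{i}.csv", text)
    mon.activate()
    for name, data in active_files:
        mon.observe(name, data)
    return mon.findings()
```

Replaying files that keep their `.docx` extension but carry high-entropy content fires only the entropy signal, which is why the page lists entropy and extension changes as separate indicators.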

Note

ARP doesn't prevent rogue administrators with credentials from accessing your FSx for ONTAP file system. AWS recommends a layered security approach including AWS Backup, ONTAP snapshots, and SnapLock.

How to respond to a suspected attack with ARP

If ARP detects an attack, it will generate a snapshot that can be used as a recovery point. The snapshot is locked and can't be deleted by normal means. Depending on the severity of the attack, it will also generate an EMS alert that shows the affected volume, the attack probability, and the attack timeline. If you want to receive alerts for the creation of a new snapshot or the observation of a new file extension on your volume, you can configure ARP to send these alerts. For more information, see Configure ARP alerts in the NetApp Documentation Center.

You can generate a report to view detailed information on a suspected attack. After you review the report, you can tell ONTAP if the alert was generated by a false positive or a suspected attack. If you label the alert as a suspected attack, you should determine the scope of the attack and then recover data from the ARP-created snapshot. If you label the attack as a false positive, the ARP-created snapshot is automatically deleted. For more information, see Responding to Autonomous Ransomware Protection alerts.

We recommend monitoring your file system's EMS messages and the status of your volumes in the ONTAP CLI and REST API. For more information about EMS messages for ARP, see Understanding EMS alerts for Autonomous Ransomware Protection.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.