Protecting NetApp ONTAP Workloads with Autonomous Ransomware Protection (ARP)
NetApp ONTAP provides built-in ransomware protection through Autonomous Ransomware Protection (ARP).
Rather than relying solely on traditional antivirus software, ARP analyzes workload behavior, detects anomalies that may indicate ransomware attacks, and creates dedicated recovery snapshots.
This post explains how ARP works, how to enable it, and what actually happens behind the scenes.
Native ONTAP Autonomous Ransomware Protection (ARP)
Beginning with ONTAP 9.10.1, ONTAP administrators can enable Autonomous Ransomware Protection (ARP) to perform workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack.
ARP is built directly into ONTAP, ensuring integrated control and coordination with ONTAP’s other features. ARP operates in real-time, processing data as it’s written to or read from the file system, and detecting and responding to potential ransomware attacks quickly.
ARP creates locked snapshots at regular intervals in addition to scheduled snapshots. Snapshot retention is adjusted dynamically: snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.
Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/index.html
Determine if ARP is enabled
Run the following command to see the ransomware protection state for your volumes:
matrixselect::> security anti-ransomware volume show

To check a specific volume on a particular Storage VM (SVM), filter the command like this:
matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

Enable ARP
Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.
You can enable ARP on NAS FlexVol volumes using System Manager or the ONTAP CLI. The process differs based on your ONTAP version.
Beginning with ONTAP 9.16.1, ARP/AI is active immediately with no learning period required.
# Enable matrixselect::> security anti-ransomware volume enable -vserver svm_matrix_cifs -volume vol_cifs_data01 # Verify: matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

ARP Locked Snapshots
ARP creates locked snapshots at regular intervals in addition to scheduled snapshots.
Snapshot retention is adjusted dynamically.
Snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.
The ARP snapshots are normal ONTAP snapshots with a special naming convention, so we can list them. as usual by running the following command.
There isn’t a separate locked column in the standard snapshot listing. The lock is an internal protection mechanism used by ARP.
This is exactly the naming convention introduced in newer ONTAP releases.
NetApp distinguishes between:Anti_ransomware_periodic_backup…Anti_ransomware_attack_backup…The first is a periodic ARP snapshot, while the second would be created in response to a suspected ransomware attack.
matrixselect::> volume snapshot show -vserver svm_matrix_cifs -volume vol_cifs_data01

In ONTAP 9.18.1, ARP creates dedicated Anti_ransomware_* snapshots with an automatically managed expiry time. Although they appear as regular Snapshot copies, they are protected by the ARP subsystem and cannot be deleted while still referenced by the anti-ransomware process.
matrixselect::> volume snapshot delete -vserver svm_matrix_cifs -volume vol_cifs_data01 -snapshot Anti_ransomware_periodic_backup.2026-07-11_1515

Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/
Disable ARP
To disable Autonomous Ransomware Protection (ARP) for a volume, run the command below. The operation is performed asynchronously, and the volume temporarily enters the disable-in-progress state before ARP is fully disabled.
# Disable ARP matrixselect::> security anti-ransomware volume disable -vserver svm_matrix_cifs -volume vol_cifs_data01 # Verify matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

After a few minutes, the asynchronous operation completed and the volume state changed from
disable-in-progresstodisabled, indicating that Autonomous Ransomware Protection (ARP) had been successfully disabled.

Verifying Autonomous Ransomware Protection Licensing
ARP licensing can be verified using the system license show command. On my ONTAP Select 9.18.1 lab, the feature is provided by the dedicated Anti_ransomware license package, which is listed as enabled.
matrixselect::> system license show matrixselect::> system license show -package Anti_ransomware

Links
Learn about ONTAP Autonomous Ransomware Protection
https://docs.netapp.com/us-en/ontap/anti-ransomware/Enable ONTAP Autonomous Ransomware Protection on a volume
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-task.htmlEnable ONTAP Autonomous Ransomware Protection by default in new volumes
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-default-task.htmlOpt out of ONTAP Autonomous Ransomware Protection default enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/default-enable-change.htmlSwitch to active mode in ONTAP ARP after a learning period
https://docs.netapp.com/us-en/ontap/anti-ransomware/switch-learning-to-active-mode.htmlSecurity and data encryption
https://docs.netapp.com/us-en/ontap/security-encryption/index.htmlLicenses and enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/
Tags In
Related Posts
Latest posts
How Multicast Traffic Works in VMware vSphere – Testing VSS (Basic Multicast Filtering) vs VDS (IGMP/MLD Snooping) with Video Streaming – Part 2
Follow me on LinkedIn
