NetApp ONTAP provides built-in ransomware protection through Autonomous Ransomware Protection (ARP).

Rather than relying solely on traditional antivirus software, ARP analyzes workload behavior, detects anomalies that may indicate ransomware attacks, and creates dedicated recovery snapshots.

This post explains how ARP works, how to enable it, and what actually happens behind the scenes.



Native ONTAP Autonomous Ransomware Protection (ARP)

Beginning with ONTAP 9.10.1, ONTAP administrators can enable Autonomous Ransomware Protection (ARP) to perform workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack.

ARP is built directly into ONTAP, ensuring integrated control and coordination with ONTAP’s other features. ARP operates in real-time, processing data as it’s written to or read from the file system, and detecting and responding to potential ransomware attacks quickly.

ARP creates locked snapshots at regular intervals in addition to scheduled snapshots. Snapshot retention is adjusted dynamically: snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.


Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/index.html

Determine if ARP is enabled

Run the following command to see the ransomware protection state for your volumes:

matrixselect::> security anti-ransomware volume show


To check a specific volume on a particular Storage VM (SVM), filter the command like this:

matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

Enable ARP

Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.

You can enable ARP on NAS FlexVol volumes using System Manager or the ONTAP CLI. The process differs based on your ONTAP version.

Beginning with ONTAP 9.16.1, ARP/AI is active immediately with no learning period required.

# Enable
matrixselect::> security anti-ransomware volume enable -vserver svm_matrix_cifs -volume vol_cifs_data01

# Verify:
matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

ARP Locked Snapshots

ARP creates locked snapshots at regular intervals in addition to scheduled snapshots.

Snapshot retention is adjusted dynamically.

Snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.


The ARP snapshots are normal ONTAP snapshots with a special naming convention, so we can list them. as usual by running the following command.

There isn’t a separate locked column in the standard snapshot listing. The lock is an internal protection mechanism used by ARP.

This is exactly the naming convention introduced in newer ONTAP releases.
NetApp distinguishes between:
Anti_ransomware_periodic_backup…
Anti_ransomware_attack_backup…

The first is a periodic ARP snapshot, while the second would be created in response to a suspected ransomware attack.


matrixselect::> volume snapshot show -vserver svm_matrix_cifs -volume vol_cifs_data01


In ONTAP 9.18.1, ARP creates dedicated Anti_ransomware_* snapshots with an automatically managed expiry time. Although they appear as regular Snapshot copies, they are protected by the ARP subsystem and cannot be deleted while still referenced by the anti-ransomware process.

matrixselect::> volume snapshot delete -vserver svm_matrix_cifs -volume vol_cifs_data01 -snapshot Anti_ransomware_periodic_backup.2026-07-11_1515


Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/

Disable ARP

To disable Autonomous Ransomware Protection (ARP) for a volume, run the command below. The operation is performed asynchronously, and the volume temporarily enters the disable-in-progress state before ARP is fully disabled.

# Disable ARP
matrixselect::> security anti-ransomware volume disable -vserver svm_matrix_cifs -volume vol_cifs_data01

# Verify
matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01


After a few minutes, the asynchronous operation completed and the volume state changed from disable-in-progress to disabled, indicating that Autonomous Ransomware Protection (ARP) had been successfully disabled.

Verifying Autonomous Ransomware Protection Licensing

ARP licensing can be verified using the system license show command. On my ONTAP Select 9.18.1 lab, the feature is provided by the dedicated Anti_ransomware license package, which is listed as enabled.

matrixselect::> system license show
matrixselect::> system license show -package Anti_ransomware

Links

Learn about ONTAP Autonomous Ransomware Protection
https://docs.netapp.com/us-en/ontap/anti-ransomware/

Enable ONTAP Autonomous Ransomware Protection on a volume
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-task.html

Enable ONTAP Autonomous Ransomware Protection by default in new volumes
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-default-task.html

Opt out of ONTAP Autonomous Ransomware Protection default enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/default-enable-change.html

Switch to active mode in ONTAP ARP after a learning period
https://docs.netapp.com/us-en/ontap/anti-ransomware/switch-learning-to-active-mode.html

Security and data encryption
https://docs.netapp.com/us-en/ontap/security-encryption/index.html

Licenses and enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/