This post is Part 1 of a three-part series about NetApp ONTAP Autonomous Ransomware Protection (ARP).

NetApp ONTAP provides built-in ransomware protection through Autonomous Ransomware Protection (ARP). Rather than relying solely on traditional antivirus software, ARP analyzes workload behavior, detects anomalies that may indicate ransomware attacks, and automatically creates dedicated recovery snapshots.

ARP does not prevent ransomware from encrypting files in the first place. Instead, it is primarily a detection and recovery technology designed to identify ransomware-like activity and preserve recovery points that can be used to restore affected data.

In this first part, we’ll explore the fundamentals of ARP, including how it works, how to enable it, licensing requirements, and the protection mechanisms operating behind the scenes. In Part 2 (coming soon), we’ll validate ARP in a VMware vSphere lab by simulating a ransomware attack against a VMFS datastore backed by an ONTAP iSCSI LUN.

Finally, Part 3 (coming soon) will cover the NetApp Console Ransomware Resilience service, which extends native ARP with centralized protection, orchestration, and recovery capabilities.



Native ONTAP Autonomous Ransomware Protection (ARP)

Beginning with ONTAP 9.10.1, ONTAP administrators can enable Autonomous Ransomware Protection (ARP) to perform workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack.

ARP is built directly into ONTAP, ensuring integrated control and coordination with ONTAP’s other features. ARP operates in real-time, processing data as it’s written to or read from the file system, and detecting and responding to potential ransomware attacks quickly.

ARP creates locked snapshots at regular intervals in addition to scheduled snapshots. Snapshot retention is adjusted dynamically: snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.


Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/index.html

Determine if ARP is enabled

Run the following command to see the ransomware protection state for your volumes:

matrixselect::> security anti-ransomware volume show


To check a specific volume on a particular Storage VM (SVM), filter the command like this:

matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

Enable ARP

Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.

You can enable ARP on NAS FlexVol volumes using System Manager or the ONTAP CLI. The process differs based on your ONTAP version.

Beginning with ONTAP 9.16.1, ARP/AI is active immediately with no learning period required.

# Enable
matrixselect::> security anti-ransomware volume enable -vserver svm_matrix_cifs -volume vol_cifs_data01

# Verify:
matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01


We can also enable or disable ARP on a NAS volume by using the ONTAP System Manager.


Below, for example, I selected the root volume of the CIFS SVM, where Autonomous Ransomware Protection (ARP) is not supported.

Anti-ransomware isn’t supported for offline volumes, restricted volumes, mixed state volumes, SnapLock volumes, FlexCache volumes, volumes of stopped storage VMs, or root volumes of storage VMs.

ARP Locked Snapshots

ARP creates locked snapshots at regular intervals in addition to scheduled snapshots.

Snapshot retention is adjusted dynamically.

Snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.


The ARP snapshots are normal ONTAP snapshots with a special naming convention, so we can list them. as usual by running the following command.

There isn’t a separate locked column in the standard snapshot listing. The lock is an internal protection mechanism used by ARP.

This is exactly the naming convention introduced in newer ONTAP releases.
NetApp distinguishes between:
Anti_ransomware_periodic_backup…
Anti_ransomware_attack_backup…

The first is a periodic ARP snapshot, while the second would be created in response to a suspected ransomware attack.


matrixselect::> volume snapshot show -vserver svm_matrix_cifs -volume vol_cifs_data01


In ONTAP 9.18.1, ARP creates dedicated Anti_ransomware_* snapshots with an automatically managed expiry time. Although they appear as regular Snapshot copies, they are protected by the ARP subsystem and cannot be deleted while still referenced by the anti-ransomware process.

matrixselect::> volume snapshot delete -vserver svm_matrix_cifs -volume vol_cifs_data01 -snapshot Anti_ransomware_periodic_backup.2026-07-11_1515


Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/

Disable ARP

To disable Autonomous Ransomware Protection (ARP) for a volume, run the command below. The operation is performed asynchronously, and the volume temporarily enters the disable-in-progress state before ARP is fully disabled.

# Disable ARP
matrixselect::> security anti-ransomware volume disable -vserver svm_matrix_cifs -volume vol_cifs_data01

# Verify
matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01


After a few minutes, the asynchronous operation completed and the volume state changed from disable-in-progress to disabled, indicating that Autonomous Ransomware Protection (ARP) had been successfully disabled.

ONTAP Autonomous Ransomware Protection Auto Enablement

Beginning with ONTAP 9.18.1, Autonomous Ransomware Protection (ARP) is automatically enabled by default on all new volumes for AFF A-series and AFF C-series, ASA, and ASA r2 systems after a 12-hour warmup period following an upgrade or new installation, provided an ARP license is installed. You can opt out of this default enablement during or after the 12-hour grace period using System Manager or the ONTAP CLI.


In my lab I will use ONTAP Select version 9.18.1 on which auto-enable is not enabled by default.

matrixselect::> version


We can check the default enablement status by running:

matrixselect::> security anti-ransomware auto-enable show


We can enable default enablement for new volumes by running:

matrixselect::> security anti-ransomware auto-enable modify -new-volume-auto-enable true

# to disable
matrixselect::> security anti-ransomware auto-enable modify -new-volume-auto-enable false


Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/default-enable-change.html

Verifying Autonomous Ransomware Protection Licensing

ARP licensing can be verified using the system license show command. On my ONTAP Select 9.18.1 lab, the feature is provided by the dedicated Anti_ransomware license package, which is listed as enabled.

matrixselect::> system license show
matrixselect::> system license show -package Anti_ransomware

Links

Learn about ONTAP Autonomous Ransomware Protection
https://docs.netapp.com/us-en/ontap/anti-ransomware/

Enable ONTAP Autonomous Ransomware Protection on a volume
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-task.html

Enable ONTAP Autonomous Ransomware Protection by default in new volumes
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-default-task.html

Opt out of ONTAP Autonomous Ransomware Protection default enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/default-enable-change.html

Switch to active mode in ONTAP ARP after a learning period
https://docs.netapp.com/us-en/ontap/anti-ransomware/switch-learning-to-active-mode.html

Security and data encryption
https://docs.netapp.com/us-en/ontap/security-encryption/index.html

Licenses and enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/

Autonomous Ransomware Protection for NFS and VMFS
https://docs.netapp.com/us-en/netapp-solutions-virtualization/vmware/vmw-arp-nfs-vmfs.html

Restore data from ONTAP ARP snapshots after a ransomware attack
https://docs.netapp.com/us-en/ontap/anti-ransomware/recover-data-task.html