Protecting NetApp ONTAP Workloads with Autonomous Ransomware Protection (ARP) – Part 1 – Fundamentals
This post is Part 1 of a three-part series about NetApp ONTAP Autonomous Ransomware Protection (ARP).
NetApp ONTAP provides built-in ransomware protection through Autonomous Ransomware Protection (ARP). Rather than relying solely on traditional antivirus software, ARP analyzes workload behavior, detects anomalies that may indicate ransomware attacks, and automatically creates dedicated recovery snapshots.
ARP does not prevent ransomware from encrypting files in the first place. Instead, it is primarily a detection and recovery technology designed to identify ransomware-like activity and preserve recovery points that can be used to restore affected data.
In this first part, we’ll explore the fundamentals of ARP, including how it works, how to enable it, licensing requirements, and the protection mechanisms operating behind the scenes. In Part 2 (coming soon), we’ll validate ARP in a VMware vSphere lab by simulating a ransomware attack against a VMFS datastore backed by an ONTAP iSCSI LUN.
Finally, Part 3 (coming soon) will cover the NetApp Console Ransomware Resilience service, which extends native ARP with centralized protection, orchestration, and recovery capabilities.
Native ONTAP Autonomous Ransomware Protection (ARP)
Beginning with ONTAP 9.10.1, ONTAP administrators can enable Autonomous Ransomware Protection (ARP) to perform workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack.
ARP is built directly into ONTAP, ensuring integrated control and coordination with ONTAP’s other features. ARP operates in real-time, processing data as it’s written to or read from the file system, and detecting and responding to potential ransomware attacks quickly.
ARP creates locked snapshots at regular intervals in addition to scheduled snapshots. Snapshot retention is adjusted dynamically: snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.
Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/index.html
Determine if ARP is enabled
Run the following command to see the ransomware protection state for your volumes:
matrixselect::> security anti-ransomware volume show

To check a specific volume on a particular Storage VM (SVM), filter the command like this:
matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

Enable ARP
Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.
You can enable ARP on NAS FlexVol volumes using System Manager or the ONTAP CLI. The process differs based on your ONTAP version.
Beginning with ONTAP 9.16.1, ARP/AI is active immediately with no learning period required.
# Enable matrixselect::> security anti-ransomware volume enable -vserver svm_matrix_cifs -volume vol_cifs_data01 # Verify: matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

We can also enable or disable ARP on a NAS volume by using the ONTAP System Manager.

Below, for example, I selected the root volume of the CIFS SVM, where Autonomous Ransomware Protection (ARP) is not supported.
Anti-ransomware isn’t supported for offline volumes, restricted volumes, mixed state volumes, SnapLock volumes, FlexCache volumes, volumes of stopped storage VMs, or root volumes of storage VMs.

ARP Locked Snapshots
ARP creates locked snapshots at regular intervals in addition to scheduled snapshots.
Snapshot retention is adjusted dynamically.
Snapshots are recycled quickly when no unusual activity is detected, and snapshots taken before a detected attack are retained longer for investigation and recovery.
The ARP snapshots are normal ONTAP snapshots with a special naming convention, so we can list them. as usual by running the following command.
There isn’t a separate locked column in the standard snapshot listing. The lock is an internal protection mechanism used by ARP.
This is exactly the naming convention introduced in newer ONTAP releases.
NetApp distinguishes between:Anti_ransomware_periodic_backup…Anti_ransomware_attack_backup…The first is a periodic ARP snapshot, while the second would be created in response to a suspected ransomware attack.
matrixselect::> volume snapshot show -vserver svm_matrix_cifs -volume vol_cifs_data01

In ONTAP 9.18.1, ARP creates dedicated Anti_ransomware_* snapshots with an automatically managed expiry time. Although they appear as regular Snapshot copies, they are protected by the ARP subsystem and cannot be deleted while still referenced by the anti-ransomware process.
matrixselect::> volume snapshot delete -vserver svm_matrix_cifs -volume vol_cifs_data01 -snapshot Anti_ransomware_periodic_backup.2026-07-11_1515

Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/
Disable ARP
To disable Autonomous Ransomware Protection (ARP) for a volume, run the command below. The operation is performed asynchronously, and the volume temporarily enters the disable-in-progress state before ARP is fully disabled.
# Disable ARP matrixselect::> security anti-ransomware volume disable -vserver svm_matrix_cifs -volume vol_cifs_data01 # Verify matrixselect::> security anti-ransomware volume show -vserver svm_matrix_cifs -volume vol_cifs_data01

After a few minutes, the asynchronous operation completed and the volume state changed from
disable-in-progresstodisabled, indicating that Autonomous Ransomware Protection (ARP) had been successfully disabled.

ONTAP Autonomous Ransomware Protection Auto Enablement
Beginning with ONTAP 9.18.1, Autonomous Ransomware Protection (ARP) is automatically enabled by default on all new volumes for AFF A-series and AFF C-series, ASA, and ASA r2 systems after a 12-hour warmup period following an upgrade or new installation, provided an ARP license is installed. You can opt out of this default enablement during or after the 12-hour grace period using System Manager or the ONTAP CLI.
In my lab I will use ONTAP Select version 9.18.1 on which auto-enable is not enabled by default.
matrixselect::> version

We can check the default enablement status by running:
matrixselect::> security anti-ransomware auto-enable show

We can enable default enablement for new volumes by running:
matrixselect::> security anti-ransomware auto-enable modify -new-volume-auto-enable true # to disable matrixselect::> security anti-ransomware auto-enable modify -new-volume-auto-enable false

Source: https://docs.netapp.com/us-en/ontap/anti-ransomware/default-enable-change.html
Verifying Autonomous Ransomware Protection Licensing
ARP licensing can be verified using the system license show command. On my ONTAP Select 9.18.1 lab, the feature is provided by the dedicated Anti_ransomware license package, which is listed as enabled.
matrixselect::> system license show matrixselect::> system license show -package Anti_ransomware

Links
Learn about ONTAP Autonomous Ransomware Protection
https://docs.netapp.com/us-en/ontap/anti-ransomware/Enable ONTAP Autonomous Ransomware Protection on a volume
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-task.htmlEnable ONTAP Autonomous Ransomware Protection by default in new volumes
https://docs.netapp.com/us-en/ontap/anti-ransomware/enable-default-task.htmlOpt out of ONTAP Autonomous Ransomware Protection default enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/default-enable-change.htmlSwitch to active mode in ONTAP ARP after a learning period
https://docs.netapp.com/us-en/ontap/anti-ransomware/switch-learning-to-active-mode.htmlSecurity and data encryption
https://docs.netapp.com/us-en/ontap/security-encryption/index.htmlLicenses and enablement
https://docs.netapp.com/us-en/ontap/anti-ransomware/Autonomous Ransomware Protection for NFS and VMFS
https://docs.netapp.com/us-en/netapp-solutions-virtualization/vmware/vmw-arp-nfs-vmfs.htmlRestore data from ONTAP ARP snapshots after a ransomware attack
https://docs.netapp.com/us-en/ontap/anti-ransomware/recover-data-task.html
Tags In
Latest posts
Protecting NetApp ONTAP Workloads with Autonomous Ransomware Protection (ARP) – Part 1 – Fundamentals
Follow me on LinkedIn
