
Prevent ransomware spread with ONTAP automatic ransomware protection

New anti-ransomware automatic detection feature included in the latest release of the NetApp ONTAP data management software.

Matt Trudewind

Everyone knows that a ransomware attack is one of the top cybersecurity threats an organization can face. The potential damage is not just the direct associated recovery costs (which increased 241% between 2019 and 2020, according to Sophos); it’s also the impact on the company’s reputation and brand. Fortunately, NetApp has been helping our customers protect themselves from ransomware for years, in both detection and remediation. I covered this subject in my blog series, Fighting Ransomware. Today, our already strong protection capabilities are taking an additional leap forward with the announcement of the new anti-ransomware automatic detection feature in the latest release of NetApp® ONTAP® data management software.

Ransomware protection requires more than just detection, which is why ONTAP includes comprehensive recovery capabilities like a logical air gap and many others. You can learn about these remediation features in Fighting Ransomware, Part Six. In this blog, I’ll focus on detection and on recent innovations in ONTAP.

Layered defense, the right approach to ransomware detection

It’s important for ransomware detection to occur as early as possible so that you can prevent its spread and avoid costly downtime. However, an effective ransomware detection strategy should include more than a single layer of protection. A good analogy is the safety features of a vehicle for protection in a crash. You wouldn’t want to rely on a single feature, such as a seatbelt, to protect you in an accident. Air bags, antilock brakes, and even forward-collision warning are additional safety features that can result in a much better outcome. Ransomware protection should be viewed in the same way.

For example, NetApp FPolicy combined with NetApp Cloud Insights (or similar capabilities from our partners) does an excellent job of detecting ransomware via user behavioral analytics (UBA). UBA looks for potential ransomware attacks from the perspective of an individual user’s behavior. Hijacking a single user account is just one avenue a hacker might take when launching a ransomware attack; malicious actors are constantly evolving their attack techniques.

NetApp Active IQ® and Active IQ Unified Manager also provide additional layers of detection for ransomware. Active IQ checks ONTAP systems for adherence to NetApp configuration best practices like enabling FPolicy. Active IQ Unified Manager generates alerts for abnormal growth of NetApp Snapshot™ copies or storage efficiency loss, which can indicate potential ransomware attacks.

This is where the new anti-ransomware feature in the latest release of ONTAP comes into play. It leverages built-in, on-box machine learning (ML) that looks at volume workload activity plus data entropy to automatically detect ransomware. It watches for a different class of activity than UBA does, so it may detect attacks that UBA does not.

On-box machine learning and automatic detection

ONTAP anti-ransomware protection is provided as part of the Security and Compliance software bundle. Customers who already have the bundle only need to upgrade to the latest ONTAP version (9.10.1) to take advantage of the feature. It’s configurable via the ONTAP built-in management interface, System Manager, and is enabled on a per-volume basis.

The anti-ransomware feature starts off in learning mode. NetApp recommends a learning period of at least 30 days, so that the ML gets a chance to understand the typical workloads on the NAS volumes. Once anti-ransomware is put into active mode, it starts looking for abnormal volume activity that might indicate ransomware.

If abnormal activity is detected, an automatic Snapshot copy is immediately taken, which provides a restoration point as close as possible to the file infection. Simultaneously, an automatic alert is generated that allows administrators to see the abnormal file activity so that they can determine whether the activity is indeed malicious and take appropriate action. Or, if the activity was an expected workload, they can easily mark it as a false positive; the anti-ransomware ML notes the change in workload and no longer flags it as a potential attack. In addition, the feature does not disrupt I/O in any way. Instead, it provides administrators with native analytics, insights, and data recovery capabilities for unprecedented on-box ransomware detection. The anti-ransomware feature makes it easier than ever to enable automatic ransomware detection for your NAS workloads in ONTAP.
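To make the learning-mode/active-mode lifecycle and the "workload activity plus data entropy" idea concrete, here is an added illustration in Python. It is not NetApp's ONTAP anti-ransomware code: the page does not document ONTAP's on-box ML, its metrics or its thresholds, so the per-volume baseline (mean plus three standard deviations over accepted history), the three metrics, the `VolumeDetector` class, the `.arw.N` Snapshot naming and every activity window below are assumptions constructed for this example. What it does show is the behaviour the text describes: a detector that learns for a minimum number of windows, then on anomalous activity takes a "Snapshot" and raises an alert without touching I/O, and that stops flagging a workload once an administrator marks it as a false positive while still catching a later mass-rename burst.

```python
"""Toy model of learning-mode baselining followed by active-mode detection on
per-volume write activity and data entropy.  Added example, NOT NetApp's ONTAP
implementation; metrics, thresholds and sample windows are assumptions."""
import math
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for repetitive plaintext, 8.0 for data that
    looks uniformly random.  Encrypted ransomware output clusters near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class Window:
    """Activity observed on one volume during one observation window
    (a day, an hour, ... whatever the collector aggregates over)."""
    writes: int               # file write / create operations
    extension_changes: int    # renames that changed the file extension
    mean_entropy: float       # average entropy of bytes written, 0..8

    def metrics(self) -> Dict[str, float]:
        return {"writes": float(self.writes),
                "extension_changes": float(self.extension_changes),
                "mean_entropy": self.mean_entropy}


class VolumeDetector:
    """Per-volume detector with the learning -> active lifecycle (assumed)."""

    def __init__(self, volume: str, snapshot_cb: Callable[[str], str],
                 alert_cb: Callable[[str, Window, str], None],
                 k: float = 3.0, min_windows: int = 30):
        self.volume, self.snapshot_cb, self.alert_cb = volume, snapshot_cb, alert_cb
        self.k, self.min_windows = k, min_windows
        self.mode = "learning"
        self.accepted: List[Window] = []   # learned plus admin-accepted windows

    def _ceiling(self, name: str) -> float:
        """Upper bound of 'normal' for one metric: mean + k*stdev over accepted
        history, never below the largest value an admin has accepted."""
        values = [w.metrics()[name] for w in self.accepted]
        return max(statistics.fmean(values) + self.k * statistics.pstdev(values),
                   max(values))

    def activate(self) -> bool:
        """Leave learning mode only once enough history exists (30 windows here
        stand in for the recommended 30-day learning period)."""
        if len(self.accepted) < self.min_windows:
            return False
        self.mode = "active"
        return True

    def is_anomalous(self, w: Window) -> bool:
        m = w.metrics()
        mass_renames = m["extension_changes"] > self._ceiling("extension_changes")
        high_entropy_burst = (m["writes"] > self._ceiling("writes")
                              and m["mean_entropy"] > self._ceiling("mean_entropy"))
        return mass_renames or high_entropy_burst

    def observe(self, w: Window) -> Optional[str]:
        """Feed one window; returns the Snapshot name if protection fired.
        I/O is never blocked: the detector only snapshots and alerts."""
        if self.mode == "learning":
            self.accepted.append(w)
            return None
        if not self.is_anomalous(w):
            return None
        snap = self.snapshot_cb(self.volume)
        self.alert_cb(self.volume, w, snap)
        return snap

    def mark_false_positive(self, w: Window) -> None:
        """Admin confirms an expected workload; windows like it pass from now on."""
        self.accepted.append(w)


def demo() -> Dict[str, object]:
    """Constructed scenario: learn, catch an attack, accept a backup job,
    confirm the backup no longer alerts but a later attack still does."""
    snapshots: List[str] = []
    alerts: List[tuple] = []

    def take_snapshot(volume: str) -> str:        # stands in for an ONTAP Snapshot copy
        snapshots.append(f"{volume}.arw.{len(snapshots) + 1}")   # constructed naming
        return snapshots[-1]

    det = VolumeDetector("vol_finance", take_snapshot,
                         lambda v, w, s: alerts.append((v, w, s)))
    activate_early = det.activate()               # refused: no history yet
    for i in range(30):                           # steady office-document workload
        det.observe(Window(writes=50 + i % 5, extension_changes=i % 2,
                           mean_entropy=4.0 + 0.1 * (i % 3)))
    det.activate()
    normal = det.observe(Window(53, 1, 4.1))
    attack = det.observe(Window(400, 350, shannon_entropy(bytes(range(256)))))
    backup = Window(300, 0, 7.8)                  # compressing backup job, legitimate
    backup_first = det.observe(backup)
    det.mark_false_positive(backup)
    backup_after = det.observe(backup)
    attack_after = det.observe(Window(450, 420, 7.95))
    return {"activate_early": activate_early, "normal": normal, "attack": attack,
            "backup_first": backup_first, "backup_after_accept": backup_after,
            "attack_after_accept": attack_after, "alerts": len(alerts)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Marking a false positive raises the accepted ceiling for that workload's metrics rather than retraining the whole baseline, because a single accepted outlier barely moves a mean-plus-three-sigma threshold and the same backup job would keep alerting; and the mass-rename signal is checked independently of the entropy signal, so accepting a high-entropy backup does not blind the detector to an extension-rewriting burst.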

Ransomware has evolved, and detection has too

Two things are clear: Ransomware is a continuous threat that shows no signs of slowing down, and it must be dealt with in a holistic way. The methods that hackers use are only going to evolve in the future. That’s why NetApp is constantly evolving our ransomware protection capabilities too! By adding additional layers of detection, you can be better prepared when a ransomware attack strikes. NetApp delivers a leading range of detection capabilities, such as the new on-box anti-ransomware machine learning with automatic alerting, in addition to automatic Snapshot copies, NetApp FPolicy, Cloud Insights, Active IQ, and Active IQ Unified Manager.

Remember too that ransomware detection is just one part of an overall ransomware protection strategy that also includes recovery. ONTAP Snapshot and recovery capabilities, along with SnapLock®, our logical air gap solution, are key to avoiding costly downtime, preventing damage to brand reputation, and avoiding paying the ransom.

You can learn more about the NetApp portfolio in the blog Power Your Ransomware Protection with NetApp.

For more detailed information about the comprehensive ransomware capabilities in ONTAP, check out my Fighting Ransomware blog series.

Matt Trudewind

Now on his second tour at NetApp across 10 years, Matt is a Security Evangelist with a primary focus on ransomware prevention and recovery, cyber resiliency, and data-centric portfolio security. This includes, but is not limited to, Zero Trust, data governance and privacy frameworks, security tools, and security best practices. Prior to this, Matt held the dual role of Product Manager and Technical Marketing Engineer for ONTAP Security, driving the latest security features and capabilities into NetApp’s flagship product. He has also held the position of Staff Engineer at NetApp, during which he focused on ONTAP product supportability, specifically in the areas of networking and SMB/CIFS. In between NetApp stints, Matt worked with a NetApp partner (Eze Castle Integration) for 7 years as a pre-sales/post-sales storage architect focusing on early 7-Mode to cDOT migration. He has also focused on Microsoft Windows Active Directory, Exchange, SQL, and VMware during his 23 years of IT experience, with 17 of those years in the storage industry. Prior to NetApp and ECI, Matt worked a contract at Microsoft as a Technical Support Engineer.
