What actions can be taken in ONTAP to prevent the spread of ransomware infections?
Applies to
- ONTAP 9.10.1
- ONTAP Autonomous Ransomware Protection (ARP)
Answer
Work with your Security Team to identify and remediate the source of the ransomware attack.
Phase 1: Detection and Initial Response
- Use ARP to detect abnormal file activity: ARP monitors workload behavior and can trigger alerts and snapshots upon detection.
- Proactively enable CIFS / NAS auditing to trace abnormal file share activity.
- Use Data Infrastructure Insights, which integrates ARP events and FPolicy, to monitor ARP alerts and abnormal client access activity.
Phase 2: Containment Measures to Prevent Further Ransomware Propagation
- Stop accepting new client access (New Sessions)
  - CIFS
    - Verify existing CIFS shares:
      vserver cifs share show
    - Stop CIFS share access:
      vserver cifs share delete
  - NFS
    - Identify active NFS locks:
      vserver locks show -vserver <vserver> -volume <volume> -protocol nfs*
    Note: Clients holding a large number of locks are likely candidates for infection sources and should be prioritized for blocking.
- Block access from specific clients
  - Modify the existing export policy, or create a new deny rule:
    vserver export-policy rule modify -clientmatch <client IP or subnet> -rorule none -rwrule none
    vserver export-policy rule create -clientmatch <client IP or subnet> -rorule none -rwrule none
  Note: NFS does not provide strong session-level disconnection capabilities; even after export-policy restrictions are applied, existing client I/O may continue for a period of time. To fully stop I/O, volume isolation (see "Volume Isolation" below) is recommended.
- Terminate Existing CIFS Sessions
  - Identify active CIFS sessions and locks:
    vserver cifs session show -vserver <vserver>
    vserver locks show -vserver <vserver> -volume <volume> -protocol cifs
  - Terminate specific sessions (by user, client, or file access).
- Stop CIFS / NFS Services
    vserver cifs stop -vserver <vserver>
    vserver nfs stop -vserver <vserver>
- Volume Isolation:
  - Take the affected volume offline to stop all I/O:
    volume offline -vserver <vserver> -volume <volume>
- Data LIF Isolation:
  - Identify data LIFs:
    network interface show -role data
  - Disable data LIFs:
    network interface modify -status-admin down -vserver <vserver> -lif <data LIF>
- (Optional) Intercluster LIF Isolation:
  WARNING: Intercluster LIFs are dedicated logical interfaces used for cross-cluster communication, enabling SnapMirror/SnapVault replication, NDMP backup, cluster peering, and data transport to external object storage (e.g., FabricPool/cloud). Connections over an intercluster LIF fail while the LIF is disabled.
  - Purpose: prevent any further data replication or propagation of potentially compromised data.
  - Identify intercluster LIFs:
    network interface show -role intercluster
  - Disable intercluster LIFs:
    network interface modify -status-admin down -vserver <vserver> -lif <intercluster LIF>
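The note under "Identify active NFS locks" says that clients holding many locks are the first candidates for blocking. The following added example (written for this page, not NetApp's or ONTAP's own code) turns that triage step into a script: it parses saved lock-listing text and ranks clients by lock count so the containment commands above can be applied to the right -clientmatch values first. The sample text is constructed, not captured from a real system; its column layout, the assumption that object paths contain no spaces, and the "3 or more locks" threshold are all assumptions made for the example.

```python
"""Rank NAS clients by the number of locks they hold, from saved lock-listing
output, to prioritise which clients to block first during containment."""
import re
from collections import Counter, defaultdict

# Constructed sample (not real capture). The layout approximates the tabular
# form of "vserver locks show"; this is an assumption, not an ONTAP guarantee.
SAMPLE_LOCKS = """\
Vserver: svm1
Volume  Object Path                  LIF   Protocol  Lock Type    Client
------- ---------------------------- ----- --------- ------------ ------------
vol1    /vol1/finance/q1.xlsx        lif1  cifs      share-level  10.0.0.21
vol1    /vol1/finance/q1.xlsx.locked lif1  cifs      byte-range   10.0.0.21
vol1    /vol1/finance/q2.xlsx        lif1  cifs      share-level  10.0.0.21
vol1    /vol1/hr/payroll.docx        lif1  cifs      share-level  10.0.0.21
vol1    /vol1/eng/spec.md            lif2  nfs       byte-range   10.0.0.42
vol2    /vol2/home/alice/notes.txt   lif1  cifs      share-level  10.0.0.77
"""

# One lock row: volume, path, LIF, protocol, lock type, client.
# Assumes whitespace-free paths (an assumption for this example).
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(cifs|nfs\w*)\s+(\S+)\s+(\S+)\s*$")


def parse_locks(text):
    """Return one dict per lock row, carrying the current Vserver name."""
    vserver = None
    rows = []
    for line in text.splitlines():
        if line.startswith("Vserver:"):
            vserver = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Volume") or line.startswith("---"):
            continue  # column header / separator
        match = ROW_RE.match(line)
        if not match:
            continue  # blank or unrecognised line
        volume, path, lif, protocol, lock_type, client = match.groups()
        rows.append({"vserver": vserver, "volume": volume, "path": path,
                     "lif": lif, "protocol": protocol,
                     "lock_type": lock_type, "client": client})
    return rows


def rank_clients(rows, min_locks=3):
    """Count locks per client and flag those at or above min_locks.

    Returns a list ordered by lock count (highest first); each entry records
    the protocols the client used and how many distinct files it touched,
    which helps decide between an export-policy rule (NFS) and a CIFS
    session termination."""
    per_client = Counter(r["client"] for r in rows)
    protocols = defaultdict(set)
    files = defaultdict(set)
    for r in rows:
        protocols[r["client"]].add(r["protocol"])
        files[r["client"]].add(r["path"])
    ranked = []
    for client, count in per_client.most_common():
        ranked.append({"client": client,
                       "locks": count,
                       "protocols": sorted(protocols[client]),
                       "distinct_files": len(files[client]),
                       "flagged": count >= min_locks})
    return ranked


if __name__ == "__main__":
    for entry in rank_clients(parse_locks(SAMPLE_LOCKS)):
        marker = "REVIEW FIRST" if entry["flagged"] else ""
        print(f'{entry["client"]:<14} locks={entry["locks"]:<3} '
              f'files={entry["distinct_files"]:<3} '
              f'protocols={",".join(entry["protocols"]):<9} {marker}')
```

In practice, paste the real lock listing into SAMPLE_LOCKS (or read it from a file) and adjust ROW_RE if the column layout on your release differs; the flagged clients are the ones to feed into the export-policy deny rule or CIFS session termination steps above, in that order.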
Phase 3: Impact Assessment
Identify the affected scope using the following logs:
- ARP reports: identify affected directories and volumes.
- Audit logs (CIFS / NFS): identify client access activities, including accessed files, client IP addresses, access patterns, and the timeline of the attack.
Phase 4: Recovery
Restore data from the ARP-generated Snapshot copies taken before the event.
Additional Information
- If unable to restore snapshot from System Manager, try using the CLI instead.
- See also NetApp KB: Snapshot restore fails with error message: Failed to promote Snapshot copy snapshot-name
