I tried using Autonomous Ransomware Protection with AI (ARP/AI), a ransomware detection feature that requires no pre-learning, with Amazon FSx for NetApp ONTAP
Ransomware Countermeasures Made Easy
Hello, I'm nonpi (@non____97).
Have you ever wanted an easy way to implement ransomware countermeasures while operating a file server? I certainly have.
Previously, I introduced Amazon FSx for NetApp ONTAP's (hereafter FSxN) Autonomous Ransomware Protection (ARP).
By using this feature, you can detect abnormal activity in the file system and capture a Snapshot at that point in time.
However, that feature required a learning period before it could protect a volume.
It would eventually learn to detect anomalies based on your own workload, but waiting out the learning period was quite cumbersome.
ARP/AI is what removes the hassle of this learning period.
ARP/AI uses NetApp's pre-trained AI model, allowing you to use it immediately without setting up a learning period.
ARP/AI has received the highest AAA rating in a report by SE Labs, indicating it's highly regarded.
This feature has been available since ONTAP 9.16.1, but I hadn't tried it yet, so I'll give it a go.
ARP has been upgraded with new AI capabilities that can detect and respond to ransomware attacks with 99% accuracy and recall. The AI is trained on a comprehensive dataset, eliminating the learning period previously required to run ARP on FlexVols, and ARP/AI starts immediately in active mode. ARP/AI also includes automatic updates, ensuring continuous protection and resilience against the latest threats.
Let's Try It
Let's actually test it.
I'll mount the FSxN volume from an NFS client.
$ sudo mkdir -p /mnt/fsxn/vol1
$ sudo mount -t nfs svm-0391631db3412d33e.fs-01afbfc61d098d8f9.fsx.us-east-1.amazonaws.com:/vol1 /mnt/fsxn/vol1
$ df -hT -t nfs4
Filesystem Type Size Used Avail Use% Mounted on
svm-0391631db3412d33e.fs-01afbfc61d098d8f9.fsx.us-east-1.amazonaws.com:/vol1 nfs4 973G 114G 860G 12% /mnt/fsxn/vol1
I'll SSH into the FSxN file system and check the current state of ARP.
::> version
NetApp Release 9.17.1P4: Thu Jan 15 22:33:51 UTC 2026
::> security anti-ransomware volume ?
attack> Anti-ransomware Volume Suspected Attack Related Details/operations
attack-detection-parameters> Manage attack detection parameters of anti-ransomware enabled volume
auto-switch-to-enable-mode> The auto-switch-to-enable-mode directory
disable Disable anti-ransomware on a volume
dry-run Dry-run anti-ransomware on a volume
enable Enable anti-ransomware on a volume
entropy-stat> Manage Anti-Ransomware Volume Entropy Stats
event-log> The event-log directory
pause Pause anti-ransomware on a volume
resume Resume anti-ransomware on a volume
show Show anti-ransomware related information of volumes
space> Manage space usage of anti-ransomware enabled volume
workload-behavior> Manage anti-ransomware operations on the volume
::>
::> security anti-ransomware volume show
Vserver Volume State Dry Run Start Time
---------- ---------------- ---------------- ------------------
svm vol1 disabled -
::> vserver show -vserver svm -fields anti-ransomware-default-volume-state
vserver anti-ransomware-default-volume-state
------- ------------------------------------
svm disabled
ARP is disabled.
I'll enable it.
::> security anti-ransomware volume dry-run -vserver svm -volume vol1
::> security anti-ransomware volume show
Vserver Volume State Dry Run Start Time
---------- ---------------- ---------------- ------------------
svm vol1 enabled -
::> security anti-ransomware volume show -instance
Vserver Name: svm
Volume Name: vol1
State: enabled
Dry Run Start Time: -
Attack Probability: none
Attack Timeline: -
Number of Attacks: -
Attack Detected By: -
Block Device Detection Status: -
Block Device Evaluation Start-time: -
::> security anti-ransomware volume attack-detection-parameters show -vserver svm -volume vol1
Vserver Name : svm
Volume Name : vol1
Block Device Auto Learned Encryption Threshold : 0
Is Detection Based on High Entropy Data Rate? : true
Is Detection Based on Never Seen before File Extension? : true
Is Detection Based on File Create Rate? : true
Is Detection Based on File Rename Rate? : true
Is Detection Based on File Delete Rate? : true
Is Detection Relaxing Popular File Extensions? : true
High Entropy Data Surge Notify Percentage : 100
File Create Rate Surge Notify Percentage : 100
File Rename Rate Surge Notify Percentage : 100
File Delete Rate Surge Notify Percentage : 100
Never Seen before File Extensions Count Notify Threshold : 5
Never Seen before File Extensions Duration in Hour : 48
::> security anti-ransomware volume workload-behavior show -vserver svm -volume vol1
Vserver: svm
Volume: vol1
File Extensions Observed: -
Number of File Extensions Observed: -
Historical Statistics
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Surge Observed
Surge Timeline: -
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Newly Observed File Extensions: -
Number of Newly Observed File Extensions: -
::>
I specified dry-run, but the volume immediately went into active (enabled) mode.
It seems the option of tuning detection to an individual workload through a learning period is no longer available.
This behavior is also documented in the NetApp KB.
For precautions regarding ARP itself, please refer to my previous article.
Now I'll create 1,000 files of 16 MB each, filled with random data and given random extensions.
For reference, NetApp KB introduces the following method for detection testing:
This is a simple test relying on never seen before file extensions
- Create an archive with some files inside
- Change the extension to contain numbers + letters e.g.: test.zzz123
- Create at least 5 copies of the archive using the same extension, similar to test.zzz123; test2.zzz123; test3.zzz123; .....
- Reduce the "Never Seen before File Extensions Count Notify Threshold" to 5
- Copy or move the files to the test volume (using the share or mount) where you want to test ARP
- Give the system up to 10 minutes to generate a warning.
How to test ARP is active and working - NetApp Knowledge Base
$ for i in $(seq 1 1000); do
EXT=$(cat /dev/urandom | tr -dc 'a-z0-9' | head -c 6)
sudo dd if=/dev/urandom of="/mnt/fsxn/vol1/file_${i}.${EXT}" bs=1M count=16
done
16+0 records in
16+0 records out
16777216 bytes (17 MB, 16 MiB) copied, 0.10994 s, 153 MB/s
16+0 records in
16+0 records out
16777216 bytes (17 MB, 16 MiB) copied, 0.0803059 s, 209 MB/s
.
.
(omitted)
.
.
$ df -hT -t nfs4
Filesystem Type Size Used Avail Use% Mounted on
svm-0391631db3412d33e.fs-01afbfc61d098d8f9.fsx.us-east-1.amazonaws.com:/vol1 nfs4 973G 129G 844G 14% /mnt/fsxn/vol1
$ ls -l /mnt/fsxn/vol1/ | head
total 16456000
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_1.la9w7b
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_10.1dkyik
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_100.f7gdie
-rw-r--r--. 1 root root 16777216 Mar 31 08:17 file_1000.3yyk12
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_101.9htscr
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_102.9r7aau
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_103.xsx0r8
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_104.hkmv8n
-rw-r--r--. 1 root root 16777216 Mar 31 08:14 file_105.rgtor5
After creating the files, I'll check the status of ARP.
::*> date show
(cluster date show)
Node Date Time zone
--------- ------------------------- -------------------------
FsxId01afbfc61d098d8f9-01
3/31/2026 08:20:24 +00:00 Etc/UTC
FsxId01afbfc61d098d8f9-02
3/31/2026 08:20:24 +00:00 Etc/UTC
2 entries were displayed.
::*> security anti-ransomware volume show -instance
Vserver Name: svm
Volume Name: vol1
State: enabled
Dry Run Start Time: -
Attack Probability: none
Attack Timeline: -
Number of Attacks: -
Attack Detected By: -
Block Device Detection Status: -
Block Device Evaluation Start-time: -
::*> security anti-ransomware volume workload-behavior show -vserver svm -volume vol1
Vserver: svm
Volume: vol1
File Extensions Observed: -
Number of File Extensions Observed: -
Historical Statistics
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Surge Observed
Surge Timeline: -
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Newly Observed File Extensions: -
Number of Newly Observed File Extensions: -
::*> snapshot show -volume vol1 -fields create-time, snapmirror-label, snaplock-expiry-time
vserver volume snapshot create-time snapmirror-label snaplock-expiry-time
------- ------ ----------------------------------------------- ------------------------ --------------------------- --------------------
svm vol1 Anti_ransomware_periodic_backup.2026-03-31_0806 Tue Mar 31 08:06:20 2026 anti-ransomware-main-backup -
The attack probability hasn't changed to moderate, but a Snapshot does exist. Its name and 08:06 creation time show it is the periodic ARP backup Snapshot taken before the files were written, not one triggered by a detection.
I'll wait another 10 minutes.
::*> date show
(cluster date show)
Node Date Time zone
--------- ------------------------- -------------------------
FsxId01afbfc61d098d8f9-01
3/31/2026 08:28:52 +00:00 Etc/UTC
FsxId01afbfc61d098d8f9-02
3/31/2026 08:28:52 +00:00 Etc/UTC
2 entries were displayed.
::*> security anti-ransomware volume show -instance
Vserver Name: svm
Volume Name: vol1
State: enabled
Dry Run Start Time: -
Attack Probability: none
Attack Timeline: -
Number of Attacks: -
Attack Detected By: -
Block Device Detection Status: -
Block Device Evaluation Start-time: -
::*> security anti-ransomware volume workload-behavior show -vserver svm -volume vol1
Vserver: svm
Volume: vol1
File Extensions Observed: la9w7b, 0yelue, 439s6p,
65rsbk, m53m3f, fuw76q,
hxgak2, s2zyn9, 1dkyik,
yfmxqu, 85cg6u, 7vrfw4,
32ztmo, qq2fdb, qaw72c,
dic56o, 9peppc, hm0j0k,
pwa184, p6gu7d, aw985b,
cugl4z, 52aw2m, jryqle,
lx0vgw, 6mj8l1, k8xukb,
dx84ex, o0frfq, 7550zm,
29m9qr, m9qhl0, ddrljh,
9ckqgg, qxprwy, 2gggor,
kdtysz, eiohez, lajz38,
kfcxu6, 8w6scn, o4vt4q,
qz15wn, qbmj3q, f2yjtp,
ht8bdr, ido41b, 2lum80,
siy7sc, niilhm
Number of File Extensions Observed: 1000
Historical Statistics
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Surge Observed
Surge Timeline: -
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Newly Observed File Extensions: la9w7b, 0yelue, 439s6p,
65rsbk, m53m3f, fuw76q,
hxgak2, s2zyn9, 1dkyik,
.
.
(omitted)
.
.
fo0pwh, bctzxf, 3yyk12,
oxscjt, iwtsxu, lxmmph,
pbmp3v, 2wbb3i, 9zy7j3,
pdw5qg
Number of Newly Observed File Extensions: 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
.
.
(omitted)
.
.
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1
::*> date show
(cluster date show)
Node Date Time zone
--------- ------------------------- -------------------------
FsxId01afbfc61d098d8f9-01
3/31/2026 08:58:08 +00:00 Etc/UTC
FsxId01afbfc61d098d8f9-02
3/31/2026 08:58:08 +00:00 Etc/UTC
2 entries were displayed.
::*> security anti-ransomware volume show -instance
Vserver Name: svm
Volume Name: vol1
State: enabled
Dry Run Start Time: -
Attack Probability: none
Attack Timeline: -
Number of Attacks: -
Attack Detected By: -
Block Device Detection Status: -
Block Device Evaluation Start-time: -
::*> security anti-ransomware volume workload-behavior show -vserver svm -volume vol1
Vserver: svm
Volume: vol1
File Extensions Observed: la9w7b, 0yelue, 439s6p,
65rsbk, m53m3f, fuw76q,
hxgak2, s2zyn9, 1dkyik,
yfmxqu, 85cg6u, 7vrfw4,
32ztmo, qq2fdb, qaw72c,
dic56o, 9peppc, hm0j0k,
pwa184, p6gu7d, aw985b,
cugl4z, 52aw2m, jryqle,
lx0vgw, 6mj8l1, k8xukb,
dx84ex, o0frfq, 7550zm,
29m9qr, m9qhl0, ddrljh,
9ckqgg, qxprwy, 2gggor,
kdtysz, eiohez, lajz38,
kfcxu6, 8w6scn, o4vt4q,
qz15wn, qbmj3q, f2yjtp,
ht8bdr, ido41b, 2lum80,
siy7sc, niilhm
Number of File Extensions Observed: 1000
Historical Statistics
High Entropy Data Write Percentage: 100
High Entropy Data Write Peak Rate (KB/Minute): 204812
File Create Peak Rate (per Minute): 50
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Surge Observed
Surge Timeline: -
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Newly Observed File Extensions: la9w7b, 0yelue, 439s6p,
65rsbk, m53m3f, fuw76q,
.
.
(omitted)
.
.
oxscjt, iwtsxu, lxmmph,
pbmp3v, 2wbb3i, 9zy7j3,
pdw5qg
Number of Newly Observed File Extensions: 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
.
.
(omitted)
.
.
1, 1, 1, 1, 1, 1, 1, 1, 1, 1
The attack probability still hasn't changed to moderate, although all of the new extensions were recorded in the workload statistics. No EMS events were triggered either.
It seems that in practice a considerably larger volume of file changes is needed before detection fires.
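Rather than re-running the two `show` commands above by hand, a monitoring job can parse their output. The parser below is an added example, not code from the article or from NetApp; it assumes the `Key: value` layout shown in this article (section headers without a colon, wrapped lists continued on indented lines), and the samples are constructed from the outputs above.

```python
import re
SECTIONS = ("Historical Statistics", "Surge Observed")

def parse_arp_output(text: str) -> dict:
    """Parse the 'Key: value' text of 'security anti-ransomware volume show -instance'
    or 'workload-behavior show'; section headers nest, wrapped lists are re-joined."""
    result: dict = {}
    section, last_key = result, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):
            continue                              # blank line or the CLI prompt
        if line in SECTIONS:
            section, last_key = result.setdefault(line, {}), None
            continue
        m = re.match(r"^([A-Za-z][^:]*?):\s*(.*)$", line)
        if m:
            last_key, section[last_key] = m.group(1).strip(), m.group(2).strip()
        elif last_key is not None:                # continuation of a wrapped list
            section[last_key] = f"{section[last_key]} {line}".strip()
    return result

def split_list(value: str) -> list:  # ONTAP prints '-' when there is nothing to show
    return [] if value in ("", "-") else [v.strip() for v in value.split(",") if v.strip()]

def summarize(instance_text: str, behavior_text: str) -> dict:
    """Reduce both outputs to the fields a monitoring job would record or alert on."""
    inst, beh = parse_arp_output(instance_text), parse_arp_output(behavior_text)
    surge = beh.get("Surge Observed", {})         # the 'Newly Observed' fields live here
    counts = split_list(surge.get("Number of Newly Observed File Extensions", "-"))
    return {
        "volume": inst.get("Volume Name"), "state": inst.get("State"),
        "attack_probability": inst.get("Attack Probability"),
        "new_extensions": len(split_list(surge.get("Newly Observed File Extensions", "-"))),
        "files_with_new_extensions": sum(int(c) for c in counts),
        "high_entropy_write_pct": beh["Historical Statistics"]["High Entropy Data Write Percentage"],
    }
# Constructed samples, abridged from the output shown in this article.
INSTANCE = """::*> security anti-ransomware volume show -instance
Volume Name: vol1
State: enabled
Attack Probability: none"""
BEHAVIOR = """Number of File Extensions Observed: 4
Historical Statistics
High Entropy Data Write Percentage: 100
Surge Observed
Newly Observed File Extensions: la9w7b, 0yelue, 439s6p,
    65rsbk
Number of Newly Observed File Extensions: 1, 1, 1,
    2"""
```

Feed it the text captured over SSH and alert when `attack_probability` leaves `none`, or trend `new_extensions` against the 5-extension notify threshold shown in the detection parameters.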
As the Last Line of Defense Against Ransomware
I tried ARP/AI on FSxN.
It's very useful as a last line of defense against ransomware. Since it doesn't prevent attacks themselves, its role is to improve resilience by preserving a Snapshot you can recover from.
Basically it's fine to enable it, but there are performance impacts to consider, so enable it after weighing them.
ARP's performance overhead is minimal for most workloads. If your volumes have read-intensive workloads, NetApp recommends protecting no more than 150 volumes per file system. Exceeding this number may result in up to 4% lower IOPS for that workload. If your volumes have write-intensive workloads, NetApp recommends protecting no more than 60 volumes per file system. Otherwise, that workload may experience up to 10% lower IOPS.
Protecting your data with Autonomous Ransomware Protection - FSx for ONTAP
Please also refer to the following AWS official documentation. The content about ARP has become much more comprehensive than before.
I hope this article helps someone.
That's all from nonpi (@non____97) of the Consulting Department in the Cloud Business Division!