ONTAP 9 Manuals ( CA08871-402 )

Restore data after a ransomware attack

Autonomous Ransomware Protection (ARP) creates Snapshot copies named Anti_ransomware_backup when it detects a potential ransomware threat. You can use one of these ARP Snapshot copies or another Snapshot copy of your volume to restore data.

About this task

To restore from a Snapshot other than the Anti_ransomware_backup Snapshot after a system attack was identified, you must first release the ARP Snapshot.

If no system attack was reported, you must first restore from the Anti_ransomware_backup Snapshot copy then complete a subsequent restoration of the volume from the Snapshot copy of your choosing.

Steps

You can use ONTAP System Manager or the ONTAP CLI to restore your data.

ONTAP System Manager
Restore after a system attack
  1. To restore from the ARP Snapshot, skip to step two. To restore from an earlier Snapshot copy, you must first release the lock on the ARP Snapshot.

    1. Select Storage > Volumes.

    2. Select Security, then View Suspected File Types.

    3. Mark the files as one of the following.

      • false positive

      • potential ransomware attacks

    4. Select Update and Clear Suspect File Types.

  2. Display the Snapshot copies in volumes:

    Select Storage > Volumes, then select the volume and Snapshot Copies.

  3. Select Menu Option next to the Snapshot copy you want to restore then Restore.

Restore if a system attack was not identified
  1. Display the Snapshot copies in volumes:

    Select Storage > Volumes, then select the volume and Snapshot Copies.

  2. Select Menu Option, then choose the Anti_ransomware_backup Snapshot.

  3. Select Restore.

  4. Return to the Snapshot Copies menu, then choose the Snapshot copy you want to use. Select Restore.

CLI
Restore after a system attack
  1. To restore from the ARP Snapshot copy, skip to step two. To restore data from earlier Snapshot copies, you must release the lock on the ARP Snapshot.

    It is only necessary to release the anti-ransomware Snapshot lock before restoring from earlier Snapshot copies if you are using the volume snapshot restore command as outlined below. If you are restoring data using FlexClone, Single File SnapRestore or other methods, this is not necessary.

    Use the following command to mark the attack as either a "false positive" or a "potential ransomware attack". Set -false-positive to "false" for "false positive" or "true" for "possible ransomware attack."
    anti-ransomware volume attack clear-suspect -vserver svm_name -volume vol_name [extension identifiers] -false-positive [true/false]

    Use one of the following parameters to identify the extensions:
    [-seq-no integer] Sequence number of the file in the suspect list.
    [-extension text, … ] File extensions
    [-start-time date_time -end-time date_time] Starting and ending times for the range of files to be cleared, in the form "MM/DD/YYYY HH:MM:SS".

  2. List the Snapshot copies in a volume:

    volume snapshot show -vserver SVM -volume volume

    The following example shows the Snapshot copies in vol1:

    clus1::> volume snapshot show -vserver vs1 -volume vol1
    
    Vserver Volume Snapshot                State    Size  Total% Used%
    ------- ------ ---------- ----------- ------   -----  ------ -----
    vs1     vol1   hourly.2013-01-25_0005  valid   224KB     0%    0%
                   daily.2013-01-25_0010   valid   92KB      0%    0%
                   hourly.2013-01-25_0105  valid   228KB     0%    0%
                   hourly.2013-01-25_0205  valid   236KB     0%    0%
                   hourly.2013-01-25_0305  valid   244KB     0%    0%
                   hourly.2013-01-25_0405  valid   244KB     0%    0%
                   hourly.2013-01-25_0505  valid   244KB     0%    0%
    
    7 entries were displayed.
  3. Restore the contents of a volume from a Snapshot copy:

    volume snapshot restore -vserver SVM -volume volume -snapshot snapshot

    The following example restores the contents of vol1:

    cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010
Restore if a system attack was not identified
  1. List the Snapshot copies in a volume:

    volume snapshot show -vserver SVM -volume volume

    The following example shows the Snapshot copies in vol1:

    clus1::> volume snapshot show -vserver vs1 -volume vol1
    
    Vserver Volume Snapshot                State    Size  Total% Used%
    ------- ------ ---------- ----------- ------   -----  ------ -----
    vs1     vol1   hourly.2013-01-25_0005  valid   224KB     0%    0%
                   daily.2013-01-25_0010   valid   92KB      0%    0%
                   hourly.2013-01-25_0105  valid   228KB     0%    0%
                   hourly.2013-01-25_0205  valid   236KB     0%    0%
                   hourly.2013-01-25_0305  valid   244KB     0%    0%
                   hourly.2013-01-25_0405  valid   244KB     0%    0%
                   hourly.2013-01-25_0505  valid   244KB     0%    0%
    
    7 entries were displayed.
  2. Restore the contents of a volume from a Snapshot copy:

    volume snapshot restore -vserver SVM -volume volume -snapshot snapshot

    The following example restores the contents of vol1:

    cluster1::> volume snapshot restore -vserver vs0 -volume vol1 -snapshot daily.2013-01-25_0010
  3. Repeat steps 1 and 2 to restore the volume using the desired Snapshot copy.
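
The following is an added example, not part of the ONTAP manual and not NetApp code. It parses the table printed by volume snapshot show (the listing format shown above), picks a restore point, and emits the ordered CLI commands the two CLI procedures prescribe: clear-suspect before restoring a non-ARP copy when an attack was reported, or restore the Anti_ransomware_backup copy first when no attack was reported. The sample listing is constructed from the example above with one ARP copy added; the assumption that ARP copy names carry a date suffix after Anti_ransomware_backup, the choice of the newest copy before a cutoff time as the restore point, and the <extension identifiers> placeholder for the clear-suspect parameters are this example's own.

```python
"""Plan a post-ransomware restore from `volume snapshot show` output (added example, not NetApp code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample output, modelled on the listing in the procedure, with one
# ARP-generated copy added. Assumption: ARP copy names end in a YYYY-MM-DD_HHMM suffix.
SAMPLE_OUTPUT = """\
clus1::> volume snapshot show -vserver vs1 -volume vol1

Vserver Volume Snapshot                State    Size  Total% Used%
------- ------ ---------- ----------- ------   -----  ------ -----
vs1     vol1   hourly.2013-01-25_0005  valid   224KB     0%    0%
               daily.2013-01-25_0010   valid   92KB      0%    0%
               hourly.2013-01-25_0105  valid   228KB     0%    0%
               hourly.2013-01-25_0205  valid   236KB     0%    0%
               Anti_ransomware_backup.2013-01-25_0230  valid  240KB  0%  0%
               hourly.2013-01-25_0305  valid   244KB     0%    0%

6 entries were displayed.
"""

ARP_PREFIX = "Anti_ransomware_backup"              # ARP copy name from the procedure
NAME_TS = re.compile(r"\d{4}-\d{2}-\d{2}_\d{4}$")  # trailing YYYY-MM-DD_HHMM in copy names


@dataclass
class Snapshot:
    vserver: str
    volume: str
    name: str
    state: str
    size: str

    @property
    def is_arp(self) -> bool:
        return self.name.startswith(ARP_PREFIX)

    @property
    def taken_at(self) -> Optional[datetime]:
        m = NAME_TS.search(self.name)
        return datetime.strptime(m.group(0), "%Y-%m-%d_%H%M") if m else None


def parse_snapshot_show(text: str) -> List[Snapshot]:
    """Parse the table printed by `volume snapshot show -vserver ... -volume ...`.
    Only the first row names the Vserver and volume; later rows inherit them."""
    snaps: List[Snapshot] = []
    vserver = volume = None
    for line in text.splitlines():
        cols = line.split()
        if not cols or "::>" in line or cols[0] == "Vserver" or set(line) <= {"-", " "}:
            continue                      # prompt, header, separator or blank line
        if "entries were displayed" in line or "entry was displayed" in line:
            break                         # trailer ends the table
        if len(cols) == 7:
            vserver, volume = cols[0], cols[1]
            cols = cols[2:]
        if len(cols) != 5 or vserver is None:
            raise ValueError(f"unexpected row: {line!r}")
        snaps.append(Snapshot(vserver, volume, cols[0], cols[1], cols[2]))
    return snaps


def latest_before(snaps: List[Snapshot], cutoff: datetime) -> Optional[Snapshot]:
    """One way to choose a restore point: the newest non-ARP copy taken before `cutoff`
    (for example the time the suspicious activity was first noticed)."""
    cands = [s for s in snaps if not s.is_arp and s.taken_at and s.taken_at < cutoff]
    return max(cands, key=lambda s: s.taken_at) if cands else None


def plan_restore(snaps: List[Snapshot], target: str, attack_reported: bool,
                 false_positive: bool = False,
                 suspect_args: str = "<extension identifiers>") -> List[str]:
    """Return the ordered CLI commands from the procedure for restoring `target`.
    The clear-suspect step is emitted only where the procedure requires it: an attack
    was reported and the restore uses `volume snapshot restore` with a non-ARP copy."""
    by_name = {s.name: s for s in snaps}
    tgt = by_name[target]
    restore = lambda s: (f"volume snapshot restore -vserver {s.vserver} "
                         f"-volume {s.volume} -snapshot {s.name}")
    cmds: List[str] = []
    if attack_reported:
        if not tgt.is_arp:  # release the ARP lock first; -false-positive is the operator's call
            cmds.append(f"anti-ransomware volume attack clear-suspect -vserver {tgt.vserver} "
                        f"-volume {tgt.volume} {suspect_args} "
                        f"-false-positive {'true' if false_positive else 'false'}")
        cmds.append(restore(tgt))
    else:
        arp = [s for s in snaps if s.is_arp]
        if not arp:
            raise ValueError("no Anti_ransomware_backup copy in the listing")
        cmds.append(restore(max(arp, key=lambda s: s.taken_at or datetime.min)))
        if not tgt.is_arp:
            cmds.append(restore(tgt))     # second restore from the copy of your choosing
    return cmds


if __name__ == "__main__":
    listing = parse_snapshot_show(SAMPLE_OUTPUT)
    pick = latest_before(listing, datetime(2013, 1, 25, 2, 30))
    for cmd in plan_restore(listing, pick.name, attack_reported=True):
        print(cmd)
```

The commands are only printed; running them remains a deliberate operator step, since volume snapshot restore replaces the whole volume's contents and the clear-suspect decision determines how ARP records the event.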
