Introduction
Ransomware isn’t just an endpoint problem anymore. Once attackers gain a foothold, they often go straight for the data plane—encrypting shares at speed, renaming extensions, and churning IO until you’re left with a very expensive brick.
Microsoft’s Azure NetApp Files Advanced Ransomware Protection (ARP) is a newly released capability (currently in preview) that adds storage-level ransomware detection to Azure NetApp Files (ANF) volumes—plus automatic point-in-time snapshots to support fast recovery.
What ARP is (and why it’s different)
ARP is designed to help you detect, respond to, and recover from ransomware activity directly on Azure NetApp Files volumes. It doesn’t rely on agents inside VMs; instead, it observes volume behaviour and flags suspicious patterns.
A key point: ARP is available at no additional cost for Azure NetApp Files (preview feature registration required).
How ARP detects ransomware
ARP uses machine learning to build and refine a “normal” profile for each protected volume, based on three main signals:
- File extension profiling (new/unusual extension patterns)
- Data entropy patterns (a common side-effect of encryption)
- IOPS patterns (abnormal IO behaviour consistent with mass file changes)
When ARP detects a suspected threat, it creates a point-in-time snapshot so you have an immediate recovery option while you investigate. In ARM/SDK surfaces, ARP snapshots are referenced as being named Anti_ransomware_backup.
Considerations you need to know
Before you enable it everywhere, there are a few important constraints (from Microsoft’s configuration guidance):
- Only for newly created volumes — ARP must be enabled at volume creation time.
- Attack reports are retained for 30 days.
- Notifications are sent via the Azure Activity log.
- Microsoft recommends enabling ARP on no more than five volumes per Azure region (to mitigate performance issues).
- Plan for overhead: Microsoft recommends increasing QoS capacity by 5–10% due to possible performance impact.
Supported regions (including UK)
ARP preview is available in a long list of regions, including UK South and UK West (plus North Europe/West Europe and many more). Always validate your target region against the official supported list before planning rollout. You can view the supported regions using this link.
Getting started: register the feature (preview requirement)
Because ARP is currently in preview, you must register the feature first. Below are code snippets for both PowerShell and Azure CLI that register the ARP feature and check its registration status.
PowerShell
Register using PowerShell.
Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFAntiRansomware
To check the status of the feature registration, run the command shown below.
Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFAntiRansomware
Azure CLI
Register using Azure CLI.
az feature register --namespace Microsoft.NetApp --name ANFAntiRansomware
To check the status of the feature registration, run the command shown below.
az feature show --namespace Microsoft.NetApp --name ANFAntiRansomware
Note: It can take up to 60 minutes for the feature to register.
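The Azure CLI register-then-check steps above, combined into one script that polls until registration completes. This is an added example, not code from Microsoft's documentation: the namespace and feature name are the ones shown above, while the function names, POLL_INTERVAL, MAX_WAIT and the `--apply` switch are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example: register the ARP preview feature and wait for it to finish.
# Namespace and feature name come from this article; the function names,
# POLL_INTERVAL, MAX_WAIT and --apply are assumptions made for this sketch.

NAMESPACE="Microsoft.NetApp"
FEATURE="ANFAntiRansomware"
POLL_INTERVAL="${POLL_INTERVAL:-60}"   # seconds between status checks
MAX_WAIT="${MAX_WAIT:-3600}"           # registration can take up to 60 minutes

# Print the current registration state (for example Registering, Registered).
feature_state() {
    az feature show --namespace "$NAMESPACE" --name "$FEATURE" \
        --query properties.state --output tsv
}

# Poll until the feature reports Registered.
# Returns 0 on success, 1 on timeout, 2 if the state cannot be read.
wait_for_feature() {
    waited=0
    while :; do
        state="$(feature_state)" || return 2
        [ -n "$state" ] || return 2
        echo "state after ${waited}s: $state" >&2
        [ "$state" = "Registered" ] && return 0
        [ "$waited" -ge "$MAX_WAIT" ] && return 1
        sleep "$POLL_INTERVAL"
        waited=$((waited + POLL_INTERVAL))
    done
}

# Submit the registration only if it is still needed, then wait for it.
register_arp_feature() {
    if [ "$(feature_state)" != "Registered" ]; then
        az feature register --namespace "$NAMESPACE" --name "$FEATURE" \
            >/dev/null || return 2
    fi
    wait_for_feature
}

# Touch the signed-in subscription only when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    register_arp_feature
fi
```

Run it as `sh register-arp.sh --apply` (the file name is arbitrary) after `az login`; a non-zero exit code distinguishes a timeout (1) from a failed CLI call (2), which is useful when the script gates a deployment pipeline.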
Enabling ARP (volume creation time)
ARP is enabled during volume creation in the Azure portal:
- Create a new NFS, SMB, or dual-protocol ANF volume.
- On the Basics tab, set Advanced Ransomware Protection = Enabled.
- After creation, confirm on the volume overview that ARP shows as enabled.
Operations: what to do when ARP flags a threat
From the portal workflow:
- In the Azure NetApp Files experience, select Advanced Ransomware Protection (under Storage services).
- Review Active threats and expand a threat to see suspect files.
- Classify the activity:
  - Mark as False positive if it’s expected/benign.
  - Mark as Threat if it looks malicious, then revert the volume using the snapshot captured before the threat (or another suitable snapshot).
Because notifications are raised in the Azure Activity log, you can route these into your existing ops and security tooling (alert rules, SIEM/SOAR, runbooks) without relying on someone spotting it in the portal.
Practical rollout advice (what I’d do first)
Even in preview, ARP is compelling—roll it out like a security feature and like a performance feature:
- Start with the crown jewels: the handful of volumes that would hurt most if encrypted.
- Use a “new volume” strategy: enable ARP on new builds and migrations first (since it only applies to newly created volumes today).
- Bake in headroom: account for the suggested 5–10% QoS capacity uplift where you enable ARP.
- Define your triage path: who reviews alerts, how quickly, and when you revert.
- Test restores: snapshots are only useful if you’ve rehearsed recovery under pressure.
Summary
Storage is where ransomware becomes a business outage. ARP brings detection and recovery closer to the data, using behavioural signals (extensions, entropy, IOPS) and automatic snapshots, surfaced via the Activity log for operational response.
If you’re planning storage-driven migrations or modernisation on ANF, ARP is a strong “enable-by-default on new volumes” candidate—especially for workloads where minutes matter and recovery needs to be fast, predictable, and integrated into your normal ops flow.
For more information on the Azure NetApp Files service, check out the What’s new in Azure NetApp Files page.