4300 Potential ransomware detected
Explanation
Ransomware detection indicates the nature of data written to a volume or volumes has changed. This might be the result of a change to the way applications are storing data, or it might indicate a volume is being subjected to a ransomware attack.
User response
Contact the owners of the hosts and applications that write data to the indicated volume, or to the volumes in the indicated volume group. Determine whether the change in the nature of the data is due to a known change, or whether the change is unexpected. If the change is unexpected, take steps to mitigate data loss for these volumes.
If a malware attack is identified, take steps to mitigate damage to the volumes and other volumes that might be accessible by infected hosts. Then, identify suitable backups from which to restore affected volumes.
If this error is logged for a volume group, review snapshots of the volume group. Each snapshot has an anomaly status. If the volume group needs to be rapidly recovered from the effects of ransomware, restore the most recent snapshot with an anomaly status of "retention extended". For more information, see lsvolumegroupsnapshot.