Yes, Ransomware can delete your Veeam backups.

[mkaec]

...
In this case Data mover is running on linux repository, and backup files are not visible to Windows world
...

I imagine an attacker could still use the Veeam UI to delete the files.

The best non-airgapped solution I've heard of is a cloud provider that will not honor delete requests unless the files are of a certain age.

[billcouper]

@mkaec "Backup file deletion prevention" is a feature Veeam Cloud Connect supports

[SimonS]

...

I imagine an attacker could still use the Veeam UI to delete the files.

If you have access to Veeam UI you can do anything .

But, we are taking about Ransomware and deleting/encrypting backup files. in this case, you must prevent easy acces to this files.To do that, is the best way using devices with no directy access (CIFS/NFS/local file system), but external boxes, Linux (SSH, Data mover), ExaGrid (Data mover), DataDomain (DDbost) and HPE StorOnce (Catalyst). Linux is cheapest solution.
DataDomain have feature Retention Lock, which prevent deleting/changing files until expiration period. Retention Lock work only wtih NFS/CIFS not with DDbost.

The best way to prevent delete your backups and have it localy is still old fashioned tape libraries .

[CloudMSP]

We have a local BDR server onsite running Windows Server, it's the B&R server, if we keep this off the domain, and have unique passwords, and AV. Will this protect it from getting crypto for the most part? Login to the BDR is only from Screen Connect and not from the customer LAN or servers.

[Gostev]

We have a local BDR server onsite running Windows Server, it's the B&R server, if we keep this off the domain, and have unique passwords, and AV. Will this protect it from getting crypto for the most part? Login to the BDR is only from Screen Connect and not from the customer LAN or servers.

Not fully, because your backups are online. Passwords can be obtained by hackers via keyloggers, sniffers, social engineering etc. Also, what some of your co-workers may get upset and sicks ransomware there (or just deletes all backups)... you'd be surprised how often this happens.

Secure design is definitely adds a good level of protection, but only offline backups in a fireproof safe can give you 100% assurance.

[Niksavoy]

I want to share the situation I encountered yesterday with my client.
Recently, the VBR solution was transformed with this client as a backup server on physical machine with 2012 R2 with local drives and running VBR server, Backup proxy and Repository functions, as well as several virtual Backup proxies.
Also has not yet been expanded and finished.
I was saying IT WAS because yesterday the customer found that five days ago it was completely encrypted, including backup files.
It was hit by CMB Dharma Ransomware, Cryptovirus
Unfortunately, still did not have backup-copy or replication for objective reasons.

Luckily, no other machine from the production was affected
Or to say for now ?

I use Veeam from v 7 now I understand that my approach obviously needs to change and obviously Backups, backup-copys, DR Replications, DR Backup-Copy in multiple places seems to be vulnerable to similar attacks.
As I read the previous few pages, I thought of the following solution to the problem - i want to share you opinion :

A QNAP QSync application is installed on the Windows Server Backup Repository pointing to the folder containing Backups-Copy from Veeam BR
in this way in real-time folders are synchronized with the QNAP storage where Volume-Snapshots are activated for a period of 30 days, for example
On QNAP we have enabled the Network Recycle Bin-a so deleted files are not deleted from QNAP - only admin can do so but not the Account for QSYNC

How do I imagine it?
QNAP NAS connection credentials remain hidden in the QSYNC application - it connects through HTTPS port 443 to QNAP-a (LAN or WAN for off-site )
There is no link in Veeam for this resource at all also aint in windows it self.
Even if you get encryption QNAP Volume snapshots can restore the entire Volume with a mouse keyboard and monitor to QNAP itself - if you have ecncrypted file restore -1 step .....
When deleted, the files will also remain on QNAP just for admin usage
QNAP NAS also supports RSync to other QNAP NAS - even Volume Replication - can be expanded as a configuration


Is it interesting to share your opinion on such a solution for any hidden obsticles i have missing ?

Kind Regards
Niksavoy

[stlspartan]

I know this thread is old.

We use QNAP NAS devices for near-line backup and backup copy archives at out DR location. When we learned of the risk of malware deleting backups we were reluctant to usek tape, since we had worked hard to eliminate it. Our solution was to restrict access to the backup shares to a single account used only by Veeam and, more importantly, we installed QNAP models that support snapshot volumes. The snapshot management is only through the admin account on the QNAP. We keep 7 daily snapshots on all the Veeam volumes. By doing this, should a person or malware manage to gain access to the Veeam repository shares and delete the files, they can be recovered from the snapshots. The existence of snapshots is invisible through the SMB interface used by Veeam.

[Blue407]

Morning All

I'm looking for advice and best practice on ways to secure our Backup server. Its Windows based and on the Domain, it has a 2nd network card which connects to additional storage on Synology NAS's. No other machines on the network have physical access to this network.
The backup server has local storage with backups on it as well as on the Synology, plus we backup to tape nightly. This server is on the network and we currently administer it via RDP, rather than using a B&R console on another PC.

Obvious concerns are things like Ransomeware etc.

[wishr]

Hi Paul,

I'm merging your topic to an existing discussion - please take a look and let us know if you have any additional questions.

Thanks

[Blue407]

@Wishr
I'm not looking at recovery and backup options for the B&R server, I'm looking at hardening it and best practice to protect it.
So things like disabling internet access, removing non-required Domain accounts access etc Stuff like that.

[wishr]

Hi Paul,

I apologize, corrected it.

Here is an official whitepaper with additional materials at the bottom of it.

I'd suggest looking at those also: 1, 2, 3, 4.

Thanks