JLundgren
Service Provider
Posts: 329
Liked: 30 times
Joined: Nov 13, 2015 10:00 am
Full Name: Johnny Lundgren

Mass Recovery and forensics after virus.

Post by JLundgren »

Hello,

scenario:

A customer suffers a network intrusion and the intruder has planted ransomware that impacts the whole environment.
A mass recovery of 200 VMs has to be executed.

What would be the best path forward if all of the VMs need to be part of a forensic investigation and a laundry has to take place (cleanup of backdoors in AD, pw-reset etc.) before setting the servers in production again?

Regards,

JLundgren
Dima P.
Product Manager
Posts: 14716
Liked: 1703 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Mass Recovery and forensics after virus.

Post by Dima P. »

Hello Johnny,

They could use Entire VM Restore in conjunction with the Secure Restore functionality. VM restore will operate based on repository task slot availability, so you can start recovery for multiple VMs at the same time. Secure Restore will ensure that restore points are not affected by ransomware. Cheers!
JLundgren
Service Provider

Re: Mass Recovery and forensics after virus.

Post by JLundgren »

Thanks Dima,

is Entire VM Restore designed and viable for the scenario I described?
Or is it meant to be used with one or a couple of VMs at a time at most?

I mean, let's say we plan to use the above approach with 100 VMs at the same time and prepare the isolated environment for an external forensic company to do their magic.
Using Entire VM Restore, we have to run the wizard a hundred times.
Will it not be difficult to get an overview and cumbersome when performing the forensic and GDPR related actions?

Is it maybe better to use Instant VM Recovery, which supports bulk processing and multiple workloads?
In the Instant VM Recovery case we could have already prepared an isolated network (outside the VBR scope) and perform the laundry there.

What has R&D to say about the Veeam approach?
Do you have an example from real life you could share?
Regards,

JLundgren
JLundgren
Service Provider

Re: Mass Recovery and forensics after virus.

Post by JLundgren »

Hello Dima,

Any progress concerning my questions above?

Thanks.
Regards,

JLundgren
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Mass Recovery and forensics after virus.

Post by Gostev »

I think v10 Data Integration API is a better way to go here, as it allows to automatically and instantly present the content of any restore point "for an external forensic company to do their magic".
JLundgren
Service Provider

Re: Mass Recovery and forensics after virus.

Post by JLundgren »

Ok, thanks.

Could you elaborate based on my scenario above?
It is taken from real life, but in collaboration with another backup software vendor.
The forensic laundry process is performed by a company that specializes in these catastrophic events caused by ransomware.

I would like to present Veeam products as a solution and show how your software would simplify the mass recovery process.
Regards,

JLundgren
Gostev
Chief Product Officer

Re: Mass Recovery and forensics after virus.

Post by Gostev »

Probably the best explanation can be found directly in the What's New in v10 (page 3).
JLundgren
Service Provider

Re: Mass Recovery and forensics after virus.

Post by JLundgren »

Using "Data Integration API", will the company responsible for the laundry of the customer AD domain and server members be able to do a point-in-time ransomware cleanup, including removing backdoors and resetting passwords, i.e. secure the AD domain and server environment 100%?
And after that perform a mass recovery using "Multi-VM Instant Recovery" back into production?

Have I understood Veeam's design of the process correctly then?
Regards,

JLundgren
Gostev
Chief Product Officer

Re: Mass Recovery and forensics after virus.

Post by Gostev »

Using "Data Integration API", the company responsible for the laundry of the customer AD domain and server members will be able to detect ransomware and decide if cleanup of the particular machine (or restore point) is even needed.

Actual cleanup including removing backdoors, resetting passwords, etc. requires using Staged Restore functionality of Veeam. The What's New in 9.5 is again a good source for the brief description of this feature (search for Staged Restore as it's quite long). Of course, this can also be automated with our PowerShell API.

"Multi-VM Instant Recovery" is for when cleanup is not required, for example following a hardware or a natural disaster.
JLundgren
Service Provider

Re: Mass Recovery and forensics after virus.

Post by JLundgren »

Hello,

I would like to bring this thread to life again.
Regarding BP when having to perform a mass recovery of VMs when production is hit by ransomware.
Regards,

JLundgren
Dima P.
Product Manager

Re: Mass Recovery and forensics after virus.

Post by Dima P. »

Hello JLundgren,

Do you know the name of the ransomware that affected your production? Any chance you have the list of particular malicious extensions or files that were detected during the attack? If yes, you can use Scan Backup or Secure Restore in conjunction with a YARA rule tailored to look for such extensions or files.
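Gostev's answer above (Data Integration API to decide, Staged Restore in a virtual lab for the actual cleanup, automatable through the PowerShell API) and Dima's suggestion of a tailored YARA rule can be combined in one script. The following is an added example written for this thread, not code from Veeam or from either poster: the job, lab, host, datastore, credential and script names are made up, and the parameter names follow the Start-VBRRestoreVM documentation for VBR 12.1 as I know it, so check them against the cmdlet reference for the version you run.

```powershell
# Added example, not Veeam's own code. Assumptions (all made up for illustration):
#   backup job "Prod-Tier1", isolated virtual lab "Forensics-Lab", recovery host
#   "esx-recovery01" with datastore "ds-recovery", guest credentials "AD-Cleanup-Admin",
#   cleanup script C:\Scripts\ad-cleanup.ps1 on the backup server, and a YARA rule
#   file "ransomware-markers.yar" placed in the YARA rules folder on the backup server.
#   Parameter names are those documented for Start-VBRRestoreVM in VBR 12.1; verify
#   against the cmdlet reference for the installed version before use.
Import-Module Veeam.Backup.PowerShell

$backup = Get-VBRBackup -Name "Prod-Tier1"
$lab    = Get-VBRVirtualLab -Name "Forensics-Lab"
$creds  = Get-VBRCredentials -Name "AD-Cleanup-Admin"
$target = Get-VBRServer -Name "esx-recovery01"
$store  = Find-VBRViDatastore -Server $target -Name "ds-recovery"

# Latest restore point per VM in the backup: one staged restore per machine.
$points = Get-VBRRestorePoint -Backup $backup |
    Group-Object -Property VmName |
    ForEach-Object { $_.Group | Sort-Object -Property CreationTime -Descending | Select-Object -First 1 }

# Start every restore asynchronously; VBR queues them against repository task slots.
# Secure Restore scans the disks with the YARA rule and aborts the recovery on a match,
# so a point that still carries the markers is reported instead of restored. The staged
# step boots the VM in the isolated lab and runs the cleanup script inside the guest
# before the VM is restored to the target host.
$sessions = foreach ($rp in $points) {
    Start-VBRRestoreVM -RestorePoint $rp -Server $target -Datastore $store `
        -VMName ("{0}-staged" -f $rp.VmName) `
        -EnableYARAScan -YARAScanRule "ransomware-markers.yar" -EnableEntireVolumeScan `
        -VirusDetectionAction AbortRecovery `
        -EnableStagedRestore -StagedRestoreVirtualLab $lab `
        -StagedRestoreScript "C:\Scripts\ad-cleanup.ps1" -StagedRestoreCredentials $creds `
        -Reason "Ransomware IR: staged cleanup before return to production" `
        -RunAsync
}

# Poll until every session has stopped, then list which restores the scan aborted.
while ($sessions | Where-Object { $_.State -ne "Stopped" }) {
    Start-Sleep -Seconds 60
    $sessions = $sessions | ForEach-Object { Get-VBRRestoreSession -Id $_.Id }
}
$sessions | Select-Object Name, State, Result | Format-Table -AutoSize
```

The session table is the overview Johnny asked for: aborted sessions mark the restore points the forensic team should examine through the Data Integration API before any cleanup is attempted.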
JLundgren
Service Provider

Re: Mass Recovery and forensics after virus.

Post by JLundgren »

Hello Dima,

Fortunately, we haven't suffered from a ransomware attack.

I just want to check if Veeam has a BP in this particular scenario:

Performing mass recovery on VMs after a hit.
Regards,

JLundgren