Malware detection, Ransomware Notice found

[d.artzen]

Hello together,

after we enabled the malware detection on our most important backups, we got several suspicious activities on some servers reported. Most of them we could identify as false positives, since these were simply files that use the same extensions as some malwares do. I defined exceptions for these files.
But on one of our servers it says "ransomware note". Now, the server is not encrypted, a virus scan did not show any infection and I don't see any kind of ransomware note on it. Sadly the VBR console does not show more details than this info, and the server is not shown in the VBR log file for the suspicious files, where I found all the others.
Can anyone tell me where I can possibly find more information on my system?

Thank you for your help
Best regards
Daniel

[HannesK]

Hello,
"ransomware note" found means that there is a text file somewhere on the machine that matches a ransomware note. It does not mean that there is any malware or encrypted data. The "ransomware notes" are found by the "inline scan" and not by the "in-guest index scan" (which was for the file name extension).

My understanding is, that C:\ProgramData\Veeam\Backup\Malware_Detection_Logs don't show anything. Did support already check the logs on how to find the file (a support case number would help to get an answer faster)?

Best regards,
Hannes

[d.artzen]

Hello Hannes,

under C:\ProgramData\Veeam\Backup\Malware_Detection_Logs I can only see the "suspicious files" logs for each day it found something and in these this server is not reported, which makes sense the way you explained it. I have not opened a case yet, I thought that there should be a log or better yet an information in the VBR console where the scan found this. Shouldn't this log location be documented somewhere? I don't think it's feasible to open a case just to locate this information.

Best regards
Daniel

[Dima P.]

Hello Daniel,

after we enabled the malware detection on our most important backups, we got several suspicious activities on some servers reported. Most of them we could identify as false positives, since these were simply files that use the same extensions as some malwares do. I defined exceptions for these files.

Can you please share the extensions that generated false-positive reports?

But on one of our servers it says "ransomware note". Now, the server is not encrypted, a virus scan did not show any infection and I don't see any kind of ransomware note on it. Sadly the VBR console does not show more details than this info, and the server is not shown in the VBR log file for the suspicious files, where I found all the others. Can anyone tell me where I can possibly find more information on my system?

Can you please share the details from the Malware detection event? Thank you in advance!

[d.artzen]

Hello Dima,

1. the extensions that were reported in our systems were: .cnc, .mal, .fun, .rose, .bip, .mvp, .delta, .fox, .ev and .bi. These files were found on our fileserver, on our CRM and on our software distribution system as either files that are generated by our applications or are part of the installations.
2. The details are a bit sparse to be honest. It just says "Detection source: Ransomware notice" and under Details it just says: "Potential malware activity detected".

Best regards
Daniel

[Dima P.]

Hello Daniel,

Thank you for the details, passed that to the Malware Detection team for a review. Regarding the malware note - indeed the exact location is currently not logged, we will note an improvement request. Thank you for your feedback!

[rogelio72]

Hello everyone, I got exactly the same alert. Has anyone got any update? I'd like to identify the file that is triggering the alert to see if it's a false positive.
Thanks!

[Dima P.]

Hello folks,

We plan to fine tune the reporting in this feature and provide a direct link to the logs where all the files in the questions are listed. Meanwhile you can review the logs for malware detection based on index scan in this location: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\

You can potentially use Scan backup with YARA rule aimed at searching onion links, this could help you to find the location of files which contains onion links (which is the case with ransomware notes).

Thank you!

[amtiskaw]

Hi Dima

I have the same issue. I don't see the C:\ProgramData\Veeam\Backup\Malware_Detection_Logs folder on either the VM or the Veeam server. Is there anywhere else it could be logging?

[Dima P.]

Hello amtiskaw,

Can you please share the text of the malware detection event? Screenshot will also work. Thank you!

[anthonymel82]

So, the use of a YARA scan to search the "Ransom Note" is locked behind a certain edition of Veeam? I get an error message when trying to scan a backup, mentioning it's not available in your Veeam Data Platform edition.

You need to include the file paths in these types of inline scans. I mean if it can produce an alert for the "Ransome Note", log its location.

[Dima P.]

Hello Anthony,

the use of a YARA scan to search the "Ransom Note" is locked behind a certain edition of Veeam? I get an error message when trying to scan a backup, mentioning it's not available in your Veeam Data Platform edition.

Yes, in order to use Yara engine you should have a Veeam Data Platform - Advanced edition of the license.

You need to include the file paths in these types of inline scans. I mean if it can produce an alert for the "Ransome Note", log its location.

Right now it's not possible to detect the actual location of the ransomware note because the analysis happens on the block level while the data is in transit, we are researching the possibility to provide this information in the upcoming versions. Thank you!

[sdv]

@Dima P.
According to Veeam's manual, Enterprise Plus edition should also be supporting full malware detection thus using YARA scans: https://helpcenter.veeam.com/docs/backu ... ml?ver=120

We have Enterprise Plus (VUL) and receive the same error message: "it's not available in your Veeam Data Platform edition."
Opened a case for this: 07056988

Perhaps there is a difference in Socketor VUL licenses (not mentioned in that specific guide part). Which makes it confusing.
https://www.veeam.com/veeam_data_platfo ... son_ds.pdf

[Dima P.]

Hello Stefan,

Enterprise Plus edition should also be supporting full malware detection thus using YARA scans: https://helpcenter.veeam.com/docs/backu ... ml?ver=120

That is inaccurate statement. Inline scan, index scan, Incident API, SureBackup Lite / SureBackup and Secure Restore with AV scan are available in ENT+ while Yara scan requires a higher licensing tier. I've asked technical writes team to correct this statement to avoid further confusion. Thank you!

[Gostev]

As an Analytics feature, YARA scan is only available in Veeam Data Platform Advanced Edition.
Or Veeam Essentials, which is basically Advanced edition limited to 50 licenses max.

Here's the official edition comparison (short version on a page and full version in the PDF).

[amtiskaw]

Hello amtiskaw,

Can you please share the text of the malware detection event? Screenshot will also work. Thank you!

Hi Dima
Apologies for the late reply. I've been on holiday.

[Gostev]

This event must be from the inline scan. "Ransomware note" detection source means that a known ransomware note text or an onion link was detected in one of the processed disk blocks. Please see here for more info > Inline Scan

@Dima P. could you ask Dev/QA what method or command is best used to search the content of all files on a production machine for ransomware text, as well as what specific text should be searched for? For example, I assume that the Search functionality of Windows Explorer should do the job?

[Dima P.]

This event is fired whenever we detect either Clop-alike ransomware text or whenever we detect an onion link in the text files. Big chances this event was raised by the onion link, so I suggest looking for the text .onion

How to search for such text:

1. You may use Yara scan to look for the onion links pattern.

2. You can use a built-in tool like FINDSTR to search for a text within a specific file type. The usage is quite simple:
- Run cmd as admin
- CD to the desired volume

Code: Select all

cd C:\

- Start FINDSTR to look across all *.txt files for onion text, and thanks to /S switch that includes all the subfolders.

Code: Select all

FINDSTR /S /C:".onion" *.txt

[dali@iae.nl]

I have the same issue. I don't see the C:\ProgramData\Veeam\Backup\Malware_Detection_Logs folder on either the VM or the Veeam server. Is there anywhere else it could be logging?

I also cannot find the Malware_Detection_Logs.
Is it on the backup server, proxy or other and when will it be created. Have several Malware and Encrypted data but cannot find any logs of it.

[Dima P.]

Hello Da Li,

Logs with file locations are available only for events based on guest file indexing analysis. It's not possible to detect what exact files are affected because inline detection is performed on a block level while disk image data is in transit.

If you got a malware detection event caused by ransomware note, onion links or encrypted data you can mount the backup in the question and investigate it's content (i.e. scan with AV, YARA rule or even with some basic cmd utilities). Thank you!

[stewsie]

You may use Yara scan to look for the onion links pattern

Does anyone have a YARA rule created to look for this?

Thanks

[Gostev]

Just Google "yara rule for onion links", first result.

[Dima P.]

Hello Paul,

Here's a sample YARA rule to look for onion links. You can use it with SureBackup or with ScanBackup to test the restore point that raised 'Ransomware note' event.

1. Create a yar file format, for example: OnionLinks.yar
2. Save the code below inside the file
3. Place it to C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules location at your B&R server
4. The rule should be visible in the YARA scan UI and you can use it within Secure Restore, SureBackup and ScanBackup

Code: Select all

rule OnionLinks
{
    meta:
        description = "Onion link"

    strings:
        $onion_link = /\b([a-z2-7]{56}.onion)\b/i

    condition:
        $onion_link
}

[dali@iae.nl]

OK, set the file indexing on and now can find the C:\ProgramData\Veeam\Backup\Malware_Detection_Logs on the VBR with in it the file locations of the suspicous files. Great.
With that information I go to the server and do a powershell "get-filehash <filename>" which give the hash of the file. And search this hash on https://www.virustotal.com/gui/home/search to see if it is really or false positive.

But if encrypted files found this is not in the logs.
Tried to find the encrypted file on the effected VM with the command "cipher /u /n" but nothing found.
Other options how to find the encrypted files which Veeam alerts?

[stewsie]

For a couple of jobs with indexing turned on I cannot find C:\ProgramData\Veeam\Backup\Malware_Detection_Logs on the VBR server

We changed our log file location years ago and in that location is Malware_Detection_Logs but it is empty

[Dima P.]

Da Li, will discuss with RnD team if there is a good way to find the encrypted file locations with external tools stay tuned.

Paul, please raise a support case and share your case ID, meanwhile I'll ask QA team to take a look at this issue. Thank you in advance!

[stewsie]

Also I am completely confused and maybe if anyone from Veeam wants to step in that would be great

I raised a support call to investigate this Ransomware note finding and the job also has indexing enabled. When Malware is detected n the same report it states

24/01/2024 22:18:08 Succeeded [24/01/2024 22:06:00] Guest file system index has been analyzed: No suspicious file system activity or known malware files detected

Why is this happening? I have been told multiple times that SuspiciousFiles.xml contains the reason for the backup being marked as having Malware. To me this file is just a list of files that Veeam checks for. I can find no mention of any server name that has been reported as having Malware

The Veeam documentation regarding this file states

Download the latest SuspiciousFiles.xml using a machine with internet access.
Transfer the file to the Veeam Backup Server.
Replace the existing SuspiciousFiles.xml found in:
C:\Program Files\Veeam\Backup and Replication\Backup\
Restart the Veeam Data Analyzer Service.

So to me this file has no relevance at all to this investigation or am I just very confused?

Support call is 07104719

[Dima P.]

Paul,

Thank you for the case ID!

I raised a support call to investigate this Ransomware note finding and the job also has indexing enabled. When Malware is detected n the same report it states

'Ransomware note' event is created by inline scan engine while guest file indexing analysis is different engine. With guest file indexing analysis you can pinpoint the exact location of the suspicious file because we analyze the file index where we have the list of file names and extensions.

Inline scan analyzes binary data in flight while it's being transferred via backup proxy, so it's not possible to say the exact location of the onion link, ransomware note or encrypted data easily and post detection analysis of the file system is required. You can scan the machine with AV or search for onion links with the workarounds provided in this thread too (YARA or command line utilities can help).

Inline scan and guest file indexing analysis are independent checks and raise their own malware events. The dedicated chapter is here, please take a look for more details.

I have been told multiple times that SuspiciousFiles.xml contains the reason for the backup being marked as having Malware. To me this file is just a list of files that Veeam checks for. I can find no mention of any server name that has been reported as having Malware

SuspiciousFiles.xml contains the list of files and extensions that we look for during the guest file indexing analysis it has no effect on Inline scan engine. Thank you!

[stewsie]

SuspiciousFiles.xml contains the list of files and extensions that we look for during the guest file indexing analysis it has no effect on Inline scan engine. Thank you!

And this is exactly my point and what I was trying to get the engineer to understand

My response to the engineer's response at the bottom

To my untrained eye this file just contains a list of what looks like files to look for and is updated by Veeam. I can find no mention of any servers where Malware has been reported

Yes, the file will contain information regarding what files were identified as malware and where they are.

This file was driving me crazy. I was sure I understood the purpose

Managing List of Suspicious Files and Extensions
To keep the list of suspicious files and extensions up-to-date, select the Update malware definitions automatically check box. If the option is enabled, Veeam Backup & Replication will communicate with the Veeam Update Server (vbr.butler.veeam.com) daily and download the latest version of the SuspiciousFiles.xml file. The Veeam Data Analyzer service checks the file for updates once a day at 12:00 AM.

Anyway we appear to have moved on, finally. We are unsure at the moment the value of enabling the Inline scan and will review the use of it

Thanks

[stewsie]

Also how can YARA rules be used to scan Linux VM backups? The Scan option is only available for Windows VM backups