Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked

[esa.riikonen]

Hi,
I have worked with environment were hackers encrypted customers servers with Windows build-in bitlocker and hide key
VM Backups taken as VmWare level: So all backup data also encrypted.

Looks this is quite rising hacking method

I just tested how Veeam 12.1.1 detect about Bitlocker encrypted VM:
1. Full backup and several increment took from test vm.
-> last increment shows about 800MB read
2. Enable Bitlocker and wait full disk encrypted
3. New incremental backup
-> Veeam shows now full 90GB boot disk read

No any warning about disk changed to encrypted volue/Disk
Also next mail about Malware Detection report shows 0
Veeam ENT+ used

I opened a support case and got an answer:

BitLocker is a legitimate encryption tool developed by Microsoft to protect data stored on Windows computers. It's intended to enhance security by encrypting entire disk volumes, preventing unauthorized access to data in case the device falls into the wrong hands. It's a proactive security measure rather than a malicious attack like ransomware. Thus, it's expected that Veeam does not identify it as ransomware.

From customer side, they sees disks as unawailable enrypted disks, no matter how they are encrypted !!!!

[Gostev]

Hi, this is currently by design.

Our inline encryption detection feature is specifically designed to detect malicious encryption by malware. The proprietary ML model this feature uses is specifically trained on different types of malware-produced encryption.

Further, many of of our customers use Bitlocker encryption heavily on production machines. At Veeam, Bitlocker is the requirement for ALL machines. Flagging Bitlocker encryption in VBR would mean flagging every backup of every machine every time.

Thanks

[esa.riikonen]

1. Using bitlocker is not very common.
-> It do not protect agaist ramsonware
-> It makes unable to restore individual files most cases
-> It makes Backup data much bigger
2. Bitlocker is very efficience tool for todays hackers espesially if ramsonware detecting software (Veeam) do not detect this as data mess attackt
-> there are several ways to enable bitlocker Powershell, AD-group policy etc, no need get special software injected to server environment.
-> hackers can enable bitloker and actually lock the filesystem after several moth to verify all backupdata is also encrypted.

Veeam bring new feature to compare changes about backdata to detect possible encryption attack
If someone (known or unknown) enabled Bitlocker on server, would it be at least nice to get a note: "looks new backup data have all changed compared previous backup. Is this expected ?"

It is not a big deal to create a buttom: "detect all kind enclryption chages": enable/disable

If you google about "hacker uses windows bitlocker" you will get several examples....
Repeating myself: Personally I have see environment destroyed with MS Bitlocker, ½ year backups also......

[Gostev]

Thank you for your feedback.

[mikeely]

Perhaps a simpler suggestion: similar to "VM abc.def is no longer in this backup" you could perhaps add a similar message for a similar period of time saying "VM ghi.jkl has enabled Bitlocker encryption"

[SnakeSK]

Veeam definetly is able to detect FVE maps in system volume information, this should really generate a warning and error in VOne, as it could be used maliciously