-
- Expert
- Posts: 183
- Liked: 29 times
- Joined: Feb 23, 2017 10:26 pm
Backups, Encryption, and Ransomware
Once again we're hearing about hackers encrypting local hard drives AND backup files. Are there Veeam best practices regarding how to protect backup files from getting hacked (in all ways, including ransomware)? I mean, of course there is a best practice out there...but my search skills have fallen short. Thanks!
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Backups, Encryption, and Ransomware
The best practice is to have an "air-gapped" (offline) copy of your backups. These can be on tape or rotated hard drives, for example.
-
- Expert
- Posts: 183
- Liked: 29 times
- Joined: Feb 23, 2017 10:26 pm
Re: Backups, Encryption, and Ransomware
Hmm...well, we have too much data to back up to tape every night.
So is the other solution to shut down the repository where our backup copy jobs reside? And then power it up when it's time to run those jobs?
What about encryption: if we encrypt our backup copy jobs (and GFS archives), can they be re-encrypted by ransomware?
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
Re: Backups, Encryption, and Ransomware
This topic has been discussed several times on these forums, so, kindly, check threads talking about ransomware, air-gapped backup and specific solutions.
I'm not sure about your second question, though - backup file encryption does not prevent ransomware from encrypting files again.
Thanks!
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Backups, Encryption, and Ransomware
Indeed, there are tons of existing topics with creative solutions. For example, I remember someone putting their router used to connect the backup target on a smart power switch, and powering it on only when necessary.
However, it is important to realize that none of those solutions are bulletproof. Ransomware will often let a hacker into the environment as well, and a smart hacker will carefully study what you're doing with your backups before executing the attack. I mean, it's trivial to open the Veeam UI and review all backup targets, look at the job schedule and figure out when the backup target will go online.
So if you need a bulletproof solution to protect your on-prem backup files, then you really want an "air-gapped" (offline) copy of your backups. Everything else is half-measures.
And if you want something fully automated, then you could also consider making copies of your backups to S3 object storage that supports immutability (v10 feature). However, this will obviously require additional investments in acquiring such storage.
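An added example, not part of the post above and not Veeam code: a check that objects in an immutable S3 copy are actually locked for as long as you need them. The field names `ObjectLockMode` and `ObjectLockRetainUntilDate` are those of an S3 HeadObject response; the object keys, dates and the 14-day window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone


def audit_object_lock(objects, now, required_days):
    """Return {key: [problems]} for objects not immutable for required_days.

    `objects` maps an object key to a dict shaped like an S3 HeadObject
    response (only the two Object Lock fields are read).
    """
    must_hold_until = now + timedelta(days=required_days)
    findings = {}
    for key, meta in objects.items():
        problems = []
        mode = meta.get("ObjectLockMode")
        until = meta.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            problems.append("no retention set: object can be overwritten or deleted")
        else:
            if mode == "GOVERNANCE":
                # Governance mode is only as strong as the IAM policy around it.
                problems.append("GOVERNANCE mode: a principal holding "
                                "s3:BypassGovernanceRetention can lift the lock")
            if until < must_hold_until:
                problems.append(f"lock expires {until:%Y-%m-%d}, "
                                f"needed until {must_hold_until:%Y-%m-%d}")
        if problems:
            findings[key] = problems
    return findings


# Constructed sample metadata (hypothetical keys and dates).
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
SAMPLE = {
    "copy/a": {"ObjectLockMode": "COMPLIANCE",
               "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    "copy/b": {"ObjectLockMode": "COMPLIANCE",
               "ObjectLockRetainUntilDate": NOW + timedelta(days=3)},
    "copy/c": {"ObjectLockMode": "GOVERNANCE",
               "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    "copy/d": {},  # uploaded without any Object Lock retention
}

if __name__ == "__main__":
    for key, problems in audit_object_lock(SAMPLE, NOW, 14).items():
        for p in problems:
            print(f"{key}: {p}")
```

In a real audit the metadata would come from a HeadObject call per object version, made with read-only credentials that are separate from the backup server's.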
-
- Veteran
- Posts: 643
- Liked: 312 times
- Joined: Aug 04, 2019 2:57 pm
- Full Name: Harvey
Re: Backups, Encryption, and Ransomware
Hey bhagen,
Software solutions will never protect you from ransomware.
You need to physically separate the backups somehow. I've had many clients running software "ransomware prevention" which more or less just is a whitelist for accounts/processes to access the backups, and the attackers just added their compromised account to the list/processes, or just turned the service off after doing some System elevation trick.
For your question on encryption, the ransomware can just encrypt right on top of the already encrypted files. Plus, if they get access, they prolly get access to Veeam also, so they can just delete from Veeam which won't care about its own encryption.
I would revisit tape now that you can actually get LTO8 tapes -- 360 MB/s is pretty darn fast to move data.
But, just disconnecting your repo physically is also a fine solution. I've seen it discussed here -- not really found a foolproof way of automating this, but I seem to recall some switches or something where you literally just press a button and the network is disconnected.
Check out the hardening guide on veeambp.com (it's pretty handy if you read it and follow the instructions), and find a way to air gap your backups. True air gap, no short cuts.