dimitar.stoyanov
Certified Trainer
Posts: 23
Liked: 2 times
Joined: Jan 06, 2014 2:25 pm
Full Name: Dimitar Stoyanov
Contact:

Feature Request: Custom extension for Ransomware protect

Post by dimitar.stoyanov »

Hello Team,

I was thinking about ransomware and that it becomes more intelligent every time, and we know that now it can search for the most popular backup extensions and infect/encrypt/delete them.
So what if there were an option for the admin in every environment to set custom extensions for Veeam's backups?
In the Global settings menu, or maybe at the Repository level, to set .vbk="ndbfbkp"; .vrb="ndbibkp"; .vib="ndbrbkp" and so on...
I don't know how hard this is to implement and whether it is worth it. I am sure there are some issues that you have to think about, but this is just an idea for one more thing that we can do to challenge the bad guys :)

Regards,
Dimitar
soncscy
Veteran
Posts: 643
Liked: 312 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey
Contact:

Re: Feature Request: Custom extension for Ransomware protect

Post by soncscy » 4 people like this post

Heya Dimitar,

I have heard this idea a few times, but it's really not effective.

Modern ransomware attacks aren't one-off headless attacks; attackers get privileged access and "sit" in an environment for weeks, sometimes months. They map out the environment and figure out exactly what pressure points they need to hit in order to ensure that the ransom is paid. Remember, if there is __any__ outlet for the victim, the ransomware is ineffective.

The actual extension doesn't matter; it really doesn't. Just find the target folder, call it a day. Furthermore, anything that your service account for __any__ application can see, so can an attacker with a privileged account. Since the service accounts by definition must have some transparency for the files in order to know how to actually perform their normal activities, once a privileged account is overtaken, the attackers will have the same knowledge that the service accounts have.

It's a nice idea in theory, but it just is not how modern ransomware attacks work in most cases. When encrypting the first 10 kilobytes of a file is basically a free and easy operation on any modern CPU, it's very simple to just do it to __every non-system file__ on a given machine.

Think like an attacker; if I'm not sure if a file is vital or not, why waste time with risk? Just encrypt it and send the threat anyways -- encrypting too many files isn't a problem for me. Not encrypting enough is.

So it's a cute idea, but it's mostly security theatre.

Instead, invest in air-gapped backups. It's truly the only way to be sure. They cannot encrypt/delete what they cannot physically reach.
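The point made in this reply, that the file extension carries no protection and that only something the attacker cannot reach does, can be illustrated on the defender's side with a content-based integrity check. The script below is an added example and is not code from the post's author or from Veeam. It hashes every file in a backup directory regardless of its extension, records the result in a manifest, and on re-verification reports files that were modified (even if only their first 10 KiB changed), deleted, or added. All file names, the made-up extensions taken from the feature request, and the simulated damage in `demo()` are constructed for the example.

```python
"""Content-based integrity check for a backup repository (constructed example)."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read size


def file_digest(path: Path) -> str:
    """SHA-256 of a file's full contents, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its digest.
    The extension is irrelevant: every file is hashed the same way."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_repository(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the repository's current state against a trusted manifest.
    Returns which files were modified, which are missing and which appeared."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a throwaway repository, record a manifest, simulate damage, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed backup files using the renamed extensions from the feature request.
        (root / "job1.ndbfbkp").write_bytes(b"F" * 100_000)
        (root / "job1.ndbibkp").write_bytes(b"I" * 50_000)
        (root / "job1.ndbrbkp").write_bytes(b"R" * 20_000)
        manifest = build_manifest(root)  # in practice stored offline or on immutable storage

        # Simulated damage: first 10 KiB of the full backup overwritten with random bytes,
        # the incremental deleted, and a stray file that was never part of the backup set.
        with (root / "job1.ndbfbkp").open("r+b") as f:
            f.write(os.urandom(10 * 1024))
        (root / "job1.ndbibkp").unlink()
        (root / "stray.txt").write_bytes(b"not part of the backup set")

        return verify_repository(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The check only has value if the manifest lives somewhere the compromised service account cannot write to (offline media, immutable object storage, or a separate signing host), for exactly the reason given in the reply: whatever the backup service can see and change, an attacker holding its privileges can see and change too.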
dimitar.stoyanov
Certified Trainer
Posts: 23
Liked: 2 times
Joined: Jan 06, 2014 2:25 pm
Full Name: Dimitar Stoyanov
Contact:

Re: Feature Request: Custom extension for Ransomware protect

Post by dimitar.stoyanov »

Hi Harvey,

Thank you for your time and for your opinion. I agree with everything you said, especially about air-gapped backups!

And probably the attacker's thinking is as you describe: it is better to encrypt more than not enough.

I am thinking of this feature not as a game changer but just as a small step. For the most intelligent versions of ransomware, this alone will not be enough to protect the environment, but for some of them it may make things more difficult.
As with, for example, a MAC filter for network security: it can be overcome and you cannot rely only on it, but it is part of the security features and in some cases it does a good job.
Also, in the future I believe we will have to deal with different threats, and the more flexible we are, the better.

Cheers! :)