New ransomware that targets backups. Are we susceptible?


Re: New ransomware that targets backups. Are we susceptible

by dellock6 » Wed Mar 02, 2016 11:08 am

He probably means getting away from having to manage tapes, and let AWS do the management. There are many speculations about what Glacier is using, but as in any cloud service, as long as SLAs are not broken, who cares?

PS: Facebook is using Blu-ray XL for example, there are some pretty neat technologies available when you reach those sizes...
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 5066
Liked: 1342 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca

[MERGED] : Ransomware Prevention – READ ONLY backup files

by Unison » Tue Mar 22, 2016 2:03 am

Hi all,
Wanted to check if this is something that others are doing as an added layer of protection for their ‘online’ Veeam backup images...

Do you set the ‘READ ONLY’ permission on your Veeam backup files (i.e. right click the folder holding the backup files and tick the ‘read only’ option at the bottom to propagate that to all the backup files within)?
And has anyone tested if this has any impact in stopping ransomware encrypting files – an isolated lab where you have set READ ONLY and then executed some ransomware under a privileged account to see if it gets around the ‘READ ONLY’ permission on the backup files?

We hold our Veeam images off site in another location and rotate drives to keep them protected – as well as doing replication to a different host/storage... but I wanted to see if setting the READ ONLY permission on the Veeam backup files is worth doing and adds a road block for ransomware trying to encrypt backup files.
Unison
Enthusiast
 
Posts: 80
Liked: 16 times
Joined: Fri Feb 17, 2012 6:02 am
Full Name: Gav

Re: New ransomware that targets backups. Are we susceptible

by v.Eremin » Tue Mar 22, 2016 8:59 am (1 person likes this post)

You seem to have implemented already the best protection against ransomware - offsite copies stored on tapes (or sort of tapes in your case). Only such scenarios do guarantee that ransomware would not be able to access backup data anyhow. Thanks.
v.Eremin
Veeam Software
 
Posts: 13433
Liked: 987 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

[MERGED] : Ransomware. Backup repositories OFFLINE.

by ebeltran » Mon Apr 11, 2016 8:48 am

Hello:

In our organization we are concerned about the proliferation of viruses: Ransomware, Cryptoware, etc.

We are concerned that the virus affects Veeam Backup repositories and spoils backups.

At the moment the only solution we are seeing as "definitive" is:
1. Make copies to a device and once the backup is complete put the device OFFLINE.
2. Have multiple devices and do a rotation.

Can anyone recommend a brand and model of suitable devices for "Media Rotation" and putting OFFLINE?

Can anyone comment on their strategy to prevent Ransomware from affecting Veeam Backup repositories?

Thank you very much.
A greeting.
ebeltran
Novice
 
Posts: 5
Liked: never
Joined: Sat Jan 04, 2014 9:03 pm

Re: New ransomware that targets backups. Are we susceptible

by v.Eremin » Mon Apr 11, 2016 11:27 am (1 person likes this post)

You seem to have followed the general ransomware protection concepts quite well in the described scenario. If possible, we'd recommend usage of tapes (as pure read-only target).

Other considerations are provided above; might be worth reviewing.

Thanks.
v.Eremin
Veeam Software
 
Posts: 13433
Liked: 987 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: New ransomware that targets backups. Are we susceptible

by PTide » Tue Apr 12, 2016 11:02 am

"Can anyone recommend a brand and model of suitable devices for "Media Rotation" and putting OFFLINE?"
If you don't want to use tapes you can stick with an RDX storage. Please review this thread for more info on compatibility.

Thank you.
PTide
Veeam Software
 
Posts: 3079
Liked: 252 times
Joined: Tue May 19, 2015 1:46 pm

[MERGED] Veeam server best practice to prevent Cryptolocker

by albertwt » Mon Jul 18, 2016 12:46 pm

People,

Can anyone here share some comments and suggestions that can be used to harden the security of the Veeam Backup server, Veeam Repository server and Veeam Proxy server against Cryptolocker?

So far I have installed antivirus on all of my servers and I'm not sure what else I can implement to protect against Cryptolocker.

Any help would be greatly appreciated.

Thanks,
--
/* Veeam software enthusiast user & supporter ! */
albertwt
Expert
 
Posts: 609
Liked: 19 times
Joined: Thu Nov 05, 2009 12:24 pm
Location: Sydney, NSW

Re: Veeam server best practice to prevent Cryptolocker?

by mkretzer » Mon Jul 18, 2016 1:27 pm (1 person likes this post)

I wonder the same thing. Especially, can we disable file and printer sharing at least on the central Veeam node? As far as I know Veeam uses that service...
mkretzer
Expert
 
Posts: 330
Liked: 74 times
Joined: Thu Dec 17, 2015 7:17 am

Re: New ransomware that targets backups. Are we susceptible

by v.Eremin » Mon Jul 18, 2016 1:36 pm

Your post has been merged into existing discussion.

General protection concepts have been provided above.

Thanks.
v.Eremin
Veeam Software
 
Posts: 13433
Liked: 987 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: New ransomware that targets backups. Are we susceptible

by meggerz » Thu Aug 25, 2016 7:27 pm

1. Any separate storage device that is not directly write-accessible from compromised servers by industry-standard protocols (SMB, NFS) is "good enough" protection from CryptoLocker. But the storage device should use its own set of credentials (not from local directory, and not local accounts of the storage device).


I know this post is a bit dead but hoping to revive it and get some comments on what this actually means :) It's from post #2 from Gustavo. I don't have my NAS joined to my domain, so why would one "not use local accounts of the storage device"? I have them configured as Veeam credentials for the SMB share I am using as a repository target for backup jobs.

Seems to me my options for authenticating are:
1 - Use local accounts (which I'm doing)
2 - Join my NAS to my AD domain (no thanks!!)
or 3 - Set up a separate LDAP server to authenticate my NAS only
meggerz
Lurker
 
Posts: 1
Liked: never
Joined: Thu Aug 25, 2016 7:10 pm
Full Name: Megan Gee

Re: New ransomware that targets backups. Are we susceptible

by slos » Sun Aug 28, 2016 1:12 am

He’s attempting to describe an ‘Air Gap’ that Cryptolocker cannot cross. In my experience to date, Crypto has the ability only to attack Lettered Drives [Local Disc, Mapped Drive]; a UNC pathed-shared-folder-SMB-Repository would hypothetically be immune to crypto as it is unreachable. As UNC paths can be mapped as a lettered drive [making the files reachable], the second half of the statement is to say that security permissions on the share be provided by a source outside of the local directory, a local account perhaps. This is noted as Crypto utilizes the AD/local credentials of the infected user to read from the drives, write the newly encrypted file, and/or other actions as programmed.

‘Good Enough’ is subjective; although Gostev’s statement to use tape is valid. As I would like to shake the hand of the Crypto Developer who is able to encrypt Read Only tape stored in a safe deposit box a few miles from my production facility.
VMCE, MCSE
slos
Influencer
 
Posts: 14
Liked: never
Joined: Tue Jan 21, 2014 3:53 am
Full Name: Steven Los

Re: New ransomware that targets backups. Are we susceptible

by zoltank » Thu Jan 05, 2017 2:09 pm

What about removing all permissions to the repository except for the Veeam account?
zoltank
Expert
 
Posts: 210
Liked: 29 times
Joined: Fri Feb 18, 2011 5:01 pm

Re: New ransomware that targets backups. Are we susceptible

by WRS2200 » Tue Jan 24, 2017 8:08 pm

Thanks for the great information! This will help us make sure our clients are protected against this type of threat.
WRS2200
Enthusiast
 
Posts: 28
Liked: 3 times
Joined: Thu Aug 06, 2015 8:21 pm
Full Name: Weston Strom

Re: New ransomware that targets backups. Are we susceptible

by MOBO » Wed Jan 25, 2017 5:56 am

What is the general thought about configuring FSRM File Screen Manager on the repository server to stop ransomware?
I am running all Windows Server so I have been thinking about just setting up FSRM to only allow VBK, VIB, VRB and VBM on the data drive.
MOBO
Influencer
 
Posts: 12
Liked: 2 times
Joined: Sat Jan 24, 2015 7:26 am
Full Name: Morten Boegeskov

Re: New ransomware that targets backups. Are we susceptible

by Delo123 » Mon Feb 13, 2017 8:46 am

Hi Mobo,

This should work on non dedup volumes. Be sure to set to warn first before you really deny access and monitor for a while.
I was thinking Veeam could also keep locking backup files to make sure no other tool can modify the files, but maybe that goes a bit too far...
Delo123
Expert
 
Posts: 351
Liked: 101 times
Joined: Fri Dec 28, 2012 5:20 pm
Full Name: Guido Meijers
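
The FSRM approach from the last two posts, as an added example that is not part of the original thread and is not Veeam's own code: an allow-list file screen created in passive (warn-only) mode, to be switched to active only after monitoring. The repository path, file group name and event text are assumptions; the four extensions are the ones MOBO names, and Delo123's caveat about dedup volumes still applies.

```powershell
# Added example: FSRM allow-list screen for a backup repository folder.
# Needs the File Server Resource Manager role service and its PowerShell module:
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

$RepoPath  = 'D:\VeeamRepo'                      # assumed repository folder
$GroupName = 'Not a Veeam backup file'           # assumed file group name
$Allowed   = '*.vbk', '*.vib', '*.vrb', '*.vbm'  # extensions named in the thread

# FSRM file screens are block lists. To allow-list, match every file name
# and exclude the backup file types from the match.
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern '*' `
        -ExcludePattern $Allowed | Out-Null
}

# Write an Application event log entry for every match.
# The bracketed names are FSRM notification variables, expanded by FSRM.
$Body  = 'User [Source Io Owner] wrote [Source File Path], which is not ' +
         'an allowed backup file type under [File Screen Path].'
$Event = New-FsrmAction -Type Event -EventType Warning -Body $Body

# Create the screen in passive mode: writes still succeed, but are logged.
if (-not (Get-FsrmFileScreen -Path $RepoPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $RepoPath -IncludeGroup $GroupName `
        -Notification $Event -Active:$false | Out-Null
}

# Monitoring step: list what the passive screen has logged so far.
# Any file type that backup jobs legitimately write and that is missing
# from $Allowed shows up here and must be added before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$RepoPath*" } |
    Select-Object TimeCreated, Message

# After a clean monitoring period, enforce the screen (blocks the write):
# Set-FsrmFileScreen -Path $RepoPath -Active
```

A file screen filters by file name only, so it stops new files with other extensions from being created but does not stop a process from overwriting an existing .vbk in place.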
