New ransomware that targets backups. Are we susceptible?

by kjstech » Tue Feb 23, 2016 2:54 pm 1 person likes this post

We are on a security mailing listserv and received the following horrible news about a piece of malware that not only encrypts files, but seeks out and encrypts backups as well. Here is the initial copy of the alert:

------

A FBI FLASH Alert related to businesses infected with a ransomware variant known as MSIL/Samas.A has been posted to the InfraGard system.

Summary
The threat of ransomware continues to grow due to the relative availability of necessary tools, as well as the potential for extorting large sums of money. Modern ransomware uses strong encryption to render victims files unreadable until the attackers are paid, often in Bitcoin, and release the encryption keys. In a new scheme, cyber criminals attempt to infect whole networks with ransomware and use persistent access to locate and delete network backups.


------


What are some best air-gapped backup practices to keep our Veeam backups protected from such a dire situation? In the listserv, some people were responding that after they backup to disk, they backup to tape, in which the tape ejects after the backup is written to it. Or another poster copies their backup to external usb storage which is unplugged as soon as the job completes.

We use an Exagrid appliance that takes advantage of the Exagrid accelerated data mover. There is a username and password defined in both the Exagrid and in Veeam. I would imagine that the only way to access the Veeam backups would be if Veeam or one of its proxies themselves would become affected. We have two servers that have two NICs to access Exagrid. Exagrid is on our 10.250 storage switch (10GbE) along with storage interfaces of VMware and an NFS-backed EMC VNX 5200. These two Veeam proxies have a NIC in our standard production LAN, and a second NIC in this storage LAN. Nothing else has access except a physical domain controller that uses this transport (10.250) subnet for "Windows Server Backup" to a utility share on Exagrid.

Is this enough protection? Is my CIO just a little over cautious on this one? I don't think you can be too careful now that the crooks out there are getting tougher. Microsoft states that Ransomware:MSIL/Samas.A is severe. The malware is dropped in the <system folder> as samsam.exe with a key <ComputerName>_PublicKey.xml which is used to encrypt the file in the system. We already blocked exe's by the name of samsam.exe with our AV software, and we created an alert in our ObserveIT application to email an alert if a process runs in this name.
kjstech
Expert
 
Posts: 142
Liked: 14 times
Joined: Fri Jan 17, 2014 4:12 pm
Full Name: Keith S
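The two indicators kjstech describes (a process or dropped file named samsam.exe, and a per-machine `<ComputerName>_PublicKey.xml` key file) are easy to turn into a detection rule that runs over endpoint telemetry, rather than relying on a process-name alert in one product. The following is an added example, not code from the thread or from Veeam, ObserveIT or any vendor: it parses a constructed, simplified key=value event log (the log lines, host names and paths are made up for the example) and flags both indicators, matching the key file against the event's own host name so that an unrelated `*_PublicKey.xml` on another machine is not a false positive.

```python
import re

# Constructed sample telemetry for this example (not real logs from the thread):
# one process_start / file_create event per line, space-separated key=value fields.
SAMPLE_LOG = r"""
2016-02-23T14:02:11Z host=FS01 type=process_start image=C:\Windows\System32\svchost.exe user=SYSTEM
2016-02-23T14:02:15Z host=FS01 type=file_create path=C:\Windows\System32\samsam.exe user=FS01\Administrator
2016-02-23T14:02:16Z host=FS01 type=file_create path=C:\Windows\System32\FS01_PublicKey.xml user=FS01\Administrator
2016-02-23T14:02:18Z host=FS01 type=process_start image=C:\Windows\System32\samsam.exe user=FS01\Administrator
2016-02-23T14:05:40Z host=WS22 type=process_start image=C:\Program Files\Example Vendor\backupagent.exe user=SYSTEM
2016-02-23T14:06:01Z host=WS22 type=file_create path=C:\Users\bob\Documents\notes_PublicKey.xml user=CORP\bob
"""

# key=value pairs; a value runs until the next " key=" or the end of the line,
# so paths containing spaces ("Program Files") stay intact
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\s*$)")


def parse_event(line):
    """Split one log line into a dict of fields (timestamp stored under 'ts')."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(log_text):
    """Return (timestamp, host, reason, path) for every event matching the
    samsam.exe / <ComputerName>_PublicKey.xml indicators from the alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        host = ev.get("host", "")
        target = ev.get("image") or ev.get("path") or ""
        name = basename(target).lower()
        if ev.get("type") == "process_start" and name == "samsam.exe":
            alerts.append((ev["ts"], host, "samsam.exe started", target))
        elif ev.get("type") == "file_create":
            if name == "samsam.exe":
                alerts.append((ev["ts"], host, "samsam.exe dropped", target))
            # the key file is named after the machine, so compare against this event's host
            elif name == f"{host.lower()}_publickey.xml":
                alerts.append((ev["ts"], host, "per-host public key file written", target))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed log it raises three alerts, all for FS01, and stays quiet for `notes_PublicKey.xml` on WS22. Name-based rules like this are cheap to evade by renaming the binary, so they belong alongside the offline-copy advice later in the thread rather than in place of it.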

Re: New ransomware that targets backups. Are we susceptible

by Gostev » Tue Feb 23, 2016 3:47 pm 2 people like this post

Well, what is "enough" protection for one company may not be nearly enough for another... it all depends on the amount of money at stake behind the data you are protecting. But here are some general recommendations:

1. Any separate storage device that is not directly write-accessible from compromised servers by industry-standard protocols (SMB, NFS) is "good enough" protection from CryptoLocker. But the storage device should use its own set of credentials (not from local directory, and not local accounts of the storage device). Additionally, you want that storage device located off-site. Cloud Connect service provider is ideal for this, and we actually have a recent success story posted on this forum where Cloud Connect saved the user from CryptoLocker.

2. I personally always recommend using tape whenever possible as the last line of defense, even if it is just a monthly export. Tape is true read-only storage that is also much more reliable than disk. I have seen tape backups save companies from the worst disasters so many times... and I have also seen every line of a comprehensive disk-based protection strategy fail miserably, leaving users with unrecoverable data loss.
Gostev
Veeam Software
 
Posts: 21596
Liked: 2401 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: New ransomware that targets backups. Are we susceptible

by Gostev » Tue Feb 23, 2016 3:57 pm

Even more importantly, don't get too obsessed about CryptoLocker specifically. An upset employee deleting all your production data and backups is just as likely, really. Storage-level corruption, fire, flood (including beer spill ;)) are also way more common than most think they are. So, always consider all threats to your data; don't get hung up on specific ones. And looking at the bigger picture, you will see that the only way to truly protect yourself from all threats is to have a read-only backup copy in a secure location off-site. All other solutions are a cost/risk compromise.
Gostev
Veeam Software
 
Posts: 21596
Liked: 2401 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: New ransomware that targets backups. Are we susceptible

by dellock6 » Tue Feb 23, 2016 4:00 pm

Off site AND off line.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 5136
Liked: 1375 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca

Re: New ransomware that targets backups. Are we susceptible

by infused » Tue Feb 23, 2016 11:18 pm

Off-site is the best bet. For customers not on our infrastructure, we replicate using ShadowProtect, for this very reason.
http://www.infused.co.nz - My Blog.
infused
Enthusiast
 
Posts: 96
Liked: 4 times
Joined: Sat Apr 20, 2013 9:25 am
Full Name: Hayden Kirk

Re: New ransomware that targets backups. Are we susceptible

by rreed » Wed Feb 24, 2016 2:07 am 2 people like this post

Gostev wrote: 2. I personally always recommend using tape whenever possible as the last line of defense, even if it is just a monthly export. Tape is true read-only storage that is also much more reliable than disk. I have seen tape backups save companies from the worst disasters so many times... and I have also seen every line of a comprehensive disk-based protection strategy fail miserably, leaving users with unrecoverable data loss.

Having walked into my current position where the company had already invested in dedupe devices and pretty much already abandoned their old tape library, I recommended they buy into a new library to augment their dedupe storage that, at best, had about 30 days' worth of storage, and give us monthly/quarterly/yearly archives, as well as permanent storage for decommissioned VMs. We got into one for relatively cheap and they said why not. One external audit later, the auditors gave us an atta-boy for having the tape storage, citing things like the crypto-locker that will sit dormant for 3-6 months before waking up and wiping out backups. Well beyond our ~30 days. Having tape backup would get you back to at least *something*, even if it might be a month old, or however old depending upon how often you write to tape. So, again, respectfully to all, TAPE IS NOT DEAD. Sorry dedupe sales guys.
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)
rreed
Expert
 
Posts: 354
Liked: 72 times
Joined: Tue Jun 30, 2015 6:06 pm
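rreed's point is arithmetic as much as it is about tape: an implant that sits dormant for 3-6 months and then wipes the reachable backups leaves nothing usable in a 30-day online window, because every point in that window was taken after the infection and the online copies are gone anyway. The following is an added example, not code from the thread or from Veeam, that models this with a constructed schedule (one disk restore point per day kept for 30 days, one tape export on the 1st of each month kept for 12 months; the dates, the "export on the 1st" rule and the 145-day dormancy are assumptions chosen for the example) and reports the newest restore point that both predates the infection and survives the wipe.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RestorePoint:
    taken: date
    medium: str  # "disk" = online, reachable over the network; "tape" = exported, offline


def build_schedule(activation, disk_retention_days=30, tape_months=12):
    """Constructed model: daily disk points for the retention window ending on
    the activation date, plus one tape export on the 1st of each month."""
    points = [RestorePoint(activation - timedelta(days=i), "disk")
              for i in range(disk_retention_days)]
    year, month = activation.year, activation.month
    for _ in range(tape_months):
        points.append(RestorePoint(date(year, month, 1), "tape"))
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return points


def newest_clean_point(points, infection, activation, online_media_destroyed=True):
    """Newest restore point taken before the implant arrived that still exists
    after activation. With online_media_destroyed=True every disk point is
    treated as wiped or encrypted, which is the scenario the FBI alert describes."""
    usable = [p for p in points
              if p.taken < infection                       # predates the dormant implant
              and p.taken <= activation
              and not (online_media_destroyed and p.medium == "disk")]
    return max(usable, key=lambda p: p.taken, default=None)


def scenario(activation_iso, dormancy_days, disk_retention_days=30, tape_months=12,
             online_media_destroyed=True):
    """Wrapper returning 'medium YYYY-MM-DD' for the newest clean point, or None."""
    activation = date.fromisoformat(activation_iso)
    infection = activation - timedelta(days=dormancy_days)
    points = build_schedule(activation, disk_retention_days, tape_months)
    best = newest_clean_point(points, infection, activation, online_media_destroyed)
    return None if best is None else f"{best.medium} {best.taken.isoformat()}"


if __name__ == "__main__":
    # 145 days of dormancy falls inside the 3-6 month range the auditors cited
    print("disk + monthly tape :", scenario("2016-02-23", 145))
    print("disk only           :", scenario("2016-02-23", 145, tape_months=0))
    print("short dwell, no wipe:", scenario("2016-02-23", 10, tape_months=0,
                                            online_media_destroyed=False))
```

With 145 days of dormancy the disk-only schedule returns nothing, while the tape schedule still yields the 2015-09-01 export: old, as rreed says, but *something*. The fourth knob matters too: with a short dwell time and no wipe, the 30-day disk window does contain a clean point, which is exactly the case that makes people believe online retention is sufficient.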

Re: New ransomware that targets backups. Are we susceptible

by masonit » Wed Feb 24, 2016 9:52 am

Hi Gostev

What are your thoughts about Endpoint backup then? When backing up to the VBR server you have to open up ports for SMB traffic between the EP client and the VBR server. Not an ideal solution. :)

\Masonit
masonit
Service Provider
 
Posts: 141
Liked: 10 times
Joined: Tue Oct 09, 2012 2:30 pm
Full Name: Magnus Andersson

Re: New ransomware that targets backups. Are we susceptible

by Gostev » Wed Feb 24, 2016 1:30 pm 1 person likes this post

Hi. That's not entirely correct. Backup from VEB to a Veeam backup repository is done through the proprietary protocol. There is no need to open up ports for SMB traffic between the EP client and the VBR server, as SMB traffic only flows between the gateway server specified in the shared folder repository settings and the share, while the source data mover (running on the endpoint) and the target data mover (running on the gateway server) talk to each other using the proprietary protocol. So, you're safe until someone builds a CryptoLocker that is specifically designed to attack Veeam repositories.
Gostev
Veeam Software
 
Posts: 21596
Liked: 2401 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: New ransomware that targets backups. Are we susceptible

by larry » Wed Feb 24, 2016 3:35 pm

Veeam controlling the SAN snapshots would also be safe.
larry
Expert
 
Posts: 383
Liked: 90 times
Joined: Wed Mar 24, 2010 5:47 pm
Full Name: Larry Walker

Re: New ransomware that targets backups. Are we susceptible

by masonit » Wed Feb 24, 2016 3:45 pm

Ok, thanks for the info. Seems to be something I have totally missed, my bad. I am trying to find more info about this gateway server thing. :) Looking at the user guide for VEB but can't find much info about the gateway there. Where should I look?

\Masonit
masonit
Service Provider
 
Posts: 141
Liked: 10 times
Joined: Tue Oct 09, 2012 2:30 pm
Full Name: Magnus Andersson

Re: New ransomware that targets backups. Are we susceptible

by Gostev » Wed Feb 24, 2016 10:08 pm

Veeam Help Center (Technical Documentation) > Veeam Backup & Replication > User Guide for VMware vSphere > Administration > Setting Up Backup Infrastructure > Assigning Roles of Backup Infrastructure Components > Configuring Simple Backup Repositories > Adding Simple Backup Repositories > Step 5. Specify Server or Shared Folder Settings > Shared Folder
Gostev
Veeam Software
 
Posts: 21596
Liked: 2401 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: New ransomware that targets backups. Are we susceptible

by EzE » Mon Feb 29, 2016 7:43 pm

Similar to kjstech, I am worried about the effects of a CryptoLocker virus. I'm not as concerned about the machine itself being the source of an infection, but more so an admin getting a CryptoLocker that spreads to domain-joined machines. Our backup repository is disk on the Veeam server itself. The machine is domain-joined, and there is a domain service account used for application-aware guest processing. My thought is to remove the machine from the domain and create an isolated admin account, so that regular domain admins don't have access to the backup directory. I would assume my backups would still function since the local Veeam install will have access to the machine's directories? I would still use the domain service account for the guest processing. Am I thinking about this correctly? Any more suggestions?

Thanks!
EzE
Influencer
 
Posts: 10
Liked: never
Joined: Fri Feb 06, 2015 3:48 pm
Full Name: Eric H

Re: New ransomware that targets backups. Are we susceptible

by larry » Mon Feb 29, 2016 9:43 pm

I have always used a non-domain server for my Veeam servers. Never had an issue besides entering the user name: sometimes you need localservername\localaccount, sometimes it needs just a localaccount name. I did add the Veeam servers into DNS. I have a domain Veeam user for the application-aware processing, but that user has no rights to the Veeam backup files or servers. My domain admins have no rights to the Veeam server, and there are no file shares on Veeam. To restore a file we restore to the desktop and move it; lots of files we restore right to the server.

Our iSCSI and NFS are on their own subnet with no routing except to other iSCSI and NFS subnets. Veeam has a NIC on this subnet.

Our admins have no internet or email for their domain admin account. All the admin terminals are VMs. They use their non-domain admin account to log in to a computer, then remote into their admin PC with the domain admin account.
larry
Expert
 
Posts: 383
Liked: 90 times
Joined: Wed Mar 24, 2010 5:47 pm
Full Name: Larry Walker

Re: New ransomware that targets backups. Are we susceptible

by LikenTheVirtual » Mon Feb 29, 2016 10:30 pm

We expect to finally get away from tape using this:

https://aws.amazon.com/blogs/aws/glacier-vault-lock

Summary: you can have an AWS vault be a write-once-read-many data store.

Was wondering if anyone else has experience with it?
LikenTheVirtual
Lurker
 
Posts: 1
Liked: never
Joined: Fri Sep 06, 2013 2:51 pm
Full Name: Russ

Re: New ransomware that targets backups. Are we susceptible

by Gostev » Tue Mar 01, 2016 12:19 am 1 person likes this post

You're not really getting away from tape by using Glacier, as it is backed by tape as well ;)
Gostev
Veeam Software
 
Posts: 21596
Liked: 2401 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland
