handian.sudianto
Expert
Posts: 125
Liked: 1 time
Joined: Jan 13, 2023 9:02 am
Full Name: Handian
Contact:

Protecting from Ransomware

Post by handian.sudianto »

Hi,

What best practices should we follow to protect our backups from a ransomware attack?
HannesK
Product Manager
Posts: 14972
Liked: 3159 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Protecting from Ransomware

Post by HannesK »

Hello,
against encryption: use Hardened Repository or immutable object storage (capacity tier) or (WORM) tape

https://helpcenter.veeam.com/docs/backu ... _tier.html
https://helpcenter.veeam.com/docs/backu ... itory.html
post402811.html#p402811

against exfiltration: backup cannot do anything against it :-)

Best regards,
Hannes
handian.sudianto
Expert
Posts: 125
Liked: 1 time
Joined: Jan 13, 2023 9:02 am
Full Name: Handian
Contact:

Re: Protecting from Ransomware

Post by handian.sudianto »

Hello,

Can we trigger a script to be executed after Veeam has finished the backup? I want to set the disk offline after all backups have run.
HannesK
Product Manager
Posts: 14972
Liked: 3159 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Protecting from Ransomware

Post by HannesK »

Hello,
yes, please see the user guide

Best regards,
Hannes
Regnor
VeeaMVP
Posts: 1018
Liked: 317 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Protecting from Ransomware

Post by Regnor »

Just keep in mind that an offline disk can be set online again. If the ransomware has some intelligence or you have someone active on your server, you can be sure that the disk and its content will be lost.
It may be an additional layer of security, but it does not protect against everything.
HannesK
Product Manager
Posts: 14972
Liked: 3159 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Protecting from Ransomware

Post by HannesK »

ah, I thought with "offline" he means sending it physically offline for example with an IP power strip

Windows offline is useless, agree.
wotik
Novice
Posts: 4
Liked: never
Joined: Apr 05, 2022 9:48 am
Contact:

Re: Protecting from Ransomware

Post by wotik »

I use RDX drives and cartridges that are ejected from the drive after the backup is made. Such a tape is truly offline :)
TimoW
Service Provider
Posts: 25
Liked: 2 times
Joined: Nov 27, 2014 2:20 pm
Full Name: Timo Wende
Contact:

Re: Protecting from Ransomware

Post by TimoW »

Hello,
sorry for hijacking this thread, but I think it belongs to the topic.

I had heard of a case where a company was completely encrypted. The attackers had already established themselves in the network weeks/months before and had also diligently leaked data. The backups were left unencrypted (secured separately) and the last 14 days were available as restore points. Nevertheless, the commissioned forensic expert had recommended that the entire environment be completely set up, since it could be assumed that the backup had also been compromised.
Is the recommended action in such a scenario to "run a malware scan while restoring the VMs"? Or have I possibly missed something and there are other defenses against ransomware?

Kind regards,
Timo
cpfleger
Certified Trainer
Posts: 379
Liked: 46 times
Joined: Aug 31, 2012 7:30 am
Full Name: Claus Pfleger
Contact:

Re: Protecting from Ransomware

Post by cpfleger »

You can use Secure Restore with either Full or Instant VM recovery.

In both cases the scan for infections (on backups of Windows systems only, NOT available for Linux systems) will be done BEFORE but not while restoring so keep in mind that this will take some time.

Secure restore is indeed recommended by Veeam after a ransomware infection.

Hope that helps and matches your post.

[Edited: typos]
Hanuta
Novice
Posts: 5
Liked: 2 times
Joined: Jul 24, 2014 7:14 am
Contact:

Re: Protecting from Ransomware

Post by Hanuta »

Hello,

just wanted to point to a good public summary for creating an immutable repository with linux:
https://www.experts-exchange.com/articl ... ation.html

Even with no Linux knowledge it is quite easy to implement.

Regards
Hanuta
alesovodvojce
Enthusiast
Posts: 63
Liked: 9 times
Joined: Nov 29, 2016 10:09 pm
Contact:

Re: Protecting from Ransomware

Post by alesovodvojce »

@cpfleger
...the scan for infections (on backups of Windows systems only, NOT available for Linux systems) will be done BEFORE but not while restoring ...
Are you saying that
- Veeam reads the entire virtual hard disks' contents from backup for the antivirus scan; and if everything is negative
- Veeam reads the entire virtual hard disks' contents from backup again in order to transfer them to the recovery destination?

How about considering an approach that seems more effective:
- Veeam reads the entire virtual hard disks' contents from backup to the recovery destination
- the A/V scan and forensics are done on the target recovery destination

The proposal seems to put half the I/O load on the backup storage. Why does that matter? For RTO, and also because the incident response team might need to collect & examine all recovered backups (either A/V negative or positive) anyway to confirm the attack timeline hypothesis. The backup admins won't let them work on the backup infrastructure, will they? (I have no experience here)

The proposed solution is not implemented in Veeam.
The question is:
In which cases will Veeam's Secure Restore be a better option?
cpfleger
Certified Trainer
Posts: 379
Liked: 46 times
Joined: Aug 31, 2012 7:30 am
Full Name: Claus Pfleger
Contact:

Re: Protecting from Ransomware

Post by cpfleger »

@alesovodvojce

You can read yourself through the procedures here:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
are you saying that
- Veeam reads entire virtual harddisks' contents from backup for antivirus scan; and if everything negative
- Veeam reads entire virtual harddisks' contents from backup again in order to transfer to recovery destination?

That's the way it goes as far as I understood and saw it in RL.
And, as I am not employed at Veeam but just explaining the feature in short words, you are barking up the wrong tree here (;

how about considering approach that seems more effective...

Feel free to post a new feature request in this forum if you want Veeam to offer a different approach (best to mention FR or feature request in the Subject) - FRs are one reason for the forum's existence.

Feel also free to recommend a different approach if you want.

[Edited: added for clarification]
YouGotServered
Service Provider
Posts: 176
Liked: 53 times
Joined: Mar 11, 2016 7:41 pm
Full Name: Cory Wallace
Contact:

Re: Protecting from Ransomware

Post by YouGotServered »

All, please keep in mind that while secure restore is a GREAT feature, it is not going to protect against the thing that causes cybersecurity experts the most worry in a restore - that you are going to restore a legitimate, non-malware-based method of entry for them. If the attacker created or took over a seemingly inconspicuous user account and configured VPN / RDS / or other company-approved means of access, restoring the environment with a malware scan will not detect that, since they are getting in using legitimate methods.

We went through a scenario in which a client was compromised and lost everything, EXCEPT their backups (patting myself on the back for the Veeam hardening I did for them). The cybersecurity expert recommended (rightly so) a full rebuild as the attacker was able to get in via a legitimate access method that did not trip malware alarms. The business did not want to go that route (completely understandable as they had years of custom application development into their line of business apps) and instead opted to do a restore. Of course, we scanned restored data for malware, none was found. We also reset every single password in AD (including 100% of the MFA tokens), firewalls, switches, wiped every computer and reimaged, wiped and rebuilt every ESXi host, and updated the firmware of every single device on the network, printers and phones included, before bringing the network back online. We were never able to determine how the attacker got in, but by doing all the things we did above, we could be 99% certain we closed their method of entry.

But - never 100%. That was the risk we chose to take.

Stay frosty, friends.
stmux
Enthusiast
Posts: 38
Liked: never
Joined: May 24, 2013 2:51 pm
Full Name: ja
Contact:

Re: Protecting from Ransomware

Post by stmux »

HannesK wrote: Jan 19, 2023 10:30 am ah, I thought with "offline" he means sending it physically offline for example with an IP power strip

Windows offline is useless, agree.
I have been using this method for my small business clients for quite some time. Both powered USB and Ethernet Switch controlled by GE CYNC plugs. The powered off components cannot be turned on by Ransomware. With wireless CYNC plugs the time syncs with the computers so there is no drift and scheduled backups are run within a set window of time. Most setups use a 1 hour time window to complete their differential backups which leaves the devices offline for 23 hours per day. I can also control all my devices remotely to do manual backups, if needed. Obviously, this won't work for enterprise setups, but for small businesses where keeping cost down is essential this method works nicely. Most companies agree to make offsite copies periodically should a worst case scenario occur.
mux
tgx
Enthusiast
Posts: 51
Liked: 62 times
Joined: Feb 11, 2019 6:17 pm
Contact:

Re: Protecting from Ransomware

Post by tgx »

Hanuta wrote: Jan 23, 2023 7:23 am Hello,

just wanted to point to a good public summary for creating an immutable repository with linux:
https://www.experts-exchange.com/articl ... ation.html

Even with no linux knowledge it is quiet easy to implement.

Regards
Hanuta
As an aside, there is no provision in that article for systems that do not automatically create/add users to groups based on the default template. The command to change the ownership of the filesystem mount point will thus fail with 'invalid group'. For a no-knowledge admin that would likely be a showstopper.
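A setup helper covering both the Hardened Repository recommendation earlier in the thread and the 'invalid group' gap tgx describes, added here as an example; it is not code from the thread, the linked article or Veeam. Before changing ownership of the repository mount point it checks whether the group and service account exist (via getent) and creates them only if missing, then verifies ownership and mode. The account, group and path names (veeamrepo, /mnt/veeam-repo) are assumptions; creating users and groups needs root, while the check functions run unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread, the linked article or Veeam): pre-flight
# checks for a Linux hardened-repository mount point, so that
# "chown user:group" does not fail with 'invalid group' on systems that do not
# create a matching group for every user.
# REPO_USER, REPO_GROUP and REPO_PATH are assumed names for illustration.

REPO_USER="${REPO_USER:-veeamrepo}"
REPO_GROUP="${REPO_GROUP:-veeamrepo}"
REPO_PATH="${REPO_PATH:-/mnt/veeam-repo}"

# group_exists NAME -> 0 if the group is present in the NSS database
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# user_exists NAME -> 0 if the account is present in the NSS database
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# ensure_group NAME: create the group only when it is missing (idempotent; needs root)
ensure_group() {
    group_exists "$1" || groupadd "$1"
}

# ensure_user NAME GROUP: service account without home directory or login shell
ensure_user() {
    user_exists "$1" || useradd -M -s /usr/sbin/nologin -g "$2" "$1"
}

# owner_matches PATH USER GROUP -> 0 if ownership is exactly USER:GROUP
owner_matches() {
    [ "$(stat -c '%U:%G' "$1")" = "$2:$3" ]
}

# mode_matches PATH MODE -> 0 if the octal permission bits equal MODE (e.g. 700)
mode_matches() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

# prepare_repo PATH USER GROUP: create principals if needed, apply ownership
# and a restrictive mode, then verify that the result is what was requested.
prepare_repo() {
    ensure_group "$3" || return 1
    ensure_user "$2" "$3" || return 1
    mkdir -p "$1" || return 1
    chown "$2:$3" "$1" || return 1
    chmod 700 "$1" || return 1
    owner_matches "$1" "$2" "$3" && mode_matches "$1" 700
}
```

Usage: run as root with `prepare_repo "$REPO_PATH" "$REPO_USER" "$REPO_GROUP"`; a non-zero exit means one of the steps or the final verification failed, which is the point at which the article's bare chown would have stopped with 'invalid group'.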