Ransomeware detection idea

Availability for the Always-On Enterprise

Ransomeware detection idea

Veeam Logoby Blue407 » Mon Feb 27, 2017 10:42 am

Morning All

I've been giving some thought to Ransomware of late, I feel in large enterprises, its only a matter of time before you get an infected PC and probably some network data.

Thinking about network shares, from what I inderstand, Ransomware will encrypt every single file it can access.
With regular backups every 2 hours, you would suddenly see a massive jump in the amout of data changed, could we set an alert for this?

I know it wouldn't stop infection, but it may help to know about it faster?
Blue407
Enthusiast
 
Posts: 44
Liked: 9 times
Joined: Tue Apr 12, 2016 2:14 pm
Full Name: Paul Thomas

Re: Ransomeware detection idea

Veeam Logoby b.vanhaastrecht » Mon Feb 27, 2017 10:53 am 2 people like this post

I think an better place would be to monitor your file servers for "files open". As this amount would increase very rapidly when an encryptor hits an share. You could even write an session blockage if an set threshold is reached.

Also, file screening can help you in the prevention of randsomware: http://olivermarshall.net/using-file-sc ... ptolocker/
========================================
Veeam ProPartner and Cloud Connect Provider
b.vanhaastrecht
Service Provider
 
Posts: 344
Liked: 68 times
Joined: Mon Aug 26, 2013 7:46 am
Location: The Netherlands
Full Name: Bastiaan van Haastrecht

Re: Ransomeware detection idea

Veeam Logoby v.Eremin » Mon Feb 27, 2017 12:26 pm

For now there is an alarm in Veeam ONE called "Possible ransomware activity" that gets triggered whenever there is abnormal increase in both CPU usage and datastore write rate. Might be a good place to start with. Thanks.
v.Eremin
Veeam Software
 
Posts: 13701
Liked: 1020 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Ransomeware detection idea

Veeam Logoby Delo123 » Thu Mar 02, 2017 9:12 am

the ransomware detected in veem ONE seems to be triggered (only?) by heavy write activity. We get alarms when saving bigger Excel files, doing Database backups, replay logs etc... After a while our guys tend to "ignore" these, for us we went with file screening on the fileservers and whitelisting all applications on the terminal servers together with av from Cylance. So far so good
Delo123
Expert
 
Posts: 355
Liked: 102 times
Joined: Fri Dec 28, 2012 5:20 pm
Full Name: Guido Meijers


Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Bing [Bot], cosmin.ciobanu, mcz, nijo79 and 4 guests