Yes, Ransomware can delete your Veeam backups.


Re: Yes, Ransomware can delete your Veeam backups.

by miconib » Fri Jun 22, 2018 10:07 am

What we have done, and I'm not sure if anyone wants to add in their own snip about it, is the following

Since we mostly have small to mid size customers

For larger customers
Separate VMWARE server
Virtual Machine Running Veeam "Not on the domain, Completely different set of usernames and passwords for the admin account and there is only one admin account"
It is however on the same network, but it's completely locked unless you know the admin password "Which is different"
We make a veeam local backup
If the Server gets hit or has a hardware problem we spin it up on the secondary vmware server, we also use cloud connect as well but this is more for quick restore times "The local backup is"

For Smaller customers
On the same VMWARE server
Virtual Machine Running Veeam "Not on the domain, Completely different set of usernames and passwords for the admin account and there is only one admin account"
It is however on the same network, but it's completely locked unless you know the admin password "Which is different"
We make a veeam local backup
If the Server gets hit we spin it up on the same vmware server, we also use cloud connect as well but this is more for quick restore times "The local backup is"

What do you guys think?
miconib
Lurker
 
Posts: 1
Liked: never
Joined: Fri Jun 22, 2018 9:49 am
Full Name: Brandon Miconi

Re: Yes, Ransomware can delete your Veeam backups.

by michaelyou » Fri Jul 06, 2018 6:00 pm

I think Veeam needs to provide proactive protection for the ransomware issue.
This is because Veeam is an image-based backup solution on Windows OS. (Just like Backup Exec or Ghost)
Therefore, vbk and vib files become targets of viruses or malware.
Currently, we use a PowerShell script to change the file extension to a custom string on each backup job. (prescript and postscript)

However
Commvault : Provide many methods to protect backup data from ransomware.
Unitrends and Rubrik : Hardened linux-based appliance.

https://documentation.commvault.com/com ... p=7722.htm
https://www.unitrends.com/solutions/ran ... protection

How about Veeam ?
michaelyou
Novice
 
Posts: 3
Liked: 1 time
Joined: Fri Jul 06, 2018 3:19 pm
Full Name: michael

Re: Yes, Ransomware can delete your Veeam backups.

by mikeely » Fri Jul 06, 2018 6:36 pm

Our backups are being written (via NFS) to a ZFS share which takes regular snapshots. Pretty sure the ransomware wouldn't be able to access those as the Linux vbr/headend can't see them, although if we somehow missed the attack until after the snaps expired...
Unless otherwise specified, I am asking about something pertaining to Linux. We use Windows as infrequently as possible, and enthusiastically seek ways to reduce that usage further.
mikeely
Enthusiast
 
Posts: 67
Liked: 10 times
Joined: Mon Nov 07, 2016 7:39 pm
Full Name: Mike Ely
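
The concern raised in the post above (an attack going unnoticed until the snapshots have expired) can be checked mechanically. The following is an added example, not part of the original thread: a shell function that reads the output of `zfs list -H -p -t snapshot -o name,creation` and fails when the newest snapshot is stale or the oldest one does not reach back as far as an assumed detection window. The dataset name `tank/veeam`, the thresholds and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit snapshot coverage of a backup dataset.
# Input: tab-separated "name<TAB>creation-epoch" lines, as printed by
#   zfs list -H -p -t snapshot -o name,creation tank/veeam
# (tank/veeam is a hypothetical dataset name).

# audit_snapshots NOW_EPOCH MAX_NEWEST_AGE_HOURS MIN_WINDOW_DAYS < list
# Prints findings; returns 0 when coverage is adequate, 1 otherwise.
audit_snapshots() {
    awk -F '\t' -v now="$1" -v max_h="$2" -v min_d="$3" '
        $2 ~ /^[0-9]+$/ {
            n++
            if (n == 1 || $2 < oldest) { oldest = $2; oname = $1 }
            if (n == 1 || $2 > newest) { newest = $2; nname = $1 }
        }
        END {
            if (n == 0) { print "FAIL no snapshots found"; exit 1 }
            bad = 0
            age_h = int((now - newest) / 3600)   # age of latest restore point
            win_d = int((now - oldest) / 86400)  # how far back we can roll
            if (age_h > max_h) {
                printf "FAIL newest snapshot %s is %d h old (limit %d h)\n", nname, age_h, max_h
                bad = 1
            }
            if (win_d < min_d) {
                printf "FAIL oldest snapshot %s is %d d old (need %d d)\n", oname, win_d, min_d
                bad = 1
            }
            if (!bad) printf "OK %d snapshots, newest %d h old, window %d d\n", n, age_h, win_d
            exit bad
        }'
}

# Constructed sample: three snapshots taken 6 days, 3 days and 2 hours
# before the fixed reference time 1530900000.
sample_snapshots() {
    printf 'tank/veeam@auto-1\t1530381600\n'
    printf 'tank/veeam@auto-2\t1530640800\n'
    printf 'tank/veeam@auto-3\t1530892800\n'
}

# Demo: a 14-day detection window is not covered by 6 days of snapshots.
sample_snapshots | audit_snapshots 1530900000 24 14 || echo "coverage inadequate"

# Live use (run on the ZFS host, not on the backup server):
#   zfs list -H -p -t snapshot -o name,creation tank/veeam |
#       audit_snapshots "$(date +%s)" 24 14
```
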

Re: Yes, Ransomware can delete your Veeam backups.

by Gostev » Fri Jul 06, 2018 11:37 pm

Right, Veeam supported Linux-based repositories since v1. So if you believe using hardened Linux-based backup repository actually helps against real-world attacks - then by all means, you should use them. I personally recommend air gapping backup instead, seeing how almost all successful attacks we've seen in support were carried out from inside by the hacker having sniffed/keylogged credentials to all critical IT systems... the only role actual ransomware had in all these cases was letting the hacker into the environment.
Gostev
Veeam Software
 
Posts: 22400
Liked: 2675 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Yes, Ransomware can delete your Veeam backups.

by michaelyou » Sat Jul 07, 2018 4:36 am

Hi mikeely ,

Thank you so much for your sharing about your scenario for the backup repository.

Hi Gostev ,

Thank you so much for your reply. I know the "air gap" is the ideal solution for data security and ransomware attack.
However, if we implement an air gap solution in the real world, that means the RTO will be reduced due to being isolated from the production environment. That is why I hope Veeam can do more proactive protection about this.
This is not only the "leader supplier" of Veeam in the Gartner report! However, like other competitors like Acronis, there is also "Active Protection". Why is Veeam not ? I hope Veeam can solve this issue from the root.
michaelyou
Novice
 
Posts: 3
Liked: 1 time
Joined: Fri Jul 06, 2018 3:19 pm
Full Name: michael

Re: Yes, Ransomware can delete your Veeam backups.

by Gostev » Sat Jul 07, 2018 8:06 pm

Veeam does not have it because it is a marketing gimmick that does nothing besides giving you a false sense of protection. Such features are an actual disservice to the users, because they make them think they are well protected and can skip on implementing the proper solution (air gapped backups). It's not until after the actual attack when these users learn that solutions of this kind take seconds to be uninstalled (or simply disabled) by the hacker, thus adding zero extra protection to your backups.

I don't know if you followed Veeam forum digests in the past couple of years, because I've been sharing there many of the actual attack stories that we saw in our support. All of them clearly showed, in particular, how this type of "backup protection solutions" have zero value against real-world cyberattacks.
Gostev
Veeam Software
 
Posts: 22400
Liked: 2675 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Yes, Ransomware can delete your Veeam backups.

by F182 » Sun Jul 08, 2018 2:32 pm 1 person likes this post

I am very sorry for those that have been attacked by these ransom/viruses.

Though, this thread is quite surprising to me. We have been implementing 3-2-1 backup practices for almost 30 years and the concept was well established in the industry before then. See summary of 3-2-1: https://www.veeam.com/blog/how-to-follow-the-3-2-1-backup-rule-with-veeam-backup-replication.html.

Offsites are critical and not a want-have, they are a must-have. There are a lot of options available. You can use portable media. Cloud repository. Etc etc.

For example, we are much beyond 3-2-1. We have the main backup repository. We have a copy job to portable media repository. We have a copy job to cloud repository. Our cloud repository has a backup of its entire box to Azure backup (these backups go a long long way back).

It may seem like overkill, but if you want to sleep at night and have the confidence that the OP put in his first post, these are the steps that are needed.

Good luck everyone
F182
Service Provider
 
Posts: 16
Liked: 2 times
Joined: Sun Jun 03, 2018 3:13 pm
Full Name: Farzon David Almaneih

Re: Yes, Ransomware can delete your Veeam backups.

by mvalpreda » Tue Jul 10, 2018 1:58 am 1 person likes this post

While not a replacement for air-gapped off-site backups.....if nothing else get a Synology (or other NAS) that does snapshots. Send backups to Synology, schedule a snapshot after your backups, and make sure you are not presenting snapshots to the OS. Make sure the login for your NAS is a different password than the admin password and not stored in the browser cache or password manager. We typically do iSCSI to take advantage of 9.5 + 2016 + ReFS.

If your backups get hosed, apply a snapshot. It's like nothing happened. Tested a few times and works great. Short of someone getting into your NAS and deleting the snapshots, you're in pretty good shape.
mvalpreda
Enthusiast
 
Posts: 37
Liked: 1 time
Joined: Wed May 06, 2015 10:57 pm
Full Name: Mark Valpreda
