mkaec
Expert
Posts: 292
Liked: 61 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K

Re: Yes, Ransomware can delete your Veeam backups.

Post by mkaec » Jul 24, 2018 2:04 pm 1 person likes this post

SimonS wrote:...
In this case Data mover is running on linux repository, and backup files are not visible to Windows world
...
I imagine an attacker could still use the Veeam UI to delete the files.

The best non-airgapped solution I've heard of is a cloud provider that will not honor delete requests unless the files are of a certain age.

billcouper
Service Provider
Posts: 62
Liked: 17 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper

Re: Yes, Ransomware can delete your Veeam backups.

Post by billcouper » Jul 25, 2018 7:14 am 1 person likes this post

@mkaec "Backup file deletion prevention" is a feature Veeam Cloud Connect supports :)

SimonS
Novice
Posts: 7
Liked: 3 times
Joined: Jan 26, 2018 11:19 am
Full Name: Simon Setina
Location: Slovenia

Re: Yes, Ransomware can delete your Veeam backups.

Post by SimonS » Jul 26, 2018 9:29 am 1 person likes this post

mkaec wrote:...

I imagine an attacker could still use the Veeam UI to delete the files.
If you have access to the Veeam UI you can do anything :).

But we are talking about ransomware and deleting/encrypting backup files. In this case, you must prevent easy access to these files. The best way to do that is to use devices with no direct access (CIFS/NFS/local file system), but external boxes: Linux (SSH, Data mover), ExaGrid (Data mover), DataDomain (DDBoost) and HPE StoreOnce (Catalyst). Linux is the cheapest solution.
DataDomain has a feature, Retention Lock, which prevents deleting/changing files until the expiration period. Retention Lock works only with NFS/CIFS, not with DDBoost.

The best way to prevent deletion of your backups and have them locally is still old-fashioned tape libraries 8).
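
Added example, not part of any post above and not Veeam, Data Domain or provider code: a minimal model of the "no delete until a certain age" rule mkaec mentions and the retention lock SimonS describes. It goes one step beyond the thread by comparing a per-file age check with one that keeps a full backup locked while newer increments depend on it; `Repository`, `StoredFile`, `MIN_AGE` and the file names are hypothetical, and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_AGE = timedelta(days=7)  # assumed policy value, not taken from the thread

@dataclass(frozen=True)
class StoredFile:
    name: str
    ingested: datetime                # stamped by the storage side, never by the client
    depends_on: Optional[str] = None  # previous file in the backup chain, if any

class Repository:
    def __init__(self, files, chain_aware=True):
        self.files = {f.name: f for f in files}
        self.chain_aware = chain_aware

    def _ancestors(self, f):
        while f.depends_on in self.files:
            f = self.files[f.depends_on]
            yield f.name

    def locked_until(self, name):
        newest = self.files[name].ingested
        if self.chain_aware:  # a full stays locked while newer increments need it
            for g in self.files.values():
                if name in self._ancestors(g):
                    newest = max(newest, g.ingested)
        return newest + MIN_AGE

    def request_delete(self, name, now):
        if name not in self.files:
            return "not-found"
        if now < self.locked_until(name):
            return "denied"
        del self.files[name]
        return "deleted"

def wipe_attempt(chain_aware):
    """Constructed scenario: valid credentials are used to delete everything on day 10."""
    day = lambda n: datetime(2018, 7, 1) + timedelta(days=n)
    files = [StoredFile("old_full.vbk", day(-30)),
             StoredFile("old_inc.vib", day(-29), "old_full.vbk"),
             StoredFile("full.vbk", day(0)),
             StoredFile("inc1.vib", day(1), "full.vbk"),
             StoredFile("inc9.vib", day(9), "inc1.vib")]
    repo = Repository(files, chain_aware)
    return {f.name: repo.request_delete(f.name, day(10)) for f in files}

if __name__ == "__main__":
    print(wipe_attempt(chain_aware=False))  # per-file age only
    print(wipe_attempt(chain_aware=True))
```

With the per-file check only `inc9.vib` survives, and it cannot be restored without the full it depends on; with the chain-aware check the whole current chain is refused.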

CloudMSP
Service Provider
Posts: 30
Liked: 11 times
Joined: Jul 16, 2017 5:39 am
Full Name: Veeam MSP

Re: Yes, Ransomware can delete your Veeam backups.

Post by CloudMSP » Jul 30, 2018 10:33 am

We have a local BDR server onsite running Windows Server; it's the B&R server. If we keep this off the domain, and have unique passwords and AV, will this protect it from getting crypto for the most part? Login to the BDR is only from Screen Connect and not from the customer LAN or servers.

Gostev
SVP, Product Management
Posts: 23650
Liked: 3125 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Yes, Ransomware can delete your Veeam backups.

Post by Gostev » Jul 30, 2018 12:06 pm

CloudMSP wrote: We have a local BDR server onsite running Windows Server; it's the B&R server. If we keep this off the domain, and have unique passwords and AV, will this protect it from getting crypto for the most part? Login to the BDR is only from Screen Connect and not from the customer LAN or servers.
Not fully, because your backups are online. Passwords can be obtained by hackers via keyloggers, sniffers, social engineering etc. Also, what if one of your co-workers gets upset and sics ransomware there (or just deletes all backups)... you'd be surprised how often this happens.

Secure design definitely adds a good level of protection, but only offline backups in a fireproof safe can give you 100% assurance.

Niksavoy
Novice
Posts: 6
Liked: never
Joined: Sep 24, 2013 3:46 pm
Full Name: Nikolay Savov

Re: Yes, Ransomware can delete your Veeam backups.

Post by Niksavoy » Aug 14, 2018 1:43 pm

I want to share the situation I encountered yesterday with my client.
Recently, the VBR solution at this client was transformed into a backup server on a physical machine with 2012 R2 with local drives, running the VBR server, Backup proxy and Repository functions, as well as several virtual Backup proxies.
It also had not yet been expanded and finished.
I say IT WAS because yesterday the customer found that five days ago it was completely encrypted, including backup files.
It was hit by CMB Dharma Ransomware, Cryptovirus.
Unfortunately, it still did not have backup copy or replication, for objective reasons.

Luckily, no other machine from production was affected.
Or should I say, for now?

I have used Veeam since v7. Now I understand that my approach obviously needs to change, and that backups, backup copies, DR replications and DR backup copies in multiple places all seem to be vulnerable to similar attacks.
As I read the previous few pages, I thought of the following solution to the problem - I would like you to share your opinion:

A QNAP QSync application is installed on the Windows Server Backup Repository, pointing to the folder containing the backup copies from Veeam B&R.
In this way, folders are synchronized in real time with the QNAP storage, where volume snapshots are activated for a period of 30 days, for example.
On the QNAP we have enabled the Network Recycle Bin, so deleted files are not deleted from the QNAP - only admin can do so, but not the account for QSync.

How do I imagine it?
The QNAP NAS connection credentials remain hidden in the QSync application - it connects through HTTPS port 443 to the QNAP (LAN, or WAN for off-site).
There is no link in Veeam for this resource at all, nor in Windows itself.
Even if you get encrypted, QNAP volume snapshots can restore the entire volume with a mouse, keyboard and monitor at the QNAP itself - if you have an encrypted file, restore -1 step .....
When deleted, the files will also remain on the QNAP, just for admin usage.
QNAP NAS also supports RSync to another QNAP NAS - even Volume Replication - so the configuration can be expanded.


Would you be interested in sharing your opinion on such a solution, for any hidden obstacles I am missing?

Kind Regards
Niksavoy
