Different ransomware strains do things differently. Some will create a new copy of a file during encryption and then delete the old one when completed, and these might be stopped by blocking file extensions, but others will encrypt in-place and rename after the fact. In the case of those, all you're doing is preventing the file from being renamed, making it hard to identify which files were hit; the data is still encrypted.
If you're doing FSRM, make sure you're taking advantage of its ability to send alerts. I personally use it to run scripts as well as alerting me. That way, under the right conditions, it will take automated action to limit the damage.
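As an added illustration of the FSRM setup the post above describes (example code, not the poster's own configuration): a file screen that blocks writes matching a file group, emails an alert, writes an event, and runs a responder script that revokes the offending account's access to the affected shares. The share path, the script path, the mail address and the file patterns are constructed placeholders, and the `Respond.ps1` script is assumed, not something the thread provides.

```powershell
# Added example (not from the thread): an FSRM file screen that emails, logs an
# event, and runs a responder script when a file matching a known ransomware-style
# pattern is written to a share. Paths, patterns and addresses are constructed
# placeholders; adjust them for your environment.
Import-Module FileServerResourceManager
Import-Module SmbShare

$ScreenPath = 'D:\Shares\Finance'        # assumed: folder backing the share(s)
$ScriptPath = 'C:\FSRM\Respond.ps1'      # assumed: responder script written below
$AdminMail  = 'fsadmin@example.com'      # assumed: alert recipient

# 1. File group: name patterns that should never appear on this share. The list
#    is illustrative; keep it current from your own indicator sources.
$Patterns = @('*.locked', '*.crypt', '*.encrypted', '*DECRYPT*.txt')
if (-not (Get-FsrmFileGroup -Name 'Ransomware Indicators' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware Indicators' -IncludePattern $Patterns | Out-Null
}

# 2. Responder script. FSRM substitutes [Source Io Owner] and [File Screen Path]
#    into the command line before it runs. Adding a Deny entry for that account
#    on every share under the screened folder stops further writes from it.
@'
param([string]$User, [string]$Path)
Import-Module SmbShare
Get-SmbShare | Where-Object { $_.Path -like "$Path*" } | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $User -Force
}
'@ | Set-Content -Path $ScriptPath -Encoding ASCII

# 3. Notification actions: mail, an event log entry, and the script above.
$Mail  = New-FsrmAction -Type Email -MailTo $AdminMail `
           -Subject 'FSRM: ransomware indicator on [File Screen Path]' `
           -Body '[Source Io Owner] wrote [Source File Path] on [Server]'
$Event = New-FsrmAction -Type Event -EventType Warning `
           -Body '[Source Io Owner] wrote [Source File Path] on [Server]'
$Run   = New-FsrmAction -Type Command `
           -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
           -CommandParameters "-ExecutionPolicy Bypass -NoProfile -File $ScriptPath -User '[Source Io Owner]' -Path '[File Screen Path]'" `
           -SecurityLevel LocalSystem

# 4. Active screen: refuses the write and fires the actions. Leave out -Active
#    to run in passive mode (actions only, no blocking) while tuning the patterns.
New-FsrmFileScreen -Path $ScreenPath -IncludeGroup 'Ransomware Indicators' `
    -Active -Notification @($Mail, $Event, $Run)
```

Two caveats follow from the thread itself. A screen only triggers on files created or renamed to match the group, so a strain that encrypts in place under the original name never trips it; the alert and responder are a damage limiter, not a substitute for isolated backups. FSRM also rate-limits repeated runs of the same action type, so confirm the run limit interval on each action suits how quickly you expect to react.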
MOBO wrote: How about if the repository is a standalone server and the Veeam program is the only system that has the credentials, am I still at risk for malware to delete backups?
Mike Resseler wrote: The authentication details are stored in the DB and certainly not easily readable. That data in the DB is encrypted and you cannot just decrypt that. But that being said, a very specifically written Trojan might succeed in getting that information out and then access the NAS and encrypt your backup files. Far-fetched? Maybe. Possible, unfortunately.
dellock6 wrote: Actually you don't need this tool at all. Let's not forget that the goal here is not to steal data, it's to steal money. So I probably don't even need to open a Veeam console; I may target Veeam repositories directly to delete backup copies, so that the encrypted files are the only copies, to force the victim to pay. If you read that thread on Reddit, the attacker encrypted the files, but then they just formatted the Veeam repos; they didn't need to encrypt those backups or anything else. Air gapping is the only real defense here.
y1008946 wrote: Are the NetApp snapshots protected or are they at risk too?