Yes, Ransomware can delete your Veeam backups.


Re: Yes, Ransomware can delete your Veeam backups.

by CloudMSP » Sun Aug 06, 2017 2:31 am

All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".

Guys, I am an MSP with 40+ clients running Veeam to a local dedicated BDR server with local storage, and then Cloud Connect to our datacenter. Can someone break it down: what would be the most cost-effective way to ensure these backups are as safe as possible for all my clients?
CloudMSP
Influencer
 
Posts: 10
Liked: 9 times
Joined: Sun Jul 16, 2017 5:39 am
Full Name: Veeam MSP

[MERGED] Any way to stop Veeam being able to delete backups?

by itrabbit » Mon Aug 07, 2017 1:00 am

Hi all,

With the recent post about viruses, malware and even hackers deleting Veeam backups, the one thing that bothers me is that an administrator can log on to the Veeam console, simply go to the repository and click delete, and it uses the Veeam stored credentials.

Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all the magical stuff. But how do I stop simple users?

I would rather have a dedicated password that must be entered prior to deleting any backups manually.
itrabbit
Influencer
 
Posts: 14
Liked: never
Joined: Thu Nov 24, 2016 6:50 am
Full Name: Matt Dunleavy

Re: Yes, Ransomware can delete your Veeam backups.

by v.Eremin » Mon Aug 07, 2017 1:10 pm

Hi, Matt,

Have you thought about adding tapes or rotated drives to your backup strategy?

Thanks,
v.Eremin
Veeam Software
 
Posts: 13734
Liked: 1027 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Yes, Ransomware can delete your Veeam backups.

by cbc-tgschultz » Mon Aug 07, 2017 1:38 pm

itrabbit wrote:
> Hi all,
>
> With the recent post about viruses, malware and even hackers deleting Veeam backups, the one thing that bothers me is that an administrator can log on to the Veeam console, simply go to the repository and click delete, and it uses the Veeam stored credentials.
>
> Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all the magical stuff. But how do I stop simple users?
>
> I would rather have a dedicated password that must be entered prior to deleting any backups manually.

I'm afraid that given:

> All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".

this feature wouldn't actually offer that much protection. Veeam stores the credentials, so one must assume that if someone has access to the Veeam server, then they have access to those credentials and are a few simple steps from being able to delete your backups.

The solutions that come to mind:

1) Offline backups, such as the suggested tape backups. I personally don't like this as tape is quite inconvenient and rarely do people take the time to test them like they should.
2) Rely on features of the storage system. For instance, Nimble storage arrays can take block-delta snapshots as frequently as you like, with pretty much any retention period you like. If your files are deleted, just go back to the last known good snapshot. The problem here is that any attacker determined enough to get your Veeam server can probably take the time to get at your storage system too and just delete the snapshots.
3) Not-really-offline backups. I described this in an earlier post in this thread. Basically, set up another storage system that is completely inaccessible over the network, only being accessible through a physical monitor+keyboard in the server room, that can form one-way connections to the primary storage server for the purposes of copying backups to itself from there.
cbc-tgschultz
Enthusiast
 
Posts: 46
Liked: 9 times
Joined: Fri May 13, 2016 1:48 pm
Full Name: Tanner Schultz
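
The pull-only arrangement from option 3 above, as an added sketch that is not part of the original post: the isolated host copies new .vbk/.vib files to itself and never overwrites or deletes what it already holds. The function name and paths are assumptions, and it is meant to run outside the backup window.

```shell
#!/bin/sh
# Added example: append-only pull, run ON the isolated backup host.
# SRC is the primary repository as seen from this host (assumed to be a
# read-only mount that this host initiated); DST is local disk that nothing
# on the network can reach. DST must be an absolute path.

# pull_new SRC DST -> prints the number of files copied in this run
pull_new() {
    src=$1; dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || { echo "bad SRC or DST" >&2; return 1; }
    (
        cd "$src" || exit 1
        find . -type f \( -name '*.vbk' -o -name '*.vib' \) |
        while IFS= read -r f; do
            # Never overwrite: a file already held here is kept even if the
            # source copy has changed since (for example, encrypted in place).
            [ -e "$dst/$f" ] && continue
            mkdir -p "$dst/$(dirname "$f")" || continue
            # Copy under a temporary name and rename afterwards, so an
            # interrupted run never leaves a truncated file under the real name.
            if cp -p "$f" "$dst/$f.partial" && mv "$dst/$f.partial" "$dst/$f"
            then
                printf '%s\n' "$f"
            else
                echo "copy failed: $f" >&2
            fi
        done
    ) | wc -l | tr -d ' '
    # Deliberately no delete step: files removed from SRC stay in DST, so
    # retention on this host has to be handled locally at the console.
}
```

Because deletions and in-place changes on the primary are never propagated, a wiped or encrypted primary repository leaves the isolated copy as it was at the last pull.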

Re: Yes, Ransomware can delete your Veeam backups.

by aporter » Mon Aug 07, 2017 11:02 pm

1.5) Offline backups using rotating external hard drives.
aporter
Novice
 
Posts: 8
Liked: 1 time
Joined: Fri May 18, 2012 2:44 am
Full Name: Andrew Porter

[MERGED] Read only vbk/vib files?

by Jacv » Mon Aug 28, 2017 4:43 am

Can existing vbk/vib files be set as read only?

My thinking is I can add another layer of security to my offsite DR (Linux SMB share over VPN) by changing RW access from the share user to RO by giving write permissions to root only after every backup.

I know I'd have to manually control retention policy and I still have airgapped backups but thought the extra defence layer would be worth it.
Jacv
Novice
 
Posts: 5
Liked: 3 times
Joined: Tue Apr 05, 2016 12:13 am
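
An added sketch of the root-side lock-down described in the post above (not the poster's or Veeam's code), for the Linux host behind the share. It also sets the sticky bit on the directory, because on Linux delete and rename are governed by the directory's permissions rather than the file's; the function names, path, owner and 30-minute quiet period are assumptions.

```shell
#!/bin/sh
# Added example: lock finished backup files on the Linux repository host.
# Run as root on the storage box itself (cron or similar), never from the
# Veeam server, whose stored credentials are what this layer guards against.

# lock_backups DIR OWNER [MIN_AGE_MINUTES]
#   DIR      repository directory behind the SMB share (placeholder)
#   OWNER    account that owns finished files (root in production)
#   MIN_AGE  files modified more recently are assumed to belong to a
#            running job and are left alone (default 30, an assumption)
# Prints how many files are in the locked state after the run.
lock_backups() {
    dir=$1; owner=$2; min_age=${3:-30}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Delete and rename are decided by the directory, not the file mode.
    # With the sticky bit set on an OWNER-owned directory, the share user
    # (via group write) can create files but cannot remove or rename
    # files that OWNER owns.
    chown "$owner" "$dir" || return 1
    chmod 1770 "$dir" || return 1

    find "$dir" -type f \( -name '*.vbk' -o -name '*.vib' \) \
        -mmin "+$min_age" \
        -exec sh -c 'chown "$0" "$@" && chmod 0444 "$@" && printf "%s\n" "$@"' \
        "$owner" {} + | wc -l | tr -d ' '
}

# unlocked_backups DIR [MIN_AGE_MINUTES]
# Lists finished backup files whose mode is not exactly 0444; empty output
# means nothing was missed. Useful as a monitoring check.
unlocked_backups() {
    find "$1" -type f \( -name '*.vbk' -o -name '*.vib' \) \
        -mmin "+${2:-30}" ! -perm 0444
}
```

Job modes that rewrite existing files will fail against locked files, which is the manual-retention trade-off the post already accepts.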

Re: Read only vbk/vib files?

by DGrinev » Mon Aug 28, 2017 2:39 pm

Hi,

In order to provide the best data protection plan you should follow the 3-2-1 Rule.
Also, you can use Veeam Cloud Connect to store your data in the cloud on a Service Provider site.
Please review this thread for the best approaches to protecting backup files against deletion. Thanks!
DGrinev
Veeam Software
 
Posts: 632
Liked: 72 times
Joined: Thu Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
