CloudMSP
Service Provider
Posts: 30
Liked: 11 times
Joined: Jul 16, 2017 5:39 am
Full Name: Veeam MSP

Re: Yes, Ransomware can delete your Veeam backups.

Post by CloudMSP » Aug 06, 2017 2:31 am

All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".

Guys, I am an MSP with 40+ clients running Veeam to a local dedicated BDR server with local storage, and then cloudconnect to our datacenter. Can someone break it down: what would be the most cost-effective way to ensure these backups are as safe as possible for all my clients?

itrabbit
Influencer
Posts: 19
Liked: 6 times
Joined: Nov 24, 2016 6:50 am
Full Name: Matt Dunleavy

[MERGED] Any way to stop Veeam being able to delete backups?

Post by itrabbit » Aug 07, 2017 1:00 am

Hi all,

With the recent post of viruses and malware and even hackers deleting Veeam backups, the one thing that bothers me is that an administrator can log on to the Veeam console and simply go to the repository and click delete, and it uses the Veeam stored credentials.

Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all the magical stuff. But how do I stop simple users?

I would rather a dedicated password that must be entered prior to deleting any backups manually.

v.Eremin
Veeam Software
Posts: 15150
Liked: 1141 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Yes, Ransomware can delete your Veeam backups.

Post by v.Eremin » Aug 07, 2017 1:10 pm

Hi, Matt,

Have you thought about adding tapes or rotated drives to your backup strategy?

Thanks,

cbc-tgschultz
Enthusiast
Posts: 50
Liked: 10 times
Joined: May 13, 2016 1:48 pm
Full Name: Tanner Schultz

Re: Yes, Ransomware can delete your Veeam backups.

Post by cbc-tgschultz » Aug 07, 2017 1:38 pm

itrabbit wrote:
> Hi all,
>
> With the recent post of viruses and malware and even hackers deleting Veeam backups, the one thing that bothers me is that an administrator can log on to the Veeam console and simply go to the repository and click delete, and it uses the Veeam stored credentials.
>
> Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all the magical stuff. But how do I stop simple users?
>
> I would rather a dedicated password that must be entered prior to deleting any backups manually.

I'm afraid that given:

> All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".

This feature wouldn't actually offer that much protection. Veeam stores the credentials, so one must assume that if someone has access to the Veeam server, then they have access to those credentials and are a few simple steps from being able to delete your backups.

The solutions that come to mind:

1) Offline backups, such as the suggested tape backups. I personally don't like this as tape is quite inconvenient and rarely do people take the time to test them like they should.
2) Rely on features of the storage system. For instance, Nimble storage arrays can take block-delta snapshots as frequently as you like, with pretty much any retention period you like. If your files are deleted, just go back to the last known good snapshot. The problem here is that any attacker determined enough to get your Veeam server can probably take the time to get at your storage system too and just delete the snapshots.
3) Not-really-offline backups. I described this in an earlier post in this thread. Basically, set up another storage system that is completely inaccessible over the network, only being accessible through a physical monitor+keyboard in the server room, that can form one-way connections to the primary storage server for the purposes of copying backups to itself from there.

aporter
Novice
Posts: 8
Liked: 1 time
Joined: May 18, 2012 2:44 am
Full Name: Andrew Porter

Re: Yes, Ransomware can delete your Veeam backups.

Post by aporter » Aug 07, 2017 11:02 pm

1.5) Offline backups using rotating external hard drives.

Jacv
Novice
Posts: 7
Liked: 3 times
Joined: Apr 05, 2016 12:13 am

[MERGED] Read only vbk/vib files?

Post by Jacv » Aug 28, 2017 4:43 am

Can existing vbk/vib files be set as read only?

My thinking is I can add another layer of security to my offsite DR (Linux SMB share over VPN) by changing RW access from the share user to RO by giving write permissions to root only after every backup.

I know I'd have to manually control retention policy and I still have airgapped backups but thought the extra defence layer would be worth it.
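One way to implement the read-only idea from the post above, as an added example that is not part of the original thread. It assumes a Linux repository whose job directories are owned by root and group-writable for the share account, and a job mode that never rewrites an existing .vbk/.vib; the function name, settle time and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): lock finished Veeam backup files on a
# Linux repository. Run as root from cron on the repository host itself.
#
# Mode 0444 alone is not enough: deleting or renaming a file is governed by
# write permission on its directory. The sticky bit restricts that to the
# file's owner, the directory's owner and root, so once a file belongs to
# root the share account can still add new files but cannot remove old ones.
# Assumption: job directories are owned by root and group-writable for the
# share account.

# lock_backups DIR [SETTLE_MINUTES]
# Locks every .vbk/.vib under DIR not modified for SETTLE_MINUTES (default 30,
# so a file still being written is skipped). Prints "locked PATH" per file.
lock_backups() {
    dir=$1
    settle=${2:-30}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    find "$dir" -type f \( -name '*.vbk' -o -name '*.vib' \) \
        -mmin +"$settle" ! -perm 0444 -print |
    while IFS= read -r f; do
        if [ "$(id -u)" -eq 0 ]; then
            chown root "$f"              # take the file away from the share user
        fi
        chmod +t "$(dirname "$f")"       # sticky bit on the job directory
        chmod 0444 "$f"
        echo "locked $f"
    done
}

# Example cron entry (path is a placeholder):
#   */15 * * * * /usr/local/sbin/lock-backups.sh /srv/veeam-dr
if [ "$#" -ge 1 ]; then
    lock_backups "$@"
fi
```

Because locked files can no longer be removed through the share, retention has to be handled by root on the repository host, as the post anticipates.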

DGrinev
Veeam Software
Posts: 1222
Liked: 129 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg

Re: Read only vbk/vib files?

Post by DGrinev » Aug 28, 2017 2:39 pm

Hi,

In order to provide the best data protection plan you should follow the 3-2-1 Rule.
Also, you can use Veeam Cloud Connect to store your data in the cloud on a Service Provider site.
Please review this thread with best approaches of backup file protection against deletion. Thanks!

chrsm
Novice
Posts: 3
Liked: never
Joined: Mar 27, 2014 1:26 pm
Full Name: Christian Schmidt-Møller

[MERGED] Securing offsite backup

Post by chrsm » Jan 04, 2018 10:43 am

I am designing a new Veeam solution for a customer. We design the solution to do a daily backup copy job to a repository on a remote site.
What are the best practices for securing the data on the remote site to protect the data from being deleted in a hacker attack (ransomware etc.)?
I can see that 9.3 U3 has a new feature for Cloud Connect customers that keeps the data on the cloud provider even if the data has been deleted. Do we have similar possibilities even if we are not a Cloud Connect customer?

v.Eremin
Veeam Software
Posts: 15150
Liked: 1141 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Yes, Ransomware can delete your Veeam backups.

Post by v.Eremin » Jan 04, 2018 3:51 pm 1 person likes this post

> Do we have similar possibilities even if we are not a Cloud Connect customer?

Nope, and you wouldn't benefit from such a feature, even if we had it, as everything would still be controlled with the same access identity. Which is not the case with the Cloud Connect scenario, where a customer is unable to reach the location where deleted data is stored.

So, without CC in the equation, the most reliable solutions turned out to be tapes and removable drives (think real "offline", "air-gapped" backups).

Thanks.

dellock6
Veeam Software
Posts: 5489
Liked: 1510 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy

Re: Yes, Ransomware can delete your Veeam backups.

Post by dellock6 » Jan 10, 2018 5:41 pm

One possibility however is VCC-E, that is Cloud Connect for Enterprise. It's technically the same solution as "regular" Cloud Connect, but it has specific requirements in terms of existing Enterprise License agreements to be eligible.
Otherwise, the best option is to either deploy VCC and become yourself a service provider for your customer, or partner (as a reseller/broker...) with an existing Veeam service provider and resell their Cloud Connect.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com/en/
vExpert 2011-2012-2013-2014-2015-2016-2017-2018
Veeam VMCE #1

yowmemperor
Influencer
Posts: 20
Liked: never
Joined: Jan 08, 2018 5:19 pm

Re: Yes, Ransomware can delete your Veeam backups.

Post by yowmemperor » Feb 13, 2018 8:18 pm

So this discussion has gone more than one page since I last read it. I apologize ahead of time for not taking time to read the other 6 pages.

So a script was mentioned to rename the backup files. Sounds like a good idea; however, I assume this affects Veeam's ability to run synthetic fulls and backup maps? To run those, the script would have to be re-run to revert to the original file name, just as we would with a restore? The synth fulls and maps take a significant amount of time for us; are there other ideas aside from offline copies?

lxzndr
Novice
Posts: 8
Liked: 2 times
Joined: Jun 24, 2011 3:26 pm

Re: Yes, Ransomware can delete your Veeam backups.

Post by lxzndr » Feb 27, 2018 9:31 pm

What connections are required for a "disconnected" server to obtain backups, or backup copies if that system is on the other side of a physical firewall device?

I saw mention of something like that, where connections "To" that device are denied and only connections "From" that device are allowed.
I would actually lean towards running backup jobs from it, instead of copy - that way it becomes an additional independent backup and avoids any issues if the original repository is unavailable.

Would that server only need access to vCenter? (doing Network backup) or I could include a Proxy for HotAdd?

kewnev
Enthusiast
Posts: 62
Liked: 19 times
Joined: Jun 17, 2012 1:09 pm
Full Name: Nev V

Re: Read only vbk/vib files?

Post by kewnev » Mar 09, 2018 9:49 pm

DGrinev wrote:
> Hi,
>
> In order to provide the best data protection plan you should follow the 3-2-1 Rule.
> Also, you can use Veeam Cloud Connect to store your data in the cloud on a Service Provider site.
> Please review this thread with best approaches of backup file protection against deletion. Thanks!

Hello, is using Veeam Cloud Connect (VCC) as secure as using rotated drives? Let's say a hacker/malware gets into my network and wipes out all my data and on-site backups. Could they also extract VCC credentials from my Veeam configuration, then connect to my VCC provider and wipe out my backups there?
(I have never used VCC, apologies if I sound ignorant..!)

Gostev
Veeam Software
Posts: 22994
Liked: 2890 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Yes, Ransomware can delete your Veeam backups.

Post by Gostev » Mar 09, 2018 10:09 pm

Not if your service provider has Insider Protection feature enabled.

Phate1989
Lurker
Posts: 1
Liked: never
Joined: Apr 05, 2018 4:45 pm

Re: Yes, Ransomware can delete your Veeam backups.

Post by Phate1989 » Apr 05, 2018 4:47 pm

Unitrends is using this post in their marketing.
