Yes, Ransomware can delete your Veeam backups.


Re: Yes, Ransomware can delete your Veeam backups.

by CloudMSP » Sun Aug 06, 2017 2:31 am

All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".

Guys, I am an MSP with 40+ clients running Veeam to a local dedicated BDR server with local storage, and then cloudconnect to our datacenter. Can someone break it down: what would be the most cost-effective way to ensure these backups are as safe as possible for all my clients?
CloudMSP
Service Provider
 
Posts: 26
Liked: 10 times
Joined: Sun Jul 16, 2017 5:39 am
Full Name: Veeam MSP

[MERGED] Any way to stop Veeam being able to delete backups?

by itrabbit » Mon Aug 07, 2017 1:00 am

Hi all,

With the recent post of virus and malware and even hackers deleting Veeam backups. The one thing that bothers me is that an administrator can log on to the Veeam console and simply go to the repository and click delete, and it uses the Veeam stored credentials.

Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all magical stuff. But how do I stop simple users?

I would rather a dedicated password that must be entered prior to deleting any backups manually.
itrabbit
Influencer
 
Posts: 15
Liked: never
Joined: Thu Nov 24, 2016 6:50 am
Full Name: Matt Dunleavy

Re: Yes, Ransomware can delete your Veeam backups.

by v.Eremin » Mon Aug 07, 2017 1:10 pm

Hi, Matt,

Have you thought about adding tapes or rotated drives to your backup strategy?

Thanks,
v.Eremin
Veeam Software
 
Posts: 14722
Liked: 1102 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Yes, Ransomware can delete your Veeam backups.

by cbc-tgschultz » Mon Aug 07, 2017 1:38 pm

itrabbit wrote:
Hi all,

With the recent post of virus and malware and even hackers deleting Veeam backups. The one thing that bothers me is that an administrator can log on to the Veeam console and simply go to the repository and click delete, and it uses the Veeam stored credentials.

Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all magical stuff. But how do I stop simple users?

I would rather a dedicated password that must be entered prior to deleting any backups manually.


I'm afraid that given:
All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".


This feature wouldn't actually offer that much protection. Veeam stores the credentials, so one must assume that if someone has access to the Veeam server, then they have access to those credentials and are a few simple steps from being able to delete your backups.

The solutions that come to mind:

1) Offline backups, such as the suggested tape backups. I personally don't like this as tape is quite inconvenient and rarely do people take the time to test them like they should.
2) Rely on features of the storage system. For instance, Nimble storage arrays can take block-delta snapshots as frequently as you like, with pretty much any retention period you like. If your files are deleted, just go back to the last known good snapshot. The problem here is that any attacker determined enough to get your Veeam server can probably take the time to get at your storage system too and just delete the snapshots.
3) Not-really-offline backups. I described this in an earlier post in this thread. Basically, set up another storage system that is completely inaccessible over the network, only being accessible through a physical monitor+keyboard in the server room, that can form one-way connections to the primary storage server for the purposes of copying backups to itself from there.
cbc-tgschultz
Enthusiast
 
Posts: 48
Liked: 10 times
Joined: Fri May 13, 2016 1:48 pm
Full Name: Tanner Schultz

Re: Yes, Ransomware can delete your Veeam backups.

by aporter » Mon Aug 07, 2017 11:02 pm

1.5) Offline backups using rotating external hard drives.
aporter
Novice
 
Posts: 8
Liked: 1 time
Joined: Fri May 18, 2012 2:44 am
Full Name: Andrew Porter

[MERGED] Read only vbk/vib files?

by Jacv » Mon Aug 28, 2017 4:43 am

Can existing vbk/vib files be set as read only?

My thinking is I can add another layer of security to my offsite DR (Linux SMB share over VPN) by changing RW access from the share user to RO by giving write permissions to root only after every backup.

I know I'd have to manually control retention policy and I still have airgapped backups but thought the extra defence layer would be worth it.
Jacv
Novice
 
Posts: 7
Liked: 3 times
Joined: Tue Apr 05, 2016 12:13 am
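
Added example, not part of the post above and not Veeam tooling: one way to carry out the read-only idea on a Linux host that exports the repository over SMB. It assumes the script runs as root on the storage host, that the share user writes through group permission on the directories, and a 60-minute quiet period; the function name and paths are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): seal finished .vbk/.vib files so the
# SMB share user can no longer modify or delete them.
# Assumptions: runs as root on the storage host (e.g. from cron); the share
# user writes via group permission on the directories; files untouched for
# QUIET minutes are complete. seal_backups and the paths are hypothetical.

seal_backups() {    # usage: seal_backups REPO_DIR [QUIET_MINUTES]
    repo=$1
    quiet=${2:-60}
    [ -d "$repo" ] || { echo "no such directory: $repo" >&2; return 1; }

    # Read-only mode bits do not stop deletion: unlink/rename is governed by
    # write access to the directory. The sticky bit restricts both to the
    # file's owner, the directory's owner, or root.
    find "$repo" -type d -exec chmod +t {} + || return 1

    # Remove write permission from finished backup files; print each path
    # once so the caller gets a count of newly sealed files.
    sealed=$(find "$repo" -type f \( -name '*.vbk' -o -name '*.vib' \) \
                 -mmin "+$quiet" ! -perm 0444 -print \
                 -exec chmod 0444 {} \; | wc -l | tr -d ' ')

    # The owner of a file can chmod it back, so hand ownership of sealed
    # files and their directories to root. Only root can chown.
    if [ "$(id -u)" -eq 0 ]; then
        find "$repo" \( -type d -o -type f -perm 0444 \
             \( -name '*.vbk' -o -name '*.vib' \) \) \
             ! -user root -exec chown root {} + || return 1
    fi

    echo "$sealed"
}

# Run against a repository only when a path is given on the command line,
# e.g.: sh seal_backups.sh /srv/veeam-dr 60
if [ "$#" -ge 1 ]; then
    seal_backups "$@"
fi
```

Sealed files can no longer be merged, transformed or removed by the backup job, so retention has to be handled on the storage host, as the post already notes.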

Re: Read only vbk/vib files?

by DGrinev » Mon Aug 28, 2017 2:39 pm

Hi,

In order to provide the best data protection plan you should follow the 3-2-1 Rule.
Also, you can use Veeam Cloud Connect to store your data in the cloud on a Service Provider site.
Please review this thread with best approaches of backup file protection against deletion. Thanks!
DGrinev
Veeam Software
 
Posts: 1008
Liked: 105 times
Joined: Thu Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev

[MERGED] Securing offsite backup

by chrsm » Thu Jan 04, 2018 10:43 am

I am designing a new Veeam solution for a customer. We design the solution to do a daily backup copy job to a repository on a remote site.
What are the best practices for securing the data on the remote site to protect the data from being deleted by a hacker attack (ransomware etc.)?
I can see that 9.3 U3 has a new feature for Cloud Connect customers that keeps the data on the cloud provider even if the data has been deleted. Do we have similar possibilities even if we are not a Cloud Connect customer?
chrsm
Novice
 
Posts: 3
Liked: never
Joined: Thu Mar 27, 2014 1:26 pm
Full Name: Christian Schmidt-Møller

Re: Yes, Ransomware can delete your Veeam backups.

by v.Eremin » Thu Jan 04, 2018 3:51 pm 1 person likes this post

Do we have similar possibilities even if we are not a Cloud Connect customer?

Nope, and you wouldn't benefit from such a feature, even if we had it, as everything would still be controlled with the same access identity. Which is not the case with the Cloud Connect scenario, where a customer is unable to reach the location where deleted data is stored.

So, without CC in the equation, the most reliable solutions turn out to be tapes and removable drives (think real "offline", "air-gapped" backups).

Thanks.
v.Eremin
Veeam Software
 
Posts: 14722
Liked: 1102 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Yes, Ransomware can delete your Veeam backups.

by dellock6 » Wed Jan 10, 2018 5:41 pm

One possibility, however, is VCC-E, that is, Cloud Connect for Enterprise. It's technically the same solution as "regular" Cloud Connect, but it has specific requirements in terms of existing Enterprise License agreements to be eligible.
Otherwise, the best option is to either deploy VCC and become a service provider yourself for your customer, or partner (as a reseller/broker...) with an existing Veeam service provider and resell their Cloud Connect.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com/en/
vExpert 2011-2012-2013-2014-2015-2016-2017-2018
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 5354
Liked: 1454 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca

Re: Yes, Ransomware can delete your Veeam backups.

by yowmemperor » Tue Feb 13, 2018 8:18 pm

So this discussion has gone more than one page since I last read it. I apologize ahead of time for not taking time to read the other 6 pages.

So a script was mentioned to rename the backup files. Sounds like a good idea; however, I assume this affects Veeam's ability to run synthetic fulls and backup maps? To run those, the script would have to be re-run to revert to the original file name, just as we would with a restore? The synth fulls and maps take a significant amount of time for us; are there other ideas aside from offline copies?
yowmemperor
Influencer
 
Posts: 18
Liked: never
Joined: Mon Jan 08, 2018 5:19 pm

Re: Yes, Ransomware can delete your Veeam backups.

by lxzndr » Tue Feb 27, 2018 9:31 pm

What connections are required for a "disconnected" server to obtain backups, or backup copies, if that system is on the other side of a physical firewall device?

I saw mention of something like that where connections "To" that device are denied, and only connections "From" that device are allowed.
I would actually lean towards running backup jobs from it, instead of copy - that way it becomes an additional independent backup and avoids any issues if the original repository is unavailable.

Would that server only need access to vCenter (doing Network backup), or could I include a Proxy for HotAdd?
lxzndr
Novice
 
Posts: 8
Liked: 2 times
Joined: Fri Jun 24, 2011 3:26 pm

Re: Read only vbk/vib files?

by kewnev » Fri Mar 09, 2018 9:49 pm

DGrinev wrote:
Hi,

In order to provide the best data protection plan you should follow the 3-2-1 Rule.
Also, you can use Veeam Cloud Connect to store your data in the cloud on a Service Provider site.
Please review this thread with best approaches of backup file protection against deletion. Thanks!


Hello, is using Veeam Cloud Connect (VCC) as secure as using rotated drives? Let's say a hacker/malware gets into my network and wipes out all my data and on-site backups. Could they also extract VCC credentials from my Veeam configuration, then connect to my VCC provider and wipe out my backups there?
(I have never used VCC, apologies if I sound ignorant..!)
kewnev
Enthusiast
 
Posts: 62
Liked: 19 times
Joined: Sun Jun 17, 2012 1:09 pm
Full Name: Nev V

Re: Yes, Ransomware can delete your Veeam backups.

by Gostev » Fri Mar 09, 2018 10:09 pm

Not if your service provider has the Insider Protection feature enabled.
Gostev
Veeam Software
 
Posts: 22209
Liked: 2628 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Yes, Ransomware can delete your Veeam backups.

by Phate1989 » Thu Apr 05, 2018 4:47 pm

Unitrends is using this post in their marketing.
Phate1989
Lurker
 
Posts: 1
Liked: never
Joined: Thu Apr 05, 2018 4:45 pm
