Yes, Ransomware can delete your Veeam backups.


Re: Yes, Ransomware can delete your Veeam backups.

by CloudMSP » Sun Aug 06, 2017 2:31 am

All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".

Guys, I am an MSP with 40+ clients running Veeam to a local dedicated BDR server with local storage, and then Cloud Connect to our datacenter. Can someone break it down: what would be the most cost-effective way to ensure these backups are as safe as possible for all my clients?
CloudMSP
Influencer
 
Posts: 14
Liked: 10 times
Joined: Sun Jul 16, 2017 5:39 am
Full Name: Veeam MSP

[MERGED] Any way to stop Veeam being able to delete backups?

by itrabbit » Mon Aug 07, 2017 1:00 am

Hi all,

With the recent post of viruses and malware and even hackers deleting Veeam backups, the one thing that bothers me is that an administrator can log on to the Veeam console and simply go to the repository and click delete, and it uses the Veeam stored credentials.

Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all the magical stuff. But how do I stop simple users?

I would rather a dedicated password that must be entered prior to deleting any backups manually.
itrabbit
Influencer
 
Posts: 15
Liked: never
Joined: Thu Nov 24, 2016 6:50 am
Full Name: Matt Dunleavy

Re: Yes, Ransomware can delete your Veeam backups.

by v.Eremin » Mon Aug 07, 2017 1:10 pm

Hi, Matt,

Have you thought about adding tapes or rotated drives to your backup strategy?

Thanks,
v.Eremin
Veeam Software
 
Posts: 14038
Liked: 1051 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Yes, Ransomware can delete your Veeam backups.

by cbc-tgschultz » Mon Aug 07, 2017 1:38 pm

itrabbit wrote: Hi all,

With the recent post of viruses and malware and even hackers deleting Veeam backups, the one thing that bothers me is that an administrator can log on to the Veeam console and simply go to the repository and click delete, and it uses the Veeam stored credentials.

Is there any way to stop the Veeam console from allowing a user to directly delete backups? I am fine if Veeam is doing its retention policy and all the magical stuff. But how do I stop simple users?

I would rather a dedicated password that must be entered prior to deleting any backups manually.


I'm afraid that given:
All Veeam credentials are easily obtained by PowerShell via a script that support can run for you, in fact I still have a copy of the script. So there goes that "protection".


This feature wouldn't actually offer that much protection. Veeam stores the credentials, so one must assume that if someone has access to the Veeam server, then they have access to those credentials and are a few simple steps from being able to delete your backups.

The solutions that come to mind:

1) Offline backups, such as the suggested tape backups. I personally don't like this as tape is quite inconvenient and rarely do people take the time to test them like they should.
2) Rely on features of the storage system. For instance, Nimble storage arrays can take block-delta snapshots as frequently as you like, with pretty much any retention period you like. If your files are deleted, just go back to the last known good snapshot. The problem here is that any attacker determined enough to get your Veeam server can probably take the time to get at your storage system too and just delete the snapshots.
3) Not-really-offline backups. I described this in an earlier post in this thread. Basically, set up another storage system that is completely inaccessible over the network, only being accessible through a physical monitor+keyboard in the server room, that can form one-way connections to the primary storage server for the purposes of copying backups to itself from there.
cbc-tgschultz
Enthusiast
 
Posts: 48
Liked: 10 times
Joined: Fri May 13, 2016 1:48 pm
Full Name: Tanner Schultz

Re: Yes, Ransomware can delete your Veeam backups.

by aporter » Mon Aug 07, 2017 11:02 pm

1.5) Offline backups using rotating external hard drives.
aporter
Novice
 
Posts: 8
Liked: 1 time
Joined: Fri May 18, 2012 2:44 am
Full Name: Andrew Porter

[MERGED] Read only vbk/vib files?

by Jacv » Mon Aug 28, 2017 4:43 am

Can existing vbk/vib files be set as read only?

My thinking is I can add another layer of security to my offsite DR (Linux SMB share over VPN) by changing RW access from the share user to RO by giving write permissions to root only after every backup.

I know I'd have to manually control retention policy and I still have air-gapped backups, but thought the extra defence layer would be worth it.
Jacv
Novice
 
Posts: 7
Liked: 3 times
Joined: Tue Apr 05, 2016 12:13 am
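
An added check for the read-only approach asked about above (example code, not from the original post or from Veeam): on Linux a read-only file mode does not stop deletion or renaming, because that is decided by the containing directory. The script lists .vbk/.vib files that an account other than the trusted owner could still change or remove. The function name `audit_repo`, its optional trusted-UID argument and the reliance on GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Linux backup repository for .vbk/.vib files that an
# account other than the trusted owner could still change or delete.
# Usage: audit_repo DIR [TRUSTED_UID]   (TRUSTED_UID defaults to 0, i.e. root)
# Assumes GNU stat (stat -c). Prints one "path: reason" line per finding.

audit_repo() {
    repo=$1
    trusted=${2:-0}
    find "$repo" -type f \( -name '*.vbk' -o -name '*.vib' \) -print |
    while IFS= read -r f; do
        dir=$(dirname "$f")
        fuid=$(stat -c '%u' "$f");   fmode=$(stat -c '%a' "$f")
        duid=$(stat -c '%u' "$dir"); dmode=$(stat -c '%a' "$dir")

        # The file owner can always chmod the file back to writable.
        if [ "$fuid" != "$trusted" ]; then
            echo "$f: owned by uid $fuid, who can restore write access"
        fi
        # Group/other write bits allow overwriting the file in place.
        if [ $(( 0$fmode & 022 )) -ne 0 ]; then
            echo "$f: writable by group or other (mode $fmode)"
        fi
        # Deleting or renaming is decided by the directory, not the file:
        # the directory owner can always do it ...
        if [ "$duid" != "$trusted" ]; then
            echo "$f: deletable by directory owner uid $duid"
        fi
        # ... and so can anyone with write access, unless the sticky bit is set.
        if [ $(( 0$dmode & 022 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
            echo "$f: deletable, $dir is group/other-writable without sticky bit"
        fi
    done
    return 0
}
```

An empty result means every backup file found is owned by the trusted account, not group/other-writable, and sits in a directory where only the trusted account (or a sticky-bit rule) controls deletion.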

Re: Read only vbk/vib files?

by DGrinev » Mon Aug 28, 2017 2:39 pm

Hi,

In order to provide the best data protection plan you should follow the 3-2-1 Rule.
Also, you can use Veeam Cloud Connect to store your data in the cloud on a Service Provider site.
Please review this thread for the best approaches to protecting backup files against deletion. Thanks!
DGrinev
Veeam Software
 
Posts: 714
Liked: 79 times
Joined: Thu Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev

[MERGED] Securing offsite backup

by chrsm » Thu Jan 04, 2018 10:43 am

I am designing a new Veeam solution for a customer. We design the solution to do a daily backup copy job to a repository on a remote site.
What are the best practices for securing the data on the remote site to protect the data from being deleted in a hacker attack (ransomware etc.)?
I can see that 9.3 U3 has a new feature for Cloud Connect customers that keeps the data on the cloud provider even if the data has been deleted. Do we have similar possibilities even if we are not a Cloud Connect customer?
chrsm
Novice
 
Posts: 3
Liked: never
Joined: Thu Mar 27, 2014 1:26 pm
Full Name: Christian Schmidt-Møller

Re: Yes, Ransomware can delete your Veeam backups.

by v.Eremin » Thu Jan 04, 2018 3:51 pm

Do we have similar possibilities even if we are not a Cloud Connect customer?

Nope, and you wouldn't benefit from such a feature, even if we had it, as everything would still be controlled with the same access identity. Which is not the case with the Cloud Connect scenario, where a customer is unable to reach the location where deleted data is stored.

So, without CC in the equation, the most reliable solutions turn out to be tapes and removable drives (think real "offline", "air-gapped" backups).

Thanks.
v.Eremin
Veeam Software
 
Posts: 14038
Liked: 1051 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Yes, Ransomware can delete your Veeam backups.

by dellock6 » Wed Jan 10, 2018 5:41 pm

One possibility, however, is VCC-E, that is, Cloud Connect for Enterprise. It's technically the same solution as "regular" Cloud Connect, but it has specific requirements in terms of existing Enterprise License agreements to be eligible.
Otherwise, the best option is to either deploy VCC and become a service provider for your customer yourself, or partner (as a reseller/broker...) with an existing Veeam service provider and resell their Cloud Connect.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 5203
Liked: 1401 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca
