Monitoring and reporting for Veeam Data Platform
lando_uk
Veteran
Posts: 371
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

"Possible ransomware activity" alert

Post by lando_uk »

Hi

Just wondering if this alert has actually triggered and helped anyone in the wild yet?

I'm a little concerned that the alarm triggers are a little high; I'm not sure a single infected client could push the server to 70%+ CPU and 40 MB/s write, but I guess these triggers are tested beforehand by Veeam labs against real outbreaks on standard file servers?

Thanks
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague

Re: "Possible ransomware activity" alert

Post by Shestakov »

Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why the thresholds are high is that we want to avoid false positives.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: "Possible ransomware activity" alert

Post by Vitaliy S. »

My 2 cents: this alarm will not protect you from all possible ransomware activity, but it will tell you if a VM has abnormal activity on the CPU/disk write rate performance counters (which is worth an investigation). If you have a file server with repeated activity that triggers high resource usage, you can set this time in the exclusion list in the alarm settings.
lando_uk
Veteran
Posts: 371
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

Re: "Possible ransomware activity" alert

Post by lando_uk »

Shestakov wrote: Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why the thresholds are high is that we want to avoid false positives.

Was this tested against VMs that were encrypting their local vdisks? That would cause high CPU and disk IO, but if a Windows client out there infected a mapped drive on a file server VM (which is what normally happens), I'm not sure there would be high CPU on the file server, as the CPU-intensive encryption would be using the local client CPU. TBH, I don't think a Windows file server VM's CPU would increase much from higher incoming writes, but I'm not keen to test myself - only time will tell if this alert is useful.
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague

Re: "Possible ransomware activity" alert

Post by Shestakov »

You are correct, that's why the alarm is for VMs, not datastores.
I also agree that the alarm will not be triggered for all possible malware activities: some of them don't encrypt the whole file, some distribute the load to stay hidden.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: "Possible ransomware activity" alert

Post by Vitaliy S. »

lando_uk wrote: but if a Windows client out there infected a mapped drive on a file server VM (which is what normally happens), I'm not sure there would be high CPU on the file server, as the CPU-intensive encryption would be using the local client CPU.

That's a perfect use case, and to address this, you can add network write rate monitoring to this alarm even now, or just create a separate alarm to track abnormal network activity of your VMs.
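To make the two rules discussed in this thread concrete (the CPU plus disk-write rule Vitaliy describes with its exclusion list, and the network-write extension he suggests for the file-server case Mark raises), here is a small evaluator written as an added example. It is not Veeam ONE's code and does not use its API; the 70% CPU and 40 MB/s disk-write thresholds are the ones quoted in the thread, while the 40 MB/s network threshold, the three-consecutive-samples requirement, the VM names and the counter samples are all constructed assumptions for illustration.

```python
"""Toy evaluator for a "possible ransomware activity"-style VM alarm.

Constructed example mirroring the logic discussed in the thread: a per-VM
rule on CPU usage and disk write rate, an optional network write rate
condition, and an exclusion list for VMs or time windows with known
legitimate load (e.g. nightly SQL maintenance). Not Veeam ONE's code.
"""
from dataclasses import dataclass, field

CPU_PCT = 70.0          # quoted in the thread
DISK_WRITE_MBPS = 40.0  # quoted in the thread
NET_WRITE_MBPS = 40.0   # assumed value for the added network counter
MIN_CONSECUTIVE = 3     # assumed: require sustained load, not one spike


@dataclass
class Sample:
    vm: str
    minute: int               # constructed timestamp: minutes since midnight
    cpu_pct: float
    disk_write_mbps: float
    net_write_mbps: float = 0.0


@dataclass
class AlarmConfig:
    excluded_vms: set = field(default_factory=set)
    # vm -> list of (start_minute, end_minute) windows to ignore
    excluded_windows: dict = field(default_factory=dict)


def is_excluded(s: Sample, cfg: AlarmConfig) -> bool:
    if s.vm in cfg.excluded_vms:
        return True
    return any(start <= s.minute < end
               for start, end in cfg.excluded_windows.get(s.vm, []))


def sample_matches(s: Sample, use_network: bool) -> bool:
    """CPU+disk rule as in the thread. With use_network=True, heavy incoming
    writes over the network also count, so a file server whose clients do
    the encrypting (low local CPU, high writes) is still caught."""
    cpu_and_disk = s.cpu_pct >= CPU_PCT and s.disk_write_mbps >= DISK_WRITE_MBPS
    net_and_disk = (s.net_write_mbps >= NET_WRITE_MBPS
                    and s.disk_write_mbps >= DISK_WRITE_MBPS)
    return cpu_and_disk or (use_network and net_and_disk)


def evaluate(samples, cfg: AlarmConfig, use_network: bool = True) -> dict:
    """Return {vm: minute of first alarm} for VMs whose counters exceed the
    thresholds on MIN_CONSECUTIVE consecutive non-excluded samples."""
    alarms, streak = {}, {}
    for s in sorted(samples, key=lambda x: (x.vm, x.minute)):
        if is_excluded(s, cfg) or not sample_matches(s, use_network):
            streak[s.vm] = 0
            continue
        streak[s.vm] = streak.get(s.vm, 0) + 1
        if streak[s.vm] >= MIN_CONSECUTIVE and s.vm not in alarms:
            alarms[s.vm] = s.minute
    return alarms


# Constructed counter samples (vm, minute, cpu %, disk write MB/s, net write MB/s)
SAMPLES = [
    # sql01: legitimate nightly job, high CPU and writes from 02:00
    *[Sample("sql01", 120 + i, 85.0, 60.0) for i in range(5)],
    # fs01: file server hit from a client; CPU stays low, disk/net writes climb
    Sample("fs01", 600, 12.0, 5.0, 4.0),
    Sample("fs01", 601, 15.0, 45.0, 48.0),
    Sample("fs01", 602, 18.0, 52.0, 55.0),
    Sample("fs01", 603, 20.0, 58.0, 60.0),
    # app01: a single spike, not sustained
    Sample("app01", 300, 95.0, 70.0),
    Sample("app01", 301, 10.0, 2.0),
]
# Exclude the SQL maintenance window the way the thread suggests
CONFIG = AlarmConfig(excluded_windows={"sql01": [(115, 135)]})

if __name__ == "__main__":
    print("CPU+disk only:", evaluate(SAMPLES, CONFIG, use_network=False))
    print("with network :", evaluate(SAMPLES, CONFIG, use_network=True))
    print("no exclusions:", evaluate(SAMPLES, AlarmConfig(), use_network=False))
```

With the CPU-and-disk rule alone the file server `fs01` never alarms, which is exactly the gap Mark describes; adding the network-write condition flags it at the third sustained sample, while the SQL maintenance window is silenced by the exclusion and the one-off spike on `app01` is ignored by the consecutive-sample requirement.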
lando_uk
Veteran
Posts: 371
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

Re: "Possible ransomware activity" alert

Post by lando_uk »

Had a few hits of this monitor over the last few days, all on our SQL VMs, so I've excluded those.
Only time will tell if this triggers when a real outbreak happens, which hopefully won't happen anytime soon....
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague

Re: "Possible ransomware activity" alert

Post by Shestakov »

Thanks for the feedback, Mark!
Much appreciated.
lando_uk
Veteran
Posts: 371
Liked: 32 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

Re: "Possible ransomware activity" alert

Post by lando_uk »

Just reviving this post, what with all the chaos going on. Has anyone had a real infection yet, and did this alert inform them?