-
- Veteran
- Posts: 385
- Liked: 39 times
- Joined: Oct 17, 2013 10:02 am
- Full Name: Mark
- Location: UK
- Contact:
"Possible ransomware activity" alert
Hi
Just wondering if this alert has actually triggered and helped anyone in the wild yet?
I'm a little concerned that the alarm triggers are a little high, not sure a single infected client could push the server to 70%+ CPU and 40 MB/s write, but I guess these triggers are tested beforehand by Veeam labs against real outbreaks on standard file servers?
Thanks
-
- Veteran
- Posts: 7328
- Liked: 781 times
- Joined: May 21, 2014 11:03 am
- Full Name: Nikita Shestakov
- Location: Prague
- Contact:
Re: "Possible ransomware activity" alert
Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why thresholds are high is that we want to avoid false positives.
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: "Possible ransomware activity" alert
My 2 cents: this alarm will not protect you from all possible ransomware activity, but it will tell you if a VM has an abnormal activity for CPU/disk write rate performance counters (which is worth an investigation). If you have a file server with repeated activity that triggers high resource usage, you can set this time in the exclusion list in the alarms settings.
-
- Veteran
- Posts: 385
- Liked: 39 times
- Joined: Oct 17, 2013 10:02 am
- Full Name: Mark
- Location: UK
- Contact:
Re: "Possible ransomware activity" alert
Shestakov wrote:
Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why thresholds are high is that we want to avoid false positives.
Was this tested against VMs that were encrypting their local vdisks? That would cause high CPU and disk IO, but if a Windows client out there infected a mapped drive on a file server VM (which is what normally happens), I'm not sure there would be high CPU on the file server, as the CPU-intensive encryption would be using the local client CPU. TBH, I don't think a Windows file server VM's CPU would increase much from higher incoming writes, but I'm not keen to test it myself - only time will tell if this alert is useful.
-
- Veteran
- Posts: 7328
- Liked: 781 times
- Joined: May 21, 2014 11:03 am
- Full Name: Nikita Shestakov
- Location: Prague
- Contact:
Re: "Possible ransomware activity" alert
You are correct, that's why the alarm is for VMs, not datastores.
I also agree that the alarm will not be triggered for all possible malware activities: some of them don't encrypt the whole file, some distribute the load to keep hidden.
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: "Possible ransomware activity" alert
lando_uk wrote:
but if a Windows client out there infected a mapped drive on a file server VM (which is what normally happens), I'm not sure there would be high CPU on the file server, as the CPU-intensive encryption would be using the local client CPU.
That's a perfect use case, and to address this, you can add network write rate monitoring to this alarm even now, or just create a separate alarm to track abnormal network activity of your VMs.
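The alarm discussed in this thread is a threshold rule over per-VM performance counters: CPU and disk write rate, an exclusion list for times when a VM is legitimately busy (Vitaliy's first reply), and optionally a network write rate counter for the case Mark raises, where a remote client encrypts a share and the file server's own CPU stays low. The evaluator below models those three pieces so the difference between the two scenarios is visible on sample data. It is an added example, not Veeam ONE's code or configuration: the 70% CPU and 40 MB/s disk write thresholds are the values quoted in the thread, while the 40 MB/s network threshold, the requirement that a condition hold on two consecutive samples, the counter field names, the VM names and the readings themselves are constructed assumptions.

```python
"""Threshold-style 'possible ransomware activity' evaluator (illustrative, not Veeam's)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Tuple


@dataclass
class Sample:
    """One performance-counter reading for a VM (constructed test data)."""
    vm: str
    at: datetime
    cpu_pct: float
    disk_write_mbps: float
    net_write_mbps: float  # hypothetical extra counter for the remote-encryption case


@dataclass
class Rule:
    name: str
    holds: Callable[[Sample], bool]


@dataclass
class AlarmConfig:
    cpu_pct: float = 70.0            # threshold quoted in the thread
    disk_write_mbps: float = 40.0    # threshold quoted in the thread
    net_write_mbps: float = 40.0     # assumed value for the added network rule
    consecutive_samples: int = 2     # assumed: condition must hold N samples in a row
    # vm -> list of (start, end) time-of-day windows in which the alarm is muted
    exclusions: Dict[str, List[Tuple[time, time]]] = field(default_factory=dict)


def build_rules(cfg: AlarmConfig) -> List[Rule]:
    return [
        # Local encryption: the guest burns its own CPU and writes its own vdisk.
        Rule("cpu+disk", lambda s: s.cpu_pct >= cfg.cpu_pct
             and s.disk_write_mbps >= cfg.disk_write_mbps),
        # Encryption over a share: file-server CPU stays low, inbound writes climb.
        Rule("net-write", lambda s: s.net_write_mbps >= cfg.net_write_mbps),
    ]


def in_exclusion(cfg: AlarmConfig, s: Sample) -> bool:
    return any(start <= s.at.time() < end for start, end in cfg.exclusions.get(s.vm, []))


def evaluate(cfg: AlarmConfig, samples: List[Sample]) -> Dict[str, List[str]]:
    """Return {vm: [names of rules that fired]}.

    A rule fires for a VM once its condition holds on cfg.consecutive_samples
    consecutive readings. Readings inside an exclusion window are skipped and
    reset the streak, so load before and after a maintenance window is not
    stitched together into one alarm.
    """
    rules = build_rules(cfg)
    by_vm: Dict[str, List[Sample]] = defaultdict(list)
    for s in samples:
        by_vm[s.vm].append(s)
    fired: Dict[str, List[str]] = {}
    for vm, vm_samples in by_vm.items():
        streak = {r.name: 0 for r in rules}
        hits: List[str] = []
        for s in sorted(vm_samples, key=lambda x: x.at):
            if in_exclusion(cfg, s):
                streak = {r.name: 0 for r in rules}
                continue
            for r in rules:
                streak[r.name] = streak[r.name] + 1 if r.holds(s) else 0
                if streak[r.name] >= cfg.consecutive_samples and r.name not in hits:
                    hits.append(r.name)
        fired[vm] = hits
    return fired


def demo() -> Dict[str, List[str]]:
    """Run the evaluator over constructed readings for three VMs."""
    cfg = AlarmConfig(exclusions={"sql01": [(time(1, 0), time(4, 0))]})

    def t(h: int, m: int) -> datetime:
        return datetime(2017, 5, 15, h, m)  # constructed timestamp

    samples = [
        # Workstation encrypting its own vdisk: CPU and disk write both high, sustained.
        Sample("ws-infected", t(10, 0), 85, 55, 5),
        Sample("ws-infected", t(10, 1), 88, 60, 5),
        # File server whose share is being encrypted by a remote client: CPU stays low.
        Sample("fs01", t(10, 0), 18, 58, 66),
        Sample("fs01", t(10, 1), 22, 61, 70),
        # SQL server: heavy but expected load inside its maintenance window, plus one
        # isolated daytime spike that never reaches the consecutive-sample count.
        Sample("sql01", t(2, 0), 92, 80, 9),
        Sample("sql01", t(2, 1), 95, 85, 9),
        Sample("sql01", t(10, 0), 90, 75, 9),
        Sample("sql01", t(10, 1), 30, 5, 9),
    ]
    return evaluate(cfg, samples)


if __name__ == "__main__":
    for vm, hits in demo().items():
        print(f"{vm}: {hits or 'no alarm'}")
```

With the CPU+disk rule alone, `fs01` would never alarm even though its share is being overwritten at 60 MB/s; the network write rule is what catches that scenario, which is the point of Vitaliy's suggestion. The consecutive-sample requirement is one way to keep the false-positive rate down without raising thresholds further; the thread's own mitigation for known-noisy VMs is the exclusion list, shown here as a time-of-day window for `sql01`.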
-
- Veteran
- Posts: 385
- Liked: 39 times
- Joined: Oct 17, 2013 10:02 am
- Full Name: Mark
- Location: UK
- Contact:
Re: "Possible ransomware activity" alert
Had a few hits of this monitor over the last few days, all our SQL VMs, so I've excluded those.
Only time will tell if this triggers when a real outbreak happens, which hopefully won't happen anytime soon...
-
- Veteran
- Posts: 7328
- Liked: 781 times
- Joined: May 21, 2014 11:03 am
- Full Name: Nikita Shestakov
- Location: Prague
- Contact:
Re: "Possible ransomware activity" alert
Thanks for the feedback, Mark!
Much appreciated.
-
- Veteran
- Posts: 385
- Liked: 39 times
- Joined: Oct 17, 2013 10:02 am
- Full Name: Mark
- Location: UK
- Contact:
Re: "Possible ransomware activity" alert
Just reviving this post, what with all the chaos going on. Has anyone had a real infection yet, and did this alert inform them?