Monitoring and reporting for Veeam Backup & Replication, VMware vSphere and Microsoft Hyper-V
lando_uk
Expert
Posts: 277
Liked: 20 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

"Possible ransomware activity" alert

Post by lando_uk » Dec 01, 2016 11:50 am

Hi

Just wondering if this alert has actually triggered and helped anyone in the wild yet?

I'm a little concerned that the alarm triggers are a little high, not sure a single infected client could push the server to 70%+ CPU and 40 MB/s write, but I guess these triggers are tested beforehand by Veeam labs against real outbreaks on standard file servers?

Thanks

Shestakov
Veeam Software
Posts: 5924
Liked: 514 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague

Re: "Possible ransomware activity" alert

Post by Shestakov » Dec 01, 2016 12:05 pm

Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why thresholds are high is that we want to avoid false positives.

Vitaliy S.
Veeam Software
Posts: 21398
Liked: 1273 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: "Possible ransomware activity" alert

Post by Vitaliy S. » Dec 01, 2016 12:08 pm

My 2 cents: this alarm will not protect you from all possible ransomware activity, but it will tell you if a VM has abnormal activity for the CPU/disk write rate performance counters (which is worth an investigation). If you have a file server with repeated activity that triggers high resource usage, you can set this time in the exclusion list in the alarm's settings.

lando_uk
Expert
Posts: 277
Liked: 20 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

Re: "Possible ransomware activity" alert

Post by lando_uk » Dec 01, 2016 12:59 pm

Shestakov wrote: Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why thresholds are high is that we want to avoid false positives.

Was this tested against VMs that were encrypting their local vdisks, as that would cause high CPU and disk IO, but if a Windows client out there infected a mapped drive on a file server VM (which is what normally happens), I'm not sure there would be high CPU on the file server as the CPU-intensive encryption would be using the local client CPU. TBH, I don't think a Windows file server VM's CPU would increase much from higher incoming writes, but I'm not keen to test myself - only time will tell if this alert is useful.

Shestakov
Veeam Software
Posts: 5924
Liked: 514 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague

Re: "Possible ransomware activity" alert

Post by Shestakov » Dec 01, 2016 1:34 pm

You are correct, that's why the alarm is for VMs, not datastores.
I also agree that the alarm will not be triggered for all possible malware activities: some of them don't encrypt the whole file, some distribute the load to stay hidden.

Vitaliy S.
Veeam Software
Posts: 21398
Liked: 1273 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: "Possible ransomware activity" alert

Post by Vitaliy S. » Dec 03, 2016 12:15 pm

lando_uk wrote: but if a Windows client out there infected a mapped drive on a File server VM (which is what normally happens), I'm not sure there would be high CPU on the file server as the CPU intensive encryption would be using local client CPU.

That's a perfect use case, and to address this, you can add Network write rate monitoring to this alarm even now, or just create a separate alarm to track abnormal network activity of your VMs.
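To make the discussion above concrete, here is an added example (not Veeam's code, and not how Veeam ONE implements its alarm internally) that replays constructed per-VM performance samples through two rules: the CPU/disk-write rule with the thresholds quoted in this thread (70% CPU and 40 MB/s write, treated here as an AND condition, which is an assumption), and a network-aware variant for Mark's file-server case, where the encryption CPU cost sits on the infected client and the server only shows inbound network bytes turning into disk writes. It also models the per-VM time-window exclusion list Vitaliy mentions and requires two consecutive matching samples before firing, so one-off spikes don't alarm. The VM names, sample values, the 40 MB/s network threshold and the exclusion window are all constructed for the example.

```python
"""Toy evaluation of a 'Possible ransomware activity' style alarm over
per-VM counters. Added example; thresholds for CPU and disk write come
from the forum thread, everything else (network threshold, sample data,
exclusion window, consecutive-sample logic) is an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Thresholds quoted in the thread; combining them with AND is an assumption.
CPU_PCT_THRESHOLD = 70.0
DISK_WRITE_MBPS_THRESHOLD = 40.0
# Inbound network threshold is our own illustrative choice, not a Veeam default.
NET_RX_MBPS_THRESHOLD = 40.0


@dataclass(frozen=True)
class Sample:
    vm: str
    ts: datetime
    cpu_pct: float
    disk_write_mbps: float
    net_rx_mbps: float  # bytes arriving at the VM's vNIC, e.g. SMB writes from clients


@dataclass(frozen=True)
class Exclusion:
    """Suppress alarms for one VM inside a daily time window (e.g. a SQL maintenance job)."""
    vm: str
    start: time
    end: time

    def covers(self, s: Sample) -> bool:
        return s.vm == self.vm and self.start <= s.ts.time() < self.end


def cpu_disk_rule(s: Sample) -> bool:
    """The rule as described in the thread: the VM itself is doing the encrypting."""
    return s.cpu_pct >= CPU_PCT_THRESHOLD and s.disk_write_mbps >= DISK_WRITE_MBPS_THRESHOLD


def net_disk_rule(s: Sample) -> bool:
    """File-server variant: an infected client rewrites a mapped share, so the
    server shows little CPU but a lot of inbound network traffic becoming disk writes."""
    return s.net_rx_mbps >= NET_RX_MBPS_THRESHOLD and s.disk_write_mbps >= DISK_WRITE_MBPS_THRESHOLD


def evaluate(samples, exclusions, rules, consecutive=2):
    """Return a set of (vm, rule_name) pairs where a rule held for `consecutive`
    samples in a row, ignoring samples inside an exclusion window."""
    streak = {}
    fired = set()
    for s in sorted(samples, key=lambda x: (x.vm, x.ts)):  # per-VM, time-ordered
        excluded = any(e.covers(s) for e in exclusions)
        for name, rule in rules.items():
            key = (s.vm, name)
            if not excluded and rule(s):
                streak[key] = streak.get(key, 0) + 1
                if streak[key] >= consecutive:
                    fired.add(key)
            else:
                streak[key] = 0  # excluded or non-matching sample breaks the streak
    return fired


def constructed_samples():
    """Constructed counter samples (not real telemetry), 5-minute intervals."""
    t = lambda hh, mm: datetime(2016, 12, 5, hh, mm)
    return [
        # sql01: nightly maintenance, high CPU and disk write, inside its exclusion window
        Sample("sql01", t(2, 0), 85.0, 95.0, 2.0),
        Sample("sql01", t(2, 5), 88.0, 110.0, 2.0),
        Sample("sql01", t(2, 10), 80.0, 90.0, 2.0),
        # fs01: file server whose mapped share is being rewritten by an infected client
        Sample("fs01", t(10, 0), 12.0, 3.0, 1.0),
        Sample("fs01", t(10, 5), 18.0, 65.0, 70.0),
        Sample("fs01", t(10, 10), 20.0, 72.0, 78.0),
        # app01: VM encrypting its own local vdisk
        Sample("app01", t(10, 0), 5.0, 1.0, 0.5),
        Sample("app01", t(10, 5), 92.0, 55.0, 0.5),
        Sample("app01", t(10, 10), 95.0, 60.0, 0.5),
        # web01: busy but normal (high CPU, almost no disk writes)
        Sample("web01", t(10, 0), 75.0, 5.0, 30.0),
        Sample("web01", t(10, 5), 78.0, 6.0, 32.0),
    ]


EXCLUSIONS = [Exclusion("sql01", time(1, 0), time(3, 0))]
RULES = {"cpu_disk": cpu_disk_rule, "net_disk": net_disk_rule}


def run():
    return evaluate(constructed_samples(), EXCLUSIONS, RULES)


if __name__ == "__main__":
    for vm, rule in sorted(run()):
        print(f"ALARM {vm}: {rule}")
```

With the constructed data, the CPU/disk rule catches only the VM encrypting its own disk (app01), the file server (fs01) is caught solely by the network-aware variant, the busy web server never fires because its disk write rate stays low, and the SQL server's maintenance spike is silenced by its exclusion window; drop the exclusion and sql01 fires on the CPU/disk rule, which is exactly the false positive Mark reported excluding.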

lando_uk
Expert
Posts: 277
Liked: 20 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

Re: "Possible ransomware activity" alert

Post by lando_uk » Dec 05, 2016 3:11 pm

Had a few hits of this monitor over the last few days, all our SQL VMs, so I've excluded those.
Only time will tell if this triggers when a real outbreak happens, which hopefully won't happen anytime soon...

Shestakov
Veeam Software
Posts: 5924
Liked: 514 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague

Re: "Possible ransomware activity" alert

Post by Shestakov » Dec 05, 2016 3:12 pm

Thanks for the feedback, Mark!
Much appreciated.

lando_uk
Expert
Posts: 277
Liked: 20 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK

Re: "Possible ransomware activity" alert

Post by lando_uk » May 13, 2017 12:01 am

Just reviving this post, what with all the chaos going on. Has anyone had a real infection yet, and did this alert inform them?
