"Possible ransomware activity" alert

Monitoring and reporting for Veeam Backup & Replication, VMware vSphere and Microsoft Hyper-V

by lando_uk » Thu Dec 01, 2016 11:50 am

Hi

Just wondering if this alert has actually triggered and helped anyone in the wild yet?

I'm a little concerned that the alarm triggers are a little high, not sure a single infected client could push the server to 70%+ CPU and 40 MB/s write, but I guess these triggers are tested beforehand by Veeam labs against real outbreaks on standard file servers?

Thanks
lando_uk
Expert
 
Posts: 244
Liked: 18 times
Joined: Thu Oct 17, 2013 10:02 am
Location: UK
Full Name: Mark

Re: "Possible ransomware activity" alert

by Shestakov » Thu Dec 01, 2016 12:05 pm

Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why thresholds are high is that we want to avoid false positives.
Shestakov
Veeam Software
 
Posts: 5027
Liked: 419 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: "Possible ransomware activity" alert

by Vitaliy S. » Thu Dec 01, 2016 12:08 pm

My 2 cents: this alarm will not protect you from all possible ransomware activity, but it will tell you if a VM has an abnormal activity for CPU/disk write rate performance counters (which is worth an investigation). If you have a file server with repeated activity that triggers high resource usage, you can set this time in the exclusion list in the alarms settings.
Vitaliy S.
Veeam Software
 
Posts: 19771
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: "Possible ransomware activity" alert

by lando_uk » Thu Dec 01, 2016 12:59 pm

Shestakov wrote: Hi Mark,
You are right, we've tested the alarm on several VMs whose data had been encrypted by the same cryptosystems malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why thresholds are high is that we want to avoid false positives.


Was this tested against VMs that were encrypting their local vdisks, as that would cause high CPU and Disk IO, but if a Windows client out there infected a mapped drive on a File server VM (which is what normally happens), I'm not sure there would be high CPU on the file server as the CPU intensive encryption would be using local client CPU. TBH, I don't think a Windows File Server VM CPU would increase much from higher incoming writes, but I'm not keen to test myself - only time will tell if this alert is useful.
lando_uk
Expert
 
Posts: 244
Liked: 18 times
Joined: Thu Oct 17, 2013 10:02 am
Location: UK
Full Name: Mark

Re: "Possible ransomware activity" alert

by Shestakov » Thu Dec 01, 2016 1:34 pm

You are correct, that's why the alarm is for VMs, not datastores.
I also agree that the alarm will not be triggered for all possible malware activities: some of them don't encrypt the whole file, some distribute the load to stay hidden.
Shestakov
Veeam Software
 
Posts: 5027
Liked: 419 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: "Possible ransomware activity" alert

by Vitaliy S. » Sat Dec 03, 2016 12:15 pm

lando_uk wrote: but if a Windows client out there infected a mapped drive on a File server VM (which is what normally happens), I'm not sure there would be high CPU on the file server as the CPU intensive encryption would be using local client CPU.

That's a perfect use case, and to address this, you can add Network write rate monitoring to this alarm even now, or just create a separate alarm to track abnormal network activity of your VMs.
Vitaliy S.
Veeam Software
 
Posts: 19771
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
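The two detection cases discussed in this thread, as an added illustration (this is not Veeam ONE code and not the alarm's actual implementation): the original alarm, which fires on sustained CPU above 70% together with disk writes above 40 MB/s on a VM, and the file-server variant suggested above, where encryption happens on an infected client and the VM only sees high disk and network write rates with low CPU. The 70% and 40 MB/s thresholds come from the thread; the network write threshold, the "two consecutive samples" requirement, the exclusion window for a SQL VM, and all VM names and counter samples are assumptions constructed for the example.

```python
"""Toy evaluator for a "possible ransomware activity"-style alarm over
per-VM performance counter samples.  Added example, not Veeam ONE code.
CPU 70% and disk write 40 MB/s come from the thread; everything else
(network threshold, streak length, sample data, VM names) is assumed."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Sample:
    vm: str
    at: datetime
    cpu_pct: float
    disk_write_mbps: float
    net_write_mbps: float  # assumed counter: data written into the VM over the network


@dataclass
class AlarmRule:
    cpu_pct: float = 70.0           # from the thread
    disk_write_mbps: float = 40.0   # from the thread
    net_write_mbps: float = 30.0    # assumed threshold for the file-server case
    consecutive: int = 2            # samples in a row before firing (assumed)
    excluded_vms: set = field(default_factory=set)
    # per-VM (start, end) time-of-day windows during which the alarm is
    # suppressed, e.g. a nightly SQL maintenance job that legitimately
    # drives CPU and disk writes high
    exclusion_windows: dict = field(default_factory=dict)

    def is_excluded(self, s: Sample) -> bool:
        if s.vm in self.excluded_vms:
            return True
        for start, end in self.exclusion_windows.get(s.vm, []):
            if start <= s.at.time() < end:
                return True
        return False

    def matches(self, s: Sample):
        # Rule A: the original alarm. Encryption running inside the VM
        # pushes both CPU and disk write rate up together.
        local = (s.cpu_pct >= self.cpu_pct
                 and s.disk_write_mbps >= self.disk_write_mbps)
        # Rule B: the file-server case from the thread. An infected client
        # encrypts files over a mapped drive, so the VM's CPU stays low but
        # disk writes and incoming network writes both climb.
        remote = (s.net_write_mbps >= self.net_write_mbps
                  and s.disk_write_mbps >= self.disk_write_mbps)
        if local:
            return "local-encryption"
        if remote:
            return "network-driven-writes"
        return None


def evaluate(samples, rule: AlarmRule):
    """Return [(vm, first_breach_time, reason)] for every VM whose samples
    breach the rule for rule.consecutive samples in a row. A single spike
    resets as soon as a clean sample follows; excluded samples never count."""
    alerts = []
    streak = {}  # vm -> (count, first_breach_time, reason)
    for s in sorted(samples, key=lambda x: (x.vm, x.at)):
        reason = None if rule.is_excluded(s) else rule.matches(s)
        if reason is None:
            streak.pop(s.vm, None)
            continue
        count, first, _ = streak.get(s.vm, (0, s.at, reason))
        count += 1
        streak[s.vm] = (count, first, reason)
        if count == rule.consecutive:  # fire once per sustained streak
            alerts.append((s.vm, first, reason))
    return alerts


def _t(h, m):
    return datetime(2016, 12, 5, h, m)


# Constructed sample data (not real counters).
SAMPLES = [
    # desktop VM encrypting its own disk: CPU and disk writes both high
    Sample("ws-01", _t(9, 0), 85, 55, 2),
    Sample("ws-01", _t(9, 5), 90, 60, 2),
    # file server written to over a mapped drive: low CPU, high disk + network writes
    Sample("fs-01", _t(9, 0), 12, 48, 47),
    Sample("fs-01", _t(9, 5), 14, 52, 50),
    # SQL VM running its 02:00 maintenance job: high, but inside its exclusion window
    Sample("sql-01", _t(2, 0), 95, 120, 5),
    Sample("sql-01", _t(2, 5), 93, 110, 5),
    # one-off spike on a web VM, not sustained: must not fire
    Sample("web-01", _t(9, 0), 75, 45, 3),
    Sample("web-01", _t(9, 5), 20, 3, 1),
]

# SQL VM excluded between 01:30 and 03:00 only; the same thresholds apply otherwise.
RULE = AlarmRule(exclusion_windows={"sql-01": [(time(1, 30), time(3, 0))]})


def run():
    return evaluate(SAMPLES, RULE)


if __name__ == "__main__":
    for vm, first, reason in run():
        print(f"{first:%H:%M} {vm}: {reason}")
```

With the exclusion window in place only ws-01 (rule A) and fs-01 (rule B) fire; running `evaluate(SAMPLES, AlarmRule())` without the window also fires for sql-01, which is the false-positive pattern Mark reports later in the thread and the reason the exclusion list exists. The streak requirement is the cheap way to keep a single spike from paging anyone, at the cost of the detection lagging by one sampling interval.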

Re: "Possible ransomware activity" alert

by lando_uk » Mon Dec 05, 2016 3:11 pm

Had a few hits of this monitor over the last few days, all our SQL VMs, so I've excluded those.
Only time will tell if this triggers when a real outbreak happens, which hopefully won't happen anytime soon...
lando_uk
Expert
 
Posts: 244
Liked: 18 times
Joined: Thu Oct 17, 2013 10:02 am
Location: UK
Full Name: Mark

Re: "Possible ransomware activity" alert

by Shestakov » Mon Dec 05, 2016 3:12 pm

Thanks for the feedback, Mark!
Much appreciated.
Shestakov
Veeam Software
 
Posts: 5027
Liked: 419 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: "Possible ransomware activity" alert

by lando_uk » Sat May 13, 2017 12:01 am

Just reviving this post, what with all the chaos going on. Has anyone had a real infection yet, and did this alert inform them?
lando_uk
Expert
 
Posts: 244
Liked: 18 times
Joined: Thu Oct 17, 2013 10:02 am
Location: UK
Full Name: Mark
