- 
				dburris
- Novice
- Posts: 6
- Liked: never
- Joined: Jun 03, 2009 4:24 pm
- Full Name: Dave Burris
- Contact:
Re: New ransomware that targets backups. Are we susceptible
What if someone gains admin access to the Veeam B&R server, deletes the backups, and then encrypts files? I understand we could use external USB drives or tapes to keep the data safe. But what if we are relying on Veeam Cloud Connect for off-site backups? I see there is an option there too to "Delete from disk". Is there a way to keep the Veeam Cloud archives safe in this scenario?
Thanks,
Dave
			
			
									
						
										
- 
				Gostev
- Chief Product Officer
- Posts: 32751
- Liked: 7966 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Your service provider certainly can arrange that. One way that immediately comes to my mind is to set up periodic storage-based snapshots on the backup repository.
			
			
									
						
										
						- 
				thjones
- Lurker
- Posts: 1
- Liked: never
- Joined: Dec 24, 2016 3:39 pm
- Full Name: Kenneth
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Is it enough to use Windows Defender as an antimalware scanner on each computer? In addition, I can conduct a strong password policy, update all antimalware and net protecting software, plus keep primary security rules https://www.bestvpnrating.com/blog/9-ti ... rd-snowden I mean, if I maintain the security system in decent order, will this new malware penetrate in the system or pass round?
			
			
									
						
										
						- 
				Gostev
- Chief Product Officer
- Posts: 32751
- Liked: 7966 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Of course it would, because Windows Defender only carries signatures to known malware. If you're "lucky" to get a newly released one, it won't protect you.
			
			
									
						
										
						- 
				lukejf
- Enthusiast
- Posts: 66
- Liked: 5 times
- Joined: Jul 10, 2012 8:15 am
- Full Name: Luke
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Hey guys,
I see some of you are using non-domain-joined Veeam servers. How do you go doing restores directly back to the servers, i.e. AD users, mailbox objects? We found in version 8 it failed to complete file restores correctly unless it was on the domain.
We always use tape, however we would like some tips on securing the backup repository.
			
			
									
						
										
- 
				Mike Resseler
- Product Manager
- Posts: 8285
- Liked: 1361 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Hi Luke,
Can't remember well how it was in v8, but today this should not be a problem. For example, see here https://helpcenter.veeam.com/docs/backu ... tml?ver=95 to recover AD objects, where you can specify a particular username / pwd to connect to your AD for restore. Do note, however, that your networking must allow this, so look at the requirements for ports also.
On the backup repository: I tend to use a specific account to connect to the backup repository, an account that isn't used for something else. Ransomware tends to run in a user context (the user that it used to start its bad things) so if that account is not used, it won't succeed in encrypting your backup files. Please don't forget to store that account / pwd somewhere in a safe (preferably outside the company premises) so that in the worst case you have access to the files.
			
			
									
						
										
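One way to check the dedicated-account advice in the post above, as an added example that is not part of the original thread: list every identity other than the expected ones that can write to or delete from the repository folder. The function name, the account `BACKUP01\svc-veeamrepo` and the path `D:\VeeamRepo` are hypothetical.

```powershell
# Added example, not from the thread: audit NTFS permissions on a repository folder.
function Get-RepositoryWriteExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical dedicated repository account plus the built-ins you accept.
        [string[]]$AllowedIdentity = @('BACKUP01\svc-veeamrepo', 'NT AUTHORITY\SYSTEM')
    )
    $fs = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a process overwrite, encrypt or delete backup files.
    # Modify and FullControl contain these bits, so they are caught as well.
    $risky = [int]($fs::Write -bor $fs::Delete -bor $fs::DeleteSubdirectoriesAndFiles -bor
                   $fs::ChangePermissions -bor $fs::TakeOwnership)
    # Some inherited ACEs carry raw generic bits (GENERIC_ALL, GENERIC_WRITE).
    $risky = $risky -bor 0x10000000 -bor 0x40000000

    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $risky) -and
            ($AllowedIdentity -notcontains $_.IdentityReference.Value)
        } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

# Hypothetical repository path; every row returned is an identity to review.
Get-RepositoryWriteExposure -Path 'D:\VeeamRepo' | Format-Table -AutoSize
```

This covers NTFS permissions on the folder itself; share-level permissions and accounts that are members of a listed group need a separate look.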

- 
				lando_uk
- Veteran
- Posts: 385
- Liked: 43 times
- Joined: Oct 17, 2013 10:02 am
- Full Name: Mark
- Location: UK
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Any known cases of this latest Ransom-WannaCry infecting backups? From the AV vendor info, the VBK extension isn't listed, so hopefully it's ok.
			
			
									
						
										
						- 
				Mike Resseler
- Product Manager
- Posts: 8285
- Liked: 1361 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Hi Mark,
From what I can find, VBK are indeed not affected by this one. But never say never as these tend to change very fast. Don't forget that MSFT has patched the security hole with the March update so make sure your machines are patched!
- 
				unsichtbarre
- Service Provider
- Posts: 236
- Liked: 40 times
- Joined: Mar 08, 2010 4:05 pm
- Full Name: John Borhek
- Contact:
Re: New ransomware that targets backups. Are we susceptible
We moved Veeam to a backup-only domain (no-email, no web-browsing, etc.) to gain the benefits of AD, while limiting exposure to Ransomware.
			
			
									
						
							John Borhek, Solutions Architect
https://vmsources.com
			
- 
				frankive
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Does anyone have a nice PowerShell script we can run to target clients and servers to see if the computer is protected from this attack?
For me it seems like the MS17-010 website refers to very many different KBs and also that some KBs replace others etc.
Would be great to have a PowerShell script we could execute on all servers and clients to verify if this gap is closed.
			
			
									
						
										
- 
				albertwt
- Veteran
- Posts: 965
- Liked: 55 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
- Contact:
Re: New ransomware that targets backups. Are we susceptible
Hi Frankie,
Check this script below:
https://gallery.technet.microsoft.com/scriptcenter/Script-for-check-Specific-46caba5d
https://gallery.technet.microsoft.com/scriptcenter/Powershell-Query-a-patch-67cf35f8
Hope that helps you.
--
/* Veeam software enthusiast user & supporter ! */
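A compact version of the check requested above, as an added example that is not part of the original thread and is not the code behind the linked TechNet scripts. `Test-MS17010Patch` is a hypothetical name, and the KB list is the March 2017 MS17-010 set, an assumption to verify against the bulletin before relying on it.

```powershell
# Added example (not from the thread): look for an MS17-010 update via Get-HotFix.
function Test-MS17010Patch {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Assumed list: the March 2017 KBs named by the MS17-010 bulletin.
        # Later rollups replace these, so append the superseding KBs you deploy.
        [string[]]$KnownKB = @(
            'KB4012598',                # Vista / Server 2008
            'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
            'KB4012214', 'KB4012217',   # Server 2012
            'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
            'KB4012606', 'KB4013198',   # Windows 10 1507 / 1511
            'KB4013429'                 # Windows 10 1607 / Server 2016
        )
    )
    foreach ($computer in $ComputerName) {
        try {
            $hit = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Where-Object { $KnownKB -contains $_.HotFixID })
            # No match is inconclusive, not proof of exposure: a newer
            # cumulative update may already contain the fix.
            $status = if ($hit.Count -gt 0) { 'Patched' } else { 'NoMatch-ReviewManually' }
            $detail = ($hit | ForEach-Object { $_.HotFixID }) -join ', '
        }
        catch {
            $status = 'QueryFailed'
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ ComputerName = $computer; Status = $status; Detail = $detail }
    }
}

# Local machine by default; pass -ComputerName for a list of servers and clients.
Test-MS17010Patch | Format-Table -AutoSize
```

Because some KBs replace others, as noted in the question, treat `NoMatch-ReviewManually` as a prompt to check the machine's latest cumulative update rather than as a verdict.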