Comprehensive data protection for all workloads
mkaec
Veteran
Posts: 483
Liked: 144 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by mkaec » 1 person likes this post

SimonS wrote:...
In this case Data mover is running on linux repository, and backup files are not visible to Windows world
...
I imagine an attacker could still use the Veeam UI to delete the files.

The best non-airgapped solution I've heard of is a cloud provider that will not honor delete requests unless the files are of a certain age.
billcouper
Service Provider
Posts: 167
Liked: 40 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by billcouper » 1 person likes this post

@mkaec "Backup file deletion prevention" is a feature Veeam Cloud Connect supports :)
SimonS
Influencer
Posts: 12
Liked: 4 times
Joined: Jan 26, 2018 11:19 am
Full Name: Simon Setina
Location: Slovenia
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by SimonS » 1 person likes this post

mkaec wrote:...

I imagine an attacker could still use the Veeam UI to delete the files.
If you have access to Veeam UI you can do anything :) .

But, we are taking about Ransomware and deleting/encrypting backup files. in this case, you must prevent easy acces to this files.To do that, is the best way using devices with no directy access (CIFS/NFS/local file system), but external boxes, Linux (SSH, Data mover), ExaGrid (Data mover), DataDomain (DDbost) and HPE StorOnce (Catalyst). Linux is cheapest solution.
DataDomain have feature Retention Lock, which prevent deleting/changing files until expiration period. Retention Lock work only wtih NFS/CIFS not with DDbost.

The best way to prevent delete your backups and have it localy is still old fashioned tape libraries 8).
CloudMSP
Service Provider
Posts: 43
Liked: 11 times
Joined: Jul 16, 2017 5:39 am
Full Name: Veeam MSP
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by CloudMSP »

We have a local BDR server onsite running Windows Server, it's the B&R server, if we keep this off the domain, and have unique passwords, and AV. Will this protect it from getting crypto for the most part? Login to the BDR is only from Screen Connect and not from the customer LAN or servers.
Gostev
Chief Product Officer
Posts: 32761
Liked: 7971 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by Gostev »

CloudMSP wrote:We have a local BDR server onsite running Windows Server, it's the B&R server, if we keep this off the domain, and have unique passwords, and AV. Will this protect it from getting crypto for the most part? Login to the BDR is only from Screen Connect and not from the customer LAN or servers.
Not fully, because your backups are online. Passwords can be obtained by hackers via keyloggers, sniffers, social engineering etc. Also, what some of your co-workers may get upset and sicks ransomware there (or just deletes all backups)... you'd be surprised how often this happens.

Secure design is definitely adds a good level of protection, but only offline backups in a fireproof safe can give you 100% assurance.
Niksavoy
Influencer
Posts: 12
Liked: never
Joined: Sep 24, 2013 3:46 pm
Full Name: Nikolay Savov
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by Niksavoy »

I want to share the situation I encountered yesterday with my client.
Recently, the VBR solution was transformed with this client as a backup server on physical machine with 2012 R2 with local drives and running VBR server, Backup proxy and Repository functions, as well as several virtual Backup proxies.
Also has not yet been expanded and finished.
I was saying IT WAS because yesterday the customer found that five days ago it was completely encrypted, including backup files.
It was hit by CMB Dharma Ransomware, Cryptovirus
Unfortunately, still did not have backup-copy or replication for objective reasons.

Luckily, no other machine from the production was affected
Or to say for now ?

I use Veeam from v 7 now I understand that my approach obviously needs to change and obviously Backups, backup-copys, DR Replications, DR Backup-Copy in multiple places seems to be vulnerable to similar attacks.
As I read the previous few pages, I thought of the following solution to the problem - i want to share you opinion :

A QNAP QSync application is installed on the Windows Server Backup Repository pointing to the folder containing Backups-Copy from Veeam BR
in this way in real-time folders are synchronized with the QNAP storage where Volume-Snapshots are activated for a period of 30 days, for example
On QNAP we have enabled the Network Recycle Bin-a so deleted files are not deleted from QNAP - only admin can do so but not the Account for QSYNC

How do I imagine it?
QNAP NAS connection credentials remain hidden in the QSYNC application - it connects through HTTPS port 443 to QNAP-a (LAN or WAN for off-site )
There is no link in Veeam for this resource at all also aint in windows it self.
Even if you get encryption QNAP Volume snapshots can restore the entire Volume with a mouse keyboard and monitor to QNAP itself - if you have ecncrypted file restore -1 step .....
When deleted, the files will also remain on QNAP just for admin usage
QNAP NAS also supports RSync to other QNAP NAS - even Volume Replication - can be expanded as a configuration


Is it interesting to share your opinion on such a solution for any hidden obsticles i have missing ?

Kind Regards
Niksavoy
stlspartan
Lurker
Posts: 2
Liked: never
Joined: Jun 11, 2015 9:53 pm
Full Name: Patrick Cameron
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by stlspartan »

I know this thread is old.

We use QNAP NAS devices for near-line backup and backup copy archives at out DR location. When we learned of the risk of malware deleting backups we were reluctant to usek tape, since we had worked hard to eliminate it. Our solution was to restrict access to the backup shares to a single account used only by Veeam and, more importantly, we installed QNAP models that support snapshot volumes. The snapshot management is only through the admin account on the QNAP. We keep 7 daily snapshots on all the Veeam volumes. By doing this, should a person or malware manage to gain access to the Veeam repository shares and delete the files, they can be recovered from the snapshots. The existence of snapshots is invisible through the SMB interface used by Veeam.
Blue407
Enthusiast
Posts: 99
Liked: 13 times
Joined: Apr 12, 2016 2:14 pm
Full Name: Paul Thomas
Contact:

[MERGED] Securing backup server - Best Practice?

Post by Blue407 »

Morning All

I'm looking for advice and best practice on ways to secure our Backup server. Its Windows based and on the Domain, it has a 2nd network card which connects to additional storage on Synology NAS's. No other machines on the network have physical access to this network.
The backup server has local storage with backups on it as well as on the Synology, plus we backup to tape nightly. This server is on the network and we currently administer it via RDP, rather than using a B&R console on another PC.

Obvious concerns are things like Ransomeware etc.
wishr
Veteran
Posts: 3077
Liked: 455 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: Securing backup server - Best Practice?

Post by wishr » 1 person likes this post

Hi Paul,

I'm merging your topic to an existing discussion - please take a look and let us know if you have any additional questions.

Thanks
Blue407
Enthusiast
Posts: 99
Liked: 13 times
Joined: Apr 12, 2016 2:14 pm
Full Name: Paul Thomas
Contact:

Re: What is the best way of protecting the Veeam Backup server?

Post by Blue407 »

@Wishr
I'm not looking at recovery and backup options for the B&R server, I'm looking at hardening it and best practice to protect it.
So things like disabling internet access, removing non-required Domain accounts access etc Stuff like that.
wishr
Veteran
Posts: 3077
Liked: 455 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: Yes, Ransomware can delete your Veeam backups.

Post by wishr » 1 person likes this post

Hi Paul,

I apologize, corrected it.

Here is an official whitepaper with additional materials at the bottom of it.

I'd suggest looking at those also: 1, 2, 3, 4.

Thanks
Post Reply

Who is online

Users browsing this forum: Amazon [Bot], Semrush [Bot] and 3 guests