-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 24, 2024 12:13 pm
- Full Name: Esa Riikonen
Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked
Hi,
I have worked with an environment where hackers encrypted a customer's servers with Windows built-in BitLocker and hid the key.
VM backups were taken at the VMware level, so all backup data was also encrypted.
It looks like this is quite a rising hacking method.
I just tested how Veeam 12.1.1 detects a BitLocker-encrypted VM:
1. Full backup and several increments taken from a test VM.
-> the last increment shows about 800MB read
2. Enable BitLocker and wait until the full disk is encrypted
3. New incremental backup
-> Veeam now shows the full 90GB boot disk read
No warning at all that the disk changed to an encrypted volume/disk.
Also, the next mail with the Malware Detection report shows 0.
Veeam ENT+ used.
I opened a support case and got an answer:
BitLocker is a legitimate encryption tool developed by Microsoft to protect data stored on Windows computers. It's intended to enhance security by encrypting entire disk volumes, preventing unauthorized access to data in case the device falls into the wrong hands. It's a proactive security measure rather than a malicious attack like ransomware. Thus, it's expected that Veeam does not identify it as ransomware.
From the customer's side, they see the disks as unavailable encrypted disks, no matter how they are encrypted !!!!
-
- Chief Product Officer
- Posts: 31749
- Liked: 7252 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Veeam 12.1.1 do not detect Bitlocked disk as encrypted
Hi, this is currently by design.
Our inline encryption detection feature is specifically designed to detect malicious encryption by malware. The proprietary ML model this feature uses is specifically trained on different types of malware-produced encryption.
Further, many of our customers use Bitlocker encryption heavily on production machines. At Veeam, Bitlocker is the requirement for ALL machines. Flagging Bitlocker encryption in VBR would mean flagging every backup of every machine every time.
Thanks
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 24, 2024 12:13 pm
- Full Name: Esa Riikonen
Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked
1. Using BitLocker is not very common.
-> It does not protect against ransomware
-> It makes it impossible to restore individual files in most cases
-> It makes backup data much bigger
2. BitLocker is a very efficient tool for today's hackers, especially if ransomware-detecting software (Veeam) does not detect this as a data mess attack
-> there are several ways to enable BitLocker (PowerShell, AD group policy, etc.); no need to get special software injected into the server environment.
-> hackers can enable BitLocker and actually lock the filesystem after several months, to verify all backup data is also encrypted.
Veeam brought a new feature to compare changes in backup data to detect a possible encryption attack.
If someone (known or unknown) enabled BitLocker on a server, would it at least be nice to get a note: "looks like the new backup data has all changed compared to the previous backup. Is this expected?"
It is not a big deal to create a button: "detect all kinds of encryption changes": enable/disable
If you google "hacker uses windows bitlocker" you will get several examples....
Repeating myself: Personally I have seen an environment destroyed with MS BitLocker, ½ year of backups also......
-
- Chief Product Officer
- Posts: 31749
- Liked: 7252 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked
Thank you for your feedback.
-
- Expert
- Posts: 231
- Liked: 71 times
- Joined: Nov 07, 2016 7:39 pm
- Full Name: Mike Ely
Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked
Perhaps a simpler suggestion: similar to "VM abc.def is no longer in this backup" you could perhaps add a similar message for a similar period of time saying "VM ghi.jkl has enabled Bitlocker encryption"
'If you truly love Veeam, then you should not let us do this ' --Gostev, in a particularly Blazing Saddles moment
-
- Service Provider
- Posts: 90
- Liked: 23 times
- Joined: Feb 09, 2019 5:06 pm
Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked
Veeam definitely is able to detect FVE maps in System Volume Information; this should really generate a warning and error in VOne, as it could be used maliciously
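An added example, not part of the original thread and not Veeam code: a sketch of the "all the data changed compared to the previous backup, is this expected?" check requested earlier in the thread, using the 800MB and 90GB figures from the first post. The session data, VM names, thresholds and function names are constructed assumptions; real numbers would come from your own backup job reports.

```python
from statistics import median

# Constructed sample data (not Veeam output): disk size and the amount read by
# each incremental run, in MB, oldest first. "vm-test" mirrors the thread:
# ~800 MB increments, then a 90 GB read of a 90 GB disk after BitLocker.
SESSIONS = {
    "vm-test": {"disk_mb": 90 * 1024, "read_mb": [750, 820, 790, 800, 90 * 1024]},
    "vm-file": {"disk_mb": 500 * 1024, "read_mb": [4000, 5200, 4700, 6100, 5500]},
    "vm-sql": {"disk_mb": 200 * 1024, "read_mb": [9000, 11000, 10000, 120000]},
    "vm-new": {"disk_mb": 60 * 1024, "read_mb": [58 * 1024]},
}


def check_vm(disk_mb, read_mb, full_ratio=0.8, spike_factor=10, min_history=3):
    """Compare the latest incremental with the VM's own history.

    ALERT  - latest run re-read most of the disk and far exceeds the baseline
    WARN   - large spike over the baseline, but not a near-full re-read
    OK     - within the normal range
    NODATA - too few earlier increments to form a baseline
    Thresholds are assumed defaults and need tuning per environment.
    """
    *history, latest = read_mb
    if len(history) < min_history:
        return "NODATA", f"only {len(history)} earlier increments"
    baseline = median(history)
    of_disk = latest / disk_mb
    over_base = latest / baseline if baseline else float("inf")
    detail = f"read {latest} MB, {of_disk:.0%} of disk, {over_base:.1f}x baseline"
    if of_disk >= full_ratio and over_base >= spike_factor:
        # Also fires on a planned BitLocker rollout, hence the question.
        return "ALERT", detail + "; whole disk changed, is this expected?"
    if over_base >= spike_factor:
        return "WARN", detail
    return "OK", detail


def scan(sessions):
    """Return {vm_name: (verdict, detail)} for every VM in the data set."""
    return {name: check_vm(s["disk_mb"], s["read_mb"]) for name, s in sessions.items()}


if __name__ == "__main__":
    for vm, (verdict, detail) in scan(SESSIONS).items():
        print(f"{verdict:6} {vm}: {detail}")
```

The check is encryption-agnostic: it flags the full re-read itself, so it does not depend on the backup product classifying BitLocker as malicious.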