Host-based backup of VMware vSphere VMs.
Post Reply
esa.riikonen
Lurker
Posts: 2
Liked: never
Joined: Apr 24, 2024 12:13 pm
Full Name: Esa Riikonen
Contact:

Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked

Post by esa.riikonen »

Hi,
I have worked with environment were hackers encrypted customers servers with Windows build-in bitlocker and hide key
VM Backups taken as VmWare level: So all backup data also encrypted.

Looks this is quite rising hacking method :(

I just tested how Veeam 12.1.1 detect about Bitlocker encrypted VM:
1. Full backup and several increment took from test vm.
-> last increment shows about 800MB read
2. Enable Bitlocker and wait full disk encrypted
3. New incremental backup
-> Veeam shows now full 90GB boot disk read

No any warning about disk changed to encrypted volue/Disk
Also next mail about Malware Detection report shows 0
Veeam ENT+ used

I opened a support case and got an answer:

BitLocker is a legitimate encryption tool developed by Microsoft to protect data stored on Windows computers. It's intended to enhance security by encrypting entire disk volumes, preventing unauthorized access to data in case the device falls into the wrong hands. It's a proactive security measure rather than a malicious attack like ransomware. Thus, it's expected that Veeam does not identify it as ransomware.


From customer side, they sees disks as unawailable enrypted disks, no matter how they are encrypted !!!!
Gostev
Chief Product Officer
Posts: 31749
Liked: 7252 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam 12.1.1 do not detect Bitlocked disk as encrypted

Post by Gostev »

Hi, this is currently by design.

Our inline encryption detection feature is specifically designed to detect malicious encryption by malware. The proprietary ML model this feature uses is specifically trained on different types of malware-produced encryption.

Further, many of of our customers use Bitlocker encryption heavily on production machines. At Veeam, Bitlocker is the requirement for ALL machines. Flagging Bitlocker encryption in VBR would mean flagging every backup of every machine every time.

Thanks
esa.riikonen
Lurker
Posts: 2
Liked: never
Joined: Apr 24, 2024 12:13 pm
Full Name: Esa Riikonen
Contact:

Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked

Post by esa.riikonen »

1. Using bitlocker is not very common.
-> It do not protect agaist ramsonware
-> It makes unable to restore individual files most cases
-> It makes Backup data much bigger
2. Bitlocker is very efficience tool for todays hackers espesially if ramsonware detecting software (Veeam) do not detect this as data mess attackt
-> there are several ways to enable bitlocker Powershell, AD-group policy etc, no need get special software injected to server environment.
-> hackers can enable bitloker and actually lock the filesystem after several moth to verify all backupdata is also encrypted.

Veeam bring new feature to compare changes about backdata to detect possible encryption attack
If someone (known or unknown) enabled Bitlocker on server, would it be at least nice to get a note: "looks new backup data have all changed compared previous backup. Is this expected ?"

It is not a big deal to create a buttom: "detect all kind enclryption chages": enable/disable

If you google about "hacker uses windows bitlocker" you will get several examples....
Repeating myself: Personally I have see environment destroyed with MS Bitlocker, ½ year backups also......
Gostev
Chief Product Officer
Posts: 31749
Liked: 7252 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked

Post by Gostev »

Thank you for your feedback.
mikeely
Expert
Posts: 231
Liked: 71 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely
Contact:

Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked

Post by mikeely »

Perhaps a simpler suggestion: similar to "VM abc.def is no longer in this backup" you could perhaps add a similar message for a similar period of time saying "VM ghi.jkl has enabled Bitlocker encryption"
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
SnakeSK
Service Provider
Posts: 90
Liked: 23 times
Joined: Feb 09, 2019 5:06 pm
Contact:

Re: Veeam 12.1.1 do not detect hacker encrypt volumes with Bitlocked

Post by SnakeSK »

Veeam definetly is able to detect FVE maps in system volume information, this should really generate a warning and error in VOne, as it could be used maliciously
Post Reply

Who is online

Users browsing this forum: m.costantino and 124 guests