Every conversation I have with customers and partners nowadays involves sharing the latest information from Veeam on how to combat ransomware with a comprehensive approach. The data indicates that it is not a question of if but when an organization will have to deal with a ransomware incident. The reality is that ransomware is the cybersecurity incident we’ll have to deal with more likely than fire, flood or blood types of disasters.
Well, this answer changes over time. There have been examples that simply encrypt small or targeted datasets and some that have widespread exfiltration and lateral movement across an organization. I am often debrief of ransomware situations from the Veeam technical support team that guides organizations through ransomware incidents, and it is consistent to see how some of the threats move through an organization. The MITRE ATT&CK framework is a clear go-to in these areas if you haven’t seen it.
Prevention, Protection and Defense
I am a big believer of the NIST Cybersecurity Framework that focuses on five key functions: Identify, Protect, Detect, Respond and Recover. Veeam has capabilities mapped to each of these functions; and will continue to grow in this space. From a prevention, protection and defense standpoint, it is important to understand the difference and options available for how an organization can approach comprehensive protection.
It is a tall ask to seek broad prevention of ransomware, but I’d challenge with the right investments in proven effective techniques across the board your odds go up exponentially. A quick list of key prevention, protection and defense techniques include:
- User training: Everyone in an organization is part of the cybersecurity team, from the CEO to the coordinator; everyone needs cybersecurity training. IT included.
- Response planning in place: Having a plan on how to respond to ransomware is a great first start, this is a non-technical milestone. Being able to answer important questions such as: Who is in charge? Who do we notify? How do we work with external stakeholders? Are all important parts of a response plan.
- Follow the 3-2-1-1-0 rule: Three different copies of data, two different media, one of which is off-site. That’s where the rule starts, have comprehensive ransomware protection with at least one copy being immutable and zero surprises with recovery verification. The 3-2-1-1-0 rule is the way.
- Backup what needs to be recovered: This sounds cheeky, but it is relevant; you can’t recover what you don’t protect.
- Immutability everywhere: It is easier than ever to have immutable copies of backup data; there is no excuse not to have two or more copies of immutable backup data. There are now 36 qualified immutable solutions with Veeam.
- Confidence in recovery: Veeam has had SureBackup in the market for over 10 years, it’s definitely time to have automated recovery verification. This is critical to drive confident response to a ransomware incident. The Veeam Ransomware Trends 2023 report itself indicates that the most common element of a response playbook is a good backup:
I’ve been following a number of different resources to identify how ransomware behaves. Some of my favorite resources to learn about different behaviors and individual ransomware makers include the Veeam Ransomware Trends Report, the PC Security Channel on YouTube and this glossary of Common Ransomware Types.
From all of these resources, it is clear that different ransomware makers behave differently with a consistent set of impact on an organization. I take all of these behaviors: deletion, encryption, exfiltration and more as a serious wake-up call to ensure that organizations have complete control of their data.
Do I Need a Ransomware Risk Assessment
This is a fair question to ask, but many organizations may simply not be comfortable with the realities of the threatscape today. This is why we at Veeam have made a very easy to use ransomware risk assessment. This tool can give you a view of your data based on what we see at the highest level of trends, and a good starting point for your journey to comprehensive ransomware protection. I’ll be the first to admit, it gets specific quickly and sometimes it is better suited as a private conversation; but this assessment is a great place to start.
The single best practice that matters is to ensure you can recover your data from a ransomware attack. However, there are many that are part of a comprehensive ransomware protection strategy. Like the assessment recommendation, ransomware protection can get specific quickly based on what is being protected and where it is being stored. At a minimum, a comprehensive strategy for ransomware protection would include (but not be limited to):
- Immutability: From Veeam-ready object with immutability, tape, the Veeam Hardened Repository and more; there are more options than ever.
- Encrypting your backups: Veeam-based encryption to protect against Veeam backups leaving unintentionally.
- Verify backup recoverability: If ransomware gets in, the only option is to recover data. Be sure you are ready to go.
- Harden and limit access to your backup infrastructure: In a ransomware incident, this will be your most precious IT asset. Protect it and limit access as such.
Proactively monitor and update systems: Veeam ONE is great here, having Veeam ONE monitor your backup infrastructure as well as your production infrastructure will give you the visibility you need. And be sure to update your infrastructure, all of it.
- Have a recovery plan: Whether it is a daily-verified Veeam Recovery Orchestrator plan or a familiar and tested plan from your IT staff; this is a common missed opportunity for a lot of organizations during a ransomware incident. Have a plan.
What Tools Are Needed for Ransomware Protection?
The easy place to start is Veeam ONE. I guarantee you that Veeam ONE will tell you something about your environment that you didn’t know about, yet you should address. If you are just implementing Veeam ONE for the first time, do so in a model of least privilege. Do not use accounts for Veeam ONE that are in use elsewhere. Veeam ONE’s ability to monitor and report on possible ransomware activity and potential tampering with the Veeam Backup & Replication infrastructure are critical. Be sure to configure the immutability state and immutability change tracking alarms to be sent directly to security teams for example. Also make sure you are automating reports on any changes in the backup infrastructure in Veeam ONE.
I also recommend not having the Veeam infrastructure connected to the Internet and use explicit usernames and password for specific services and connections. I realize if you have already implemented Veeam, this may be a mountain of work. So, start small, make sure your backup repositories are using explicit credentials separate from credentials used elsewhere in an environment.
One technology I have been working on with Product Management recently is the Veeam Hardened Repository. We have made an attractive option for individuals who don’t have a lot of Linux skill and want it truly hardened. The new installable .ISO will configure the Linux environment for use as a Veeam Hardened Repository and automatically apply DISA STIG hardening that will make a very resilient backup repository. The Veeam Hardened Repository makes it easier than ever to have immutable backups on Linux:
What To Do During a Ransomware Attack?
The number one thing to do is keep calm. When I debrief from organizations in ransomware incidents, there is common behavior to isolate the infected systems and engage cybersecurity response teams. There are a number of courses of action, and the one thing all backup vendors agree on is to restore data. If ransomware gets in, the only option is to recover data. But also reach out to the right resources for expert advice. The Veeam critical incidents support team guides customers through successful ransomware recoveries every day with a highly trained group of experts who specialize in ransomware recovery.
Best Practices and a Comprehensive Strategy for Ransomware Protection Are Right Here at Veeam
Talk to us here at Veeam. We’re a leading provider of backup solutions worldwide. This is validated by the IDC tracker, the recent Gartner Magic Quadrant for Enterprise backup having Veeam again as a leader. Veeam also prepares the Ransomware Trends Report, one of the largest pieces of industry research of its kind. Coupled with solid product delivery over the years, a strong product roadmap and technical support to provide the ransomware recovery needed. Veeam is your place for comprehensive ransomware protection. If you want more, reach out to your Veeam rep or a reseller partner to take the next steps to comprehensive ransomware protection.