Ransomware attacks are on the rise – in 2021, the number of ransomware attacks rose by 92.7% compared to 2020 levels, with 2,690 attacks reported. In this short article, we’ll show you how Kasten K10 by Veeam can be leveraged to detect a common ransomware pattern in order to prevent data loss or corruption.
Follow along and get a visual by watching this demo video.
In the upper right of the screenshot is the Kasten K10 UI. Underneath is the terminal and on the left is the Falco dashboard. Falco is a helpful sidekick utility that’s used to display a real-time livestream of events that we want to detect:
Say a bad actor phished an admin and now has unrestricted access to Kasten K10. The attacker will first look to see what applications they have access to. You can see that they now have access to application namespaces:
In this scenario, the nginx server provides a frontend GUI, and the attacker wants to disrupt it because it serves revenue-generating activity. With unrestricted access, the attacker may look to see what restore points are available:
Once the attacker starts to discover data, the events pop up in near real time:
This detection policy has been written to be aggressive in detecting when an attacker could be performing discovery to determine the level of protection for the application:
The next step an attacker would want to take is to destroy the backups in preparation for a ransomware attack. They could attempt this action either via the Kasten K10 web interface or, as shown below, using the Kubernetes API:
In the Falco UI, we can see that these events have been detected:
In order to prevent this deletion, backup exports should be stored on immutable storage. Immutability is supported by Kasten K10 in both S3 and Veeam Hardened Repository locations. If immutability were enabled in this scenario, the failed attempts to delete K10 RestorePoints would be a strong early indicator of compromise.
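The discovery and deletion detections described above, sketched as an added example over Kubernetes audit events; it is not the Falco policy or any Kasten code from the demo. The `restorepoints` resource name, the user, the namespace and the object names are assumptions, and the sample events are constructed.

```python
import json

# Assumption: K10 RestorePoints show up in audit events under this plural
# resource name; adjust it to what your cluster's audit log records.
BACKUP_RESOURCES = {"restorepoints"}
DISCOVERY_VERBS = {"get", "list", "watch"}

def classify(event):
    """Return an alert label for one audit event, or None if irrelevant."""
    ref = event.get("objectRef") or {}
    # Audit logs emit several stages per request; score only the final one.
    if ref.get("resource") not in BACKUP_RESOURCES or event.get("stage") != "ResponseComplete":
        return None
    verb = event.get("verb", "")
    code = (event.get("responseStatus") or {}).get("code", 0)
    if verb in DISCOVERY_VERBS:
        return "restore point discovery"
    if verb in {"delete", "deletecollection"}:
        # A rejected delete is still reported: it is the early indicator.
        return "restore point delete failed" if code >= 400 else "restore point deleted"
    return None

def detect(lines):
    """Parse JSON-lines audit output and return one alert dict per hit."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        label = classify(event) if isinstance(event, dict) else None
        if label:
            ref = event["objectRef"]
            alerts.append({"label": label,
                           "user": (event.get("user") or {}).get("username", "unknown"),
                           "namespace": ref.get("namespace", ""), "name": ref.get("name", "")})
    return alerts

def _ev(verb, resource, code, stage="ResponseComplete", name=""):
    """Build one constructed audit event (not captured from a real cluster)."""
    return json.dumps({"kind": "Event", "stage": stage, "verb": verb,
                       "user": {"username": "admin@example.com"},
                       "objectRef": {"resource": resource, "namespace": "nginx", "name": name},
                       "responseStatus": {"code": code}})

SAMPLE = [
    _ev("list", "restorepoints", 200), _ev("list", "restorepoints", 0, stage="RequestReceived"),
    _ev("get", "pods", 200, name="nginx-0"), _ev("delete", "restorepoints", 200, name="rp-1"),
    _ev("delete", "restorepoints", 403, name="rp-2"), "{truncated",
]
```

Running `detect(SAMPLE)` yields three alerts: one discovery, one successful delete and one rejected delete.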
We hope you’ve enjoyed this quick look at how Kasten K10 helps to detect and analyze ransomware attacks in real time.