The prevalence of cyber threats and ransomware is creating a lot of fear, uncertainty, doubt and lies. Possibly the biggest area of misunderstanding is how ransomware interacts with systems and infrastructure.
You are probably reading about new threats like Money Message, Maze, or many others and you want to be prepared. The first victim when you are dealing with cyber resilience is often the truth.
What Do We Know?
We’ve seen a lot of incorrect information circulating about the payload behavior of these threats. This behavior includes disabling critical services on a system, such as anti-virus platforms and database platforms. Additional behavior includes terminating common applications such as text editors and collaboration applications. Myth debunked: Any ransomware payload is in the business of interrupting normal infrastructure behavior.
What Is the Problem?
Most ransomware payloads are deployed through one or more (usually a combination) of the common entry points; phishing email, exploiting a vulnerability and taking advantage of remote access are among the top offenders. If you are not familiar with the MITRE ATT&CK framework, it outlines some of the behaviors seen once a threat actor is underway. The ransomware payload on a network will then look to impact the infrastructure. Myth debunked: The problem is that a threat actor has access to a network with privileges and is deploying a payload.
What About My Veeam Infrastructure?
Veeam is very flexible in its deployment, but the takeaway is ensuring your infrastructure is implemented well. Here are some great starting points:
- Veeam Best Practices Guide: Secure – Veeam Backup & Replication Best Practice Guide
- Ensure you have immutable backup copies: Immutable Backup Solutions: Linux Hardened Repository (veeam.com)
- If you are using the Veeam Hardened Repository (VHR) see these great resources: Securing Veeam Hardened Repository against remote time attacks and Installing Ubuntu Linux for Veeam Hardened Repository
- Using object storage? Make sure it is Veeam Ready – Object Immutability qualified.
Myth debunked: Veeam has a self-describing portable data format. Even if all other protections fail, an immutable, offline or air-gapped copy of data can drive recovery with no prior knowledge of the source infrastructure. Additionally, Veeam can easily recover to a new infrastructure such as the public cloud.
What Does Veeam Do To Detect Ransomware?
Short answer, a lot. See the following resources:
- Veeam ONE: Configure, Notify, Action: Veeam ONE’s ransomware detection | Veeam Community Resource Hub
- SureBackup Scans: How to Scan Backups for Ransomware – Veeam
- Veeam Recovery Orchestrator Ransomware Scans: How Orchestrator Performs Ransomware Scan – Veeam Disaster Recovery Orchestrator User Guide
Fancy automation? You can use the Data Integration API and the Publish PowerShell cmdlet, which allow you to scan the backup data under management by Veeam with your anti-virus platform of choice.
And there is always Secure Restore: How to improve security with Veeam DataLabs Secure Restore.
Additionally, there are a number of projects underway to bring more Veeam capabilities to market. In the meantime, you can view the recent Ransomware Recovery Summit and attend VeeamON for a solid block of ransomware content (including content online now for on-demand virtual attendees). Myth debunked: Veeam provides freedom of choice in what is used for detection in conjunction with an organization’s standard cybersecurity practices while at the same time providing the ability to leverage the backup data for detection.
What Can I Do About This?
Our advice is to follow the advice we bring to market. Talk to your Veeam rep, talk to your partner and take steps to ensure you’ve implemented well and are ready to drive data recovery. We have had the capabilities in the market for a number of years to keep data safe from ransomware, and we took it to the next level with V12. So much so, we now have the Veeam Ransomware Recovery Warranty. The advice we are bringing to market works. I speak with the Veeam Critical Incident support team (where ransomware cases go) often, and the advice they give me, I relay right back out to the market. If you haven’t upgraded to V12, check out the V12 Upgrade Center where you can get started today.
I’ll Say It Again: The Truth Matters
There are a number of ransomware threats out there, and the reality is that the data indicates that a cybersecurity incident is much more likely to occur than ‘traditional’ disasters such as fire, flood and blood. Veeam is in the business of keeping your business running. The Veeam Data Platform is in place to give you Data Security, Data Recovery and Data Freedom when you need it most.
For more on Veeam and Ransomware – join our Ransomware Summit.