
How to Investigate 'Encrypted Data Event' from Malware Detection

KB ID: 4632
Product: Veeam Backup & Replication | 12.1 | 12.2
Published: 2024-07-01
Last Modified: 2024-09-13

Version Requirement
This tool only works for malware inline detection events created by Veeam Backup & Replication 12.1.2 and newer. Previous versions of Veeam Backup & Replication are not supported.
Protected Workload Guest OS Requirement
This tool only supports investigating Windows-based workloads.

Purpose

This article documents how to investigate which files are encrypted within a machine when the Malware Detection system flags a machine as having Encrypted data.

Solution

Identify Malware Detection Event ID

The Find Encrypted Data script requires the user to provide the Malware Detection Event ID to investigate.

The following PowerShell script can be used to output a list of recent Malware Events:

# Replace with the object name as shown in the Name column of the VBR UI.
$objectName = "objectName"

# Outputs a list of malware events where encrypted data was detected for the specified machine,
# newest first. The Id column is the Malware Detection Event ID the investigation script needs.
Get-VBRMalwareDetectionEvent |
    Where-Object { $_.ObjectName -eq $objectName -and $_.EncryptedDataInfo.AnalyzerResult -ne 0 } |
    Sort-Object -Property DetectionTime -Descending |
    Format-List Id, ObjectName, DetectionTime, Status, Message

Run the Find Encrypted Data PowerShell Script

With the Event ID to be investigated now identified, pass that GUID to the find-encrypted-data.ps1 script:

.\find-encrypted-data.ps1 <event-id-guid>
How It Works
  • The script compares the ransomware index (ridx) file of the restore point associated with the malware event ID provided with the ridx of the prior restore point to determine which disk offsets should be investigated.
  • The script then mounts the restore point for investigation and looks up the files that occupy the offsets identified in the previous step.
  • Each file associated with a suspect offset is checked to determine how much encryption is present in the file's first megabyte (the default scan size).
  • The file path, its offset, and the percentage of encryption found in the first 1MB are then written to the results CSV.
Considerations and Limitations
  • The results files are named after the GUID of the machine's disk being investigated. If the script is run multiple times for the same machine, the results of a previous run are overwritten. If you are investigating multiple malware events across different restore points, copy the results CSV files from earlier runs to a different location before running the script again.
  • A file being present in the results CSV does not mean it was maliciously encrypted; it only means the file existed at an offset where encryption was detected. Environments that make heavy use of file-level encryption may receive false-positive alerts and should adjust the Encryption Detection sensitivity as needed.
  • The final column of the CSV report displays the percentage of encryption detected in the first 1MB of the file. As most ransomware encrypts only a portion of each file, the tool checks only the first 1MB of each file to keep investigation time reasonable.
    If a file is listed in the report with 0% in the final column, there are two possible reasons:
    • Part of the file is located in blocks where encryption was detected, but the file itself is not encrypted.

      or
    • The file is encrypted, but not within its first 1MB.

    This tool cannot differentiate between these two possibilities because it reviews only the first megabyte of each file; such files require manual review.

Review Results CSV File

The find-encrypted-data.ps1 script will create a subfolder named "output" and write the results CSV file into that folder.

Example: {b20c3fe9-927c-4aca-b4f4-d93b1ecdab9b}_Volume0_result.csv

Open the CSV file in a spreadsheet editor or plain text editor and review the results.

As this tool only checks for encryption within the first MB of a file, false positives may occur, and a manual review by an administrator is necessary to determine whether a file has been impacted by malware/ransomware.
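The steps above can be chained into a single triage run. The following script is an added example written for this article; it is not part of the Veeam KB or of find-encrypted-data.ps1. It assumes it is run on the backup server with the Veeam PowerShell module loaded, from the folder that contains find-encrypted-data.ps1 (so the tool's "output" subfolder is created next to it), and, as stated above, that each result CSV lists the file path in its first column and the encryption percentage in its last column; the header names are not documented, so they are read from the CSV rather than hard-coded. It picks the newest "encrypted data" event for a machine, moves any earlier output aside so it is not overwritten, runs the tool, and then groups the flagged files by directory and extension while counting the 0% rows that still need a manual look.

```powershell
# Added example, not part of the Veeam KB or of find-encrypted-data.ps1.
# Assumptions: runs on the backup server with the Veeam PowerShell module loaded,
# from the folder that contains find-encrypted-data.ps1 (the tool's "output"
# subfolder is created next to it); each result CSV lists the file path first and
# the encryption percentage in its final column. Header names are not documented
# by the article, so they are read from the CSV rather than hard-coded.
param(
    [Parameter(Mandatory)] [string] $ObjectName,  # Name column in the VBR UI
    [int] $MinPercent = 1                          # threshold for "encrypted in first 1MB"
)

$toolDir   = (Get-Location).Path
$outputDir = Join-Path $toolDir 'output'

# Step 1: newest malware event for this machine in which encrypted data was detected.
$event = Get-VBRMalwareDetectionEvent |
    Where-Object { $_.ObjectName -eq $ObjectName -and $_.EncryptedDataInfo.AnalyzerResult -ne 0 } |
    Sort-Object -Property DetectionTime -Descending |
    Select-Object -First 1
if (-not $event) { throw "No 'encrypted data' malware events found for '$ObjectName'." }
Write-Host ("Investigating event {0} detected at {1}: {2}" -f $event.Id, $event.DetectionTime, $event.Message)

# Step 2: run the tool. It overwrites previous results for the same disk, so
# move any existing output folder aside first instead of losing it.
if (Test-Path $outputDir) {
    Rename-Item -Path $outputDir -NewName ('output-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
}
& (Join-Path $toolDir 'find-encrypted-data.ps1') $event.Id.ToString()

# Step 3: triage every result CSV the tool wrote.
$report = foreach ($csv in Get-ChildItem -Path $outputDir -Filter '*_result.csv' -File) {
    $rows = @(Import-Csv -Path $csv.FullName)
    if ($rows.Count -eq 0) { continue }
    $columns = @($rows[0].PSObject.Properties.Name)
    $pathCol = $columns[0]     # assumption: file path is the first column
    $pctCol  = $columns[-1]    # article: percentage is the final column
    foreach ($row in $rows) {
        $path = [string]$row.$pathCol
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $pctText = (([string]$row.$pctCol) -replace '%', '').Trim()
        $pct = 0.0
        [void][double]::TryParse($pctText,
            [System.Globalization.NumberStyles]::Float,
            [System.Globalization.CultureInfo]::InvariantCulture, [ref]$pct)
        [pscustomobject]@{
            Disk      = $csv.BaseName
            Path      = $path
            Directory = Split-Path -Path $path -Parent
            Extension = [System.IO.Path]::GetExtension($path)
            Percent   = $pct
            # 0% means either the file only shares blocks with encrypted data or it is
            # encrypted beyond its first 1MB; the tool cannot tell which, so flag for review.
            NeedsManualReview = ($pct -eq 0)
        }
    }
}

$flagged = @($report | Where-Object { $_.Percent -ge $MinPercent })
"Files with >= $MinPercent% encryption in the first 1MB: $($flagged.Count)"

"Flagged files by directory (ransomware usually sweeps whole folders):"
$flagged | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Flagged files by extension (one unfamiliar extension across many files is a common ransomware tell):"
$flagged | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Files at 0% that still need manual review: $(@($report | Where-Object NeedsManualReview).Count)"

# Keep the enriched table alongside the tool's own CSVs for the incident record.
if ($report) {
    $report | Export-Csv -Path (Join-Path $outputDir 'triage-summary.csv') -NoTypeInformation
}
```

Save it as, for example, triage-encrypted-data.ps1 in the same folder as the tool and run `.\triage-encrypted-data.ps1 -ObjectName "objectName"`. The per-directory and per-extension groupings are the quickest way to separate a ransomware sweep (many files, one directory tree, one new extension) from legitimate encryption scattered across unrelated files; the 0% count tells you how much manual follow-up remains before a restore point can be trusted.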


Download Information

Download Script

Filename: Investigation Tool Files.zip
Updated: 2024-06-28

MD5: 62F7F9F874189A1D5B48F8399F4CD6AE
SHA1: FC1D2CFDC1982DBADF3F2924656C0B95604E3BA4
