Ransomware Protection

Ransomware is maliciously created malware that finds and encrypts an organization’s files and storage. Through entry points like phishing emails, users can unintentionally allow this attack into the organization. Cybercriminals use this malware to extort money from the organization. With many ransomware attacks also seeking out all production and backup files and documents — and encrypting those too — the organization is left no choice but to meet the cybercriminals’ demands.

Veeam backup products are known for being simple, flexible and reliable — attributes that are key to your resiliency efforts. When it comes to a ransomware incident, resiliency is completely predicated on how you implement your Veeam backup infrastructure solution, the behavior of the threat and the course you take in remediating the threat.

To find implementation recommendations for ransomware resiliency, explore the following guidance:

• Protection of the Veeam Backup & Replication™ server and components
• Implementing Veeam capabilities for ransomware detection
• Ultra-resilient backup storage and the 3-2-1 Rule
• Multiple recovery techniques configuration
• Endpoint protection 
• Network-Attached Storage (NAS) protection
• Veeam encryption of backup data 
• Orchestrating recoveries of backups and replicas.

At Veeam, our approach to remediating ransomware is this:

Don’t pay the ransom. Restore the data — this is the only option. In spite of all of the education and implementation techniques that you may employ to stay resilient against ransomware, you should be prepared to defend against a ransomware incident if a threat is introduced. But what you may not have thought about is specifically what to do when a threat is discovered. Here are a few recommendations for remediation to have at your disposal should a ransomware incident happen:

VEEAM SUPPORT
There’s a special group within the Veeam Support organization that has specific operations to guide customers through restoring data in ransomware incidents. Since you don’t want to put your backups at risk, having this support is critical for your ability to recover.

COMMUNICATION FIRST
In disasters of any type, communication becomes one of your first challenges. Have a plan for how to communicate out-of-band with the right individuals. This plan can include group text lists, phone numbers or other mechanisms that are commonly used for on-call but expanded for an entire IT operations group.

EXPERTS
Have a list of security, incident response, identity management, etc. teams ready to contact if needed. They can be within the organization or external experts. If a Veeam service provider is used, there are additional value add-ons to their base offering that can be considered (such as Veeam Cloud Connect Insider Protection).

CHAIN OF DECISION
In recovering from any disaster, who makes the call to restore, to fail over and so on? Have discussions about this decision authority beforehand, so your chain of decision is ready to deploy should an incident arise.

READY TO RESTORE
When it’s appropriate to restore, implement additional safety checks before putting systems on the network again. Additional steps can include restoring with network access disabled for a final check.

RESTORE SAFELY
Veeam Secure Restore will trigger an antivirus scan of the image before the restoration completes. Veeam Secure Restore uses the latest antivirus and malware definitions, with the option of an additional tool, to ensure a threat is not reintroduced.

FORCE PASSWORD RESETS
While it’s not always popular with users, implementing a sweeping forced change of passwords reduces the threat propagation surface area.

According to Veeam’s 2022 Ransomware Trends Report, 44% of ransomware attacks began with a phishing email that either directed the user to a malicious website or caused them to open a malicious file directly on their computer. Phishing emails have become extremely convincing over the past few years and have evolved to use communication methods other than email. No matter how a phishing message is delivered, the end goal is to drive a sense of urgency to get the user to click without thinking.

Learn more about what you can do to spot phishing attacks.