The Polish Academy of Sciences accelerates ransomware recovery with Veeam

Through its doctoral student programs and postdoctoral research internships, the Institute strives to encourage and inspire current and future scientists in Poland and internationally.

Marek Śliwiński, IT Center Manager, Institute of Low Temperature and Structure Research, said: “To enable employees, students and researchers to do their work, we rely on a range of digital systems — from Microsoft collaboration and productivity solutions to specialized scientific applications. These solutions run on more than 50 virtual machines [VMs] hosted on 3 physical servers at our on-premises data center.”

To protect its data, the Institute previously saved incremental copies of its VMs to an on-premises network attached storage (NAS) array that was directly connected to its production environment. Using Veeam Backup Essentials — which combines the powerful and reliable data protection capabilities of Veeam Backup & Replication with the monitoring and reporting from Veeam ONE — the Institute created daily and weekly backups of its VMs, which it retained in the NAS environment for four weeks.

“Our data protection capabilities were put to the ultimate test when we were hit with ransomware,” said Śliwiński. “Attackers exploited a zero-day vulnerability in our Microsoft Exchange environment to encrypt between 10% and 45% of our file servers using BitLocker. Our backup environment was also briefly compromised — but fortunately, we were able to halt the attack quickly. In the end, around 2TB of our 50TB NAS backups were encrypted.”

The Institute heavily depends on its IT systems to carry out their work, so it was essential for the organization to recover as rapidly as possible. “After we’d stopped the attackers in their tracks, the first thing we did was contact Veeam,” said Śliwiński. “Within minutes, Veeam connected us to their support team and we were ready to begin the process of restoring our data.”

Veeam quickly put together a team of data protection experts to help the Institute to accelerate the recovery process.

“Soon after the attack, Veeam assigned one of their most senior employees to help us triage our systems,” said Śliwiński. “The guidance we received was invaluable. Veeam offered their expertise and best practices for restoring our systems, and augmented our IT team with their own support personnel to help carry out the work.”

The first priority for the Institute was to recover as much of the encrypted data as possible. Because the initial breach could have occurred months before the attack, the next step was to rebuild all systems from scratch — eliminating the risk of the attackers using the same exploit again.

“For around four weeks, we collaborated closely with Veeam to recover data from our encrypted file servers,” said Śliwiński. “Because we retain multiple point-in-time copies of our VMs, we had a great deal of data available to help us with the recovery effort. After many late nights and early mornings, we successfully recovered 80% of the encrypted data — allowing us to set up a temporary environment for our stakeholders to resume their work.”

In parallel with the recovery effort, the Institute began planning a new infrastructure that would mitigate the risk of future attacks. One of the key objectives was to isolate backup and production systems — limiting an attacker’s ability to move laterally through the environment and compromise the backup system. Based on its positive experiences with Veeam throughout the incident, the Institute decided to use Veeam Backup Essentials as the foundation for the new data protection environment.

“Renewing the license for the Veeam solution was an easy choice,” said Śliwiński. “Veeam offers one of the most cost-effective data protection solutions on the market, and the support they provided during the disaster recovery process was second to none. Because we know that Veeam is a trusted partner that we can depend on, we have also engaged them to manage backups to an off-site virtual tape library as an additional layer of protection.”

The Institute has successfully rebuilt its production and disaster recovery systems and is in the process of migrating its users from the temporary environment to the new platform.

“One of the biggest lessons learned is that it is crucial to keep an air gap between our production and backup systems,” said Śliwiński. “We now maintain three copies of our data: one in the production environment, one in our on-premises disaster recovery environment, and one in an off-site virtual tape library. If an incident like this were ever to happen again, it would be significantly faster and easier to recover.”

• Restored encrypted data, limiting long-term disruption from the attack.
  “From the moment of the attack until we restored our data, the support from Veeam was outstanding,” said Śliwiński. “Veeam offered us help throughout the recovery process and practical recommendations for the way forward. Above all, they were there when we needed them — you simply can’t put a price tag on something like that.”
• Increases the number of data copies, reducing future ransomware risks.
  The Institute now stores two copies of its data in addition to its production environment on different storage media — including an off-site backup for an additional layer of protection.
• Automates daily backup tasks, enabling a lean IT team to focus on support activities.
  “We only have three people in the IT Center, so it’s really important to spend as much of our time as we can on supporting our users,” said Śliwiński. “Thanks to Veeam, we have peace of mind that our data is always backed up on schedule.”