Hi! This demonstration shows how to use IO Meter, PowerShell scripts, Veeam Backup & Replication, and the Veeam ONE alarm remediation action to simulate a Ransomware attack response!

The Secure Restore operation is performed with Veeam Instant Recovery associated with Windows Defender antivirus scan, and the backup files are stored in an immutable Linux Hardened Repository!

The clickbait is a Teddy Bear icon 😃

This is a Hyper-V test environment.

Below we have the PowerShell script for the compromised VM. It just changes the wallpaper and blocks the keyboard and mouse input for some time.

It is necessary to have the IO Meter running in the background. Change the wallpaper name per your desired simulation.

Start-Sleep -Seconds 5
# Change the desktop wallpaper
$MyWallpaper="C:\skull-virus-malware.png"
$code = @'
using System.Runtime.InteropServices;
namespace Win32{
    public class Wallpaper{
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
        static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
        public static void SetWallpaper(string thePath){
            // 20 = SPI_SETDESKWALLPAPER, 3 = update the user profile and broadcast the change
            SystemParametersInfo(20,0,thePath,3);
        }
    }
}
'@
Add-Type -TypeDefinition $code
[Win32.Wallpaper]::SetWallpaper($MyWallpaper)
# Block keyboard and mouse input for a while
$code = @"
[DllImport("user32.dll")]
public static extern bool BlockInput(bool fBlockIt);
"@
$userInput = Add-Type -MemberDefinition $code -Name UserInput -Namespace UserInput -PassThru
function Disable-UserInput($seconds) {
    $userInput::BlockInput($true)
    Start-Sleep $seconds
    $userInput::BlockInput($false)
}
Disable-UserInput -seconds 300 | Out-Null

And we have the PowerShell script for the Veeam ONE remediation action. This script removes the hard disk and the network adapter from the affected Virtual Machine.

# Arguments passed by the Veeam ONE remediation action
$AlarmName=$args[0]
$AlarmState=$args[1]
$ObjectName=$args[2]

$Text="$(Get-Date)" + "`r`n" + "$AlarmName" + " Removed the Hard Disk drive and the Network Adapter on " + "$ObjectName" + "`r`n"

$Text | Out-File C:\Users\Administrator\Desktop\Ransomware_Sim\anti-ransomware_actions.txt -Append

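#Actions: Remove the Hard Disk and the Network Adapter from the affected VM (stops the encryption job and lateral movement)

# Note: Enter-PSSession is an interactive cmdlet; the Remove-VM* calls below reach the host through their own -ComputerName parameter.
Enter-PSSession -ComputerName LAB-DATACENTER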

Remove-VMHardDiskDrive -ComputerName LAB-DATACENTER -VMName "$ObjectName" -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0

Remove-VMNetworkAdapter -ComputerName LAB-DATACENTER -VMName "$ObjectName"

Exit-PSSession

Veeam ONE is a powerful tool available to customers from the most basic Veeam Data Platform licensing bundle.

One of its most valuable capabilities is contributing to operations automation.

To automate virtual and backup infrastructure troubleshooting, we can configure Veeam ONE to run remediation actions as soon as alarms are triggered.

We can also use Veeam ONE to detect and remediate a possible Ransomware action in the production environment. The remediation actions can be automatic or approved by the administrators.

Simulating these actions with a simple test environment is possible, as I will describe in this video.

I hope this video was helpful!

Demo of Ransomware remediation simulation with Veeam ONE – Cloud and Roll (cloudnroll.com)
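
A variant of the remediation script above, as an added example that is not part of the original post: it checks that the alarm's object name resolves to exactly one VM, saves the disk and adapter layout to a JSON file before detaching anything, and then removes every disk and adapter it recorded. The host name, log folder and argument order are taken from the post; the parameter names `$HvHost` and `$LogDir` and the JSON file name are assumptions.

```powershell
# Added example, not the author's script. Veeam ONE is assumed to pass
# alarm name, alarm state and VM name in that order, as in the post.
param(
    [Parameter(Mandatory, Position = 0)][string]$AlarmName,
    [Parameter(Mandatory, Position = 1)][string]$AlarmState,
    [Parameter(Mandatory, Position = 2)][string]$ObjectName,
    [string]$HvHost = 'LAB-DATACENTER',                                # host name from the post
    [string]$LogDir = 'C:\Users\Administrator\Desktop\Ransomware_Sim'  # log folder from the post
)
$ErrorActionPreference = 'Stop'   # any failed step aborts the script instead of continuing
Import-Module Hyper-V

# Refuse to act unless the name resolves to exactly one VM on the host.
$vm = @(Get-VM -ComputerName $HvHost -Name $ObjectName)
if ($vm.Count -ne 1) {
    throw "Expected one VM named '$ObjectName' on $HvHost, found $($vm.Count)"
}

# Record the disk and adapter layout first, so the VM can be examined or rebuilt later.
$disks = @(Get-VMHardDiskDrive -ComputerName $HvHost -VMName $ObjectName)
$nics  = @(Get-VMNetworkAdapter -ComputerName $HvHost -VMName $ObjectName)
$record = [pscustomobject]@{
    Time  = (Get-Date).ToString('o')
    Alarm = $AlarmName
    State = $AlarmState
    VM    = $ObjectName
    Disks = @($disks | Select-Object @{n='ControllerType';e={"$($_.ControllerType)"}},
                                     ControllerNumber, ControllerLocation, Path)
    Nics  = @($nics | Select-Object Name, SwitchName, MacAddress)
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$record | ConvertTo-Json -Depth 4 |
    Out-File (Join-Path $LogDir "$ObjectName-$stamp.json")   # hypothetical file name

# Detach every disk and adapter that was recorded above.
$disks | Remove-VMHardDiskDrive
$nics  | Remove-VMNetworkAdapter

# Append a summary line to the same text log the post's script writes to.
"$(Get-Date) $AlarmName detached $($disks.Count) disk(s) and $($nics.Count) adapter(s) from $ObjectName" |
    Out-File (Join-Path $LogDir 'anti-ransomware_actions.txt') -Append
```

The JSON record keeps the VHD paths, controller positions and switch names that are needed to reattach the hardware after the restore.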

Very interesting demo for VONE.  Love it. 👍


Chris, I like Veeam ONE so much because it helps a lot of users/customers.

It is natively included in the Veeam Data Platform Essentials, the Veeam entry bundle to SMB – up to 50 protected instances. These customers can get all the capabilities of the VBR and an excellent solution for monitoring, reporting, and automation of the vSphere, Hyper-V, and Veeam environments.

And for Veeam Backup for Microsoft 365, Veeam ONE is included free of charge.

Very nice!


Outstanding demonstration @leduardoserrano!


Thanks, @Iams3le ! 🙏🏻👍🏼

