hi veeam ommunity
Guidelines for responding to ransomware. Does anyone have instructions on what to do if, for example, one of the servers is infected with ransomware? I mean the actions related to veeam backup. I want to write an instruction and I want to use the experience of you experts.
Best answer by Andanet
View original
+17
Hi
Really, a lot of what you’re wanting will depend on your Business Continuity/Disaster Recovery Plan, your SLAs, and what to do in the event of malicious intent.
But, you can start by reviewing the User Guide under Malware Detection.
There is also some ‘suggestions’ Veeam has in a few Blogs. Let me see if I can find them for you. But again...details of what to do will be individualized by company policy.
+17
Here are the 2 posts I was referring to
https://www.veeam.com/blog/ransomware-protection-best-practices.html
https://www.veeam.com/blog/guide-to-ransomware-protection.html
Hope they help.
This is how I started:
1-1.Isolate the infected server
Disconnect the server from the network
Power down the server
1-2.4.Isolate Backup Systems:
Ensure that the backup systems are isolated from the network until the ransomware is completely eradicated. This prevents the ransomware from infecting your backup copies.
How to recover?
1.Select Entire VM Recovery
2.restore on original location or dedicate location?
3.select Secure Restore
4.Do not check this option: Power on after restoring
…
….
+17
Hi
Solid initial steps. I would also add to isolate your Backup Storage as well. I think you may have meant that in the section “Isolate Backup Systems”, but doesn’t hurt to be specific in adding that to be sure, since your backup storage (Repositories) is where the actual backed up data resides.
How you recover will be up to your org SLA agreed upon RTOs. You just need to know the speed of recovery options, generally speaking. From quickest to slowest is:
And, you can use Secure Restore for most recovery options, as noted in the Guide.
So, all that to say..you have a good start!
+7
This is how I started:
1-1.Isolate the infected server
Disconnect the server from the network
Power down the server
1-2.4.Isolate Backup Systems:
Ensure that the backup systems are isolated from the network until the ransomware is completely eradicated. This prevents the ransomware from infecting your backup copies.
How to recover?
1.Select Entire VM Recovery
2.restore on original location or dedicate location?
3.select Secure Restore
4.Do not check this option: Power on after restoring
…
….
In my experience, they will kill or encrypt all backup data, backup target hosts and repositories in the same domain, and VM servers in the same target domain. It’s too late to isolate Backup System after attack. You backup data complate gone in the same attack domain.
You must put the backup system in the non-production domain or workgroup. You must also follow the 3-2-1-1-0 rules at the initial stage (design and deployment).
Please keep in mind, please keey your backup configure file in the safe place (like as offline).
You need to rebuild the Backup system—reinstall the Veeam server in the non-production domain (workgroup), restore the backup configuration, etc.
This is how I started:
1-1.Isolate the infected server
Disconnect the server from the network
Power down the server
1-2.4.Isolate Backup Systems:
Ensure that the backup systems are isolated from the network until the ransomware is completely eradicated. This prevents the ransomware from infecting your backup copies.
How to recover?
1.Select Entire VM Recovery
2.restore on original location or dedicate location?
3.select Secure Restore
4.Do not check this option: Power on after restoring
…
….
In my experience, they will kill or encrypt all backup data, backup target hosts and repositories in the same domain, and VM servers in the same target domain. It’s too late to isolate Backup System after attack. You backup data complate gone in the same attack domain.
You must put the backup system in the non-production domain or workgroup. You must also follow the 3-2-1-1-0 rules at the initial stage (design and deployment).
Please keep in mind, please keey your backup configure file in the safe place (like as offline).
You need to rebuild the Backup system—reinstall the Veeam server in the non-production domain (workgroup), restore the backup configuration, etc.
My backup server is not in the domain, in addition to the backup in the repository, we also have a backup copy that is stored in the storage and a snapshot is also taken in the storage.
+17
+10
Remember: resilience is a “state of mind”… It's important to follow several pillars to have a correct process. Veeam ask to implement a Zero Trust Data Resilience (ZTDR) with several keys such as least privilege, immutability, system resilience, validation and operational simplicity.
Your 2 steps are correct but are not the only to do.
So you can write a sequence of instructions based on your infrastructure, the kind of ransomware and your backup status. For this Veeam explain you need to have multiple zone separated from backup system and production as descripted in image below before the attack
3-2-1-1-0 rule indicate by
Finally is not simple to create from zero a list of instructions and actions to take in case of attack but you need to have a correct plan for all concerned aspects.
I hope I’ve given you the right way to start your work.
+7
I agree with
Also, never use PowerShell or RDP from the production site to access your Trust Zoom. They can easily get your trusted zone information (including username, password, server name, IP…. etc.).
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
