Solved

instructions for responding to ransomware


Userlevel 5
Badge

Hi Veeam community,

Guidelines for responding to ransomware. Does anyone have instructions on what to do if, for example, one of the servers is infected with ransomware? I mean the actions related to veeam backup. I want to write an instruction and I want to use the experience of you experts.


Best answer by Andanet 6 March 2024, 17:20


9 comments

Userlevel 7
Badge +19

Hi @miriam1989 -

Really, a lot of what you’re wanting will depend on your Business Continuity/Disaster Recovery Plan, your SLAs, and what to do in the event of malicious intent.

But, you can start by reviewing the User Guide under Malware Detection.

There are also some ‘suggestions’ Veeam has in a few blogs. Let me see if I can find them for you. But again...details of what to do will be individualized by company policy.

Userlevel 7
Badge +19

Here are the 2 posts I was referring to @miriam1989 

https://www.veeam.com/blog/ransomware-protection-best-practices.html

https://www.veeam.com/blog/guide-to-ransomware-protection.html

Hope they help.

Userlevel 5
Badge
This is how I started:

1-1. Isolate the infected server
  - Disconnect the server from the network
  - Power down the server

1-2. Isolate Backup Systems:
Ensure that the backup systems are isolated from the network until the ransomware is completely eradicated. This prevents the ransomware from infecting your backup copies.

How to recover?

  1. Select Entire VM Recovery
  2. Restore to the original location or a dedicated location?
  3. Select Secure Restore
  4. Do not check this option: Power on after restoring
  ...

Userlevel 7
Badge +19

Hi @miriam1989 -

Solid initial steps. I would also add to isolate your Backup Storage as well. I think you may have meant that in the section “Isolate Backup Systems”, but doesn’t hurt to be specific in adding that to be sure, since your backup storage (Repositories) is where the actual backed up data resides.

How you recover will be up to the RTOs agreed upon in your org's SLA. You just need to know the speed of the recovery options, generally speaking. From quickest to slowest is:

  1. Restore using Veeam Replication - failing over to a replica is fastest (CDP fastest, then regular Replica failover)
  2. Instant Recovery - this is generally pretty quick as well; finalizing recovery can take some time, but getting a system up & running is fairly quick
  3. Entire VM Restores

And, you can use Secure Restore for most recovery options, as noted in the Guide.

So, all that to say...you have a good start!

Userlevel 7
Badge +7
In my experience, they will kill or encrypt all backup data, backup target hosts and repositories in the same domain, and VM servers in the same target domain. It’s too late to isolate the backup system after the attack. Your backup data is completely gone in the same attack domain.

You must put the backup system in the non-production domain or workgroup. You must also follow the 3-2-1-1-0 rules at the initial stage (design and deployment).

Please keep in mind: keep your backup configuration file in a safe place (for example, offline).

You need to rebuild the Backup system—reinstall the Veeam server in the non-production domain (workgroup), restore the backup configuration, etc.
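As an added example (not code from any post in this thread), here is a small Python check of a backup inventory against the 3-2-1-1-0 rule CarySun refers to. The inventory format, the rule interpretation (production data counted as one of the three copies, "zero errors" requiring every backup to have been restore-tested) and the sample entries are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str                    # "production", "disk", "tape", "object-storage", ...
    offsite: bool                 # held at a different site from production
    immutable: bool               # immutability / retention lock enabled
    offline: bool                 # air-gapped copy (disconnected from every domain)
    verify_errors: Optional[int]  # errors from last restore verification; None = never tested

def check_3_2_1_1_0(copies):
    """Evaluate an inventory (production data plus every backup) against 3-2-1-1-0.
    Returns {rule: (passed, detail)}; the rule interpretation is this example's assumption."""
    backups = [c for c in copies if c.media != "production"]
    media = {c.media for c in backups}
    offsite = [c.name for c in backups if c.offsite]
    protected = [c.name for c in backups if c.immutable or c.offline]
    unverified = [c.name for c in backups if c.verify_errors is None]
    with_errors = [c.name for c in backups if c.verify_errors]
    return {
        "3 copies": (len(copies) >= 3, f"copies: {[c.name for c in copies]}"),
        "2 media": (len(media) >= 2, f"backup media: {sorted(media)}"),
        "1 offsite": (bool(offsite), f"offsite copies: {offsite}"),
        "1 immutable/offline": (bool(protected), f"protected copies: {protected}"),
        # zero errors only counts if every backup has actually been verified
        "0 errors": (bool(backups) and not unverified and not with_errors,
                     f"errors: {with_errors}, never verified: {unverified}"),
    }

def failed_rules(copies):
    """Names of the rules the inventory does not satisfy, in rule order."""
    return [rule for rule, (ok, _) in check_3_2_1_1_0(copies).items() if not ok]

# Constructed inventory modelled on the setup described in the thread: a primary
# repository, a backup copy on the storage array and a snapshot on that same array.
SAMPLE = [
    DataCopy("production VMs", "production", False, False, False, None),
    DataCopy("primary repository", "disk", False, False, False, 0),
    DataCopy("backup copy on storage", "disk", False, False, False, 0),
    DataCopy("storage snapshot", "disk", False, False, False, None),
]

# Same inventory plus an offsite immutable object-storage copy and an offline tape
# export, both restore-tested (constructed values).
HARDENED = SAMPLE[:3] + [
    DataCopy("immutable object-storage copy", "object-storage", True, True, False, 0),
    DataCopy("tape export", "tape", True, False, True, 0),
]
```

Run `failed_rules(SAMPLE)` and `failed_rules(HARDENED)` to see which of the five rules each inventory misses.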

Userlevel 5
Badge

My backup server is not in the domain. In addition to the backup in the repository, we also have a backup copy that is stored on the storage, and a snapshot is also taken on the storage.

Userlevel 7
Badge +19

@miriam1989 nice! I also do storage replication. Nothing wrong with having data in as many locations as you can. Exceeding the 3-2-1-1-0 rule doesn't hurt 😊

Userlevel 7
Badge +10

@miriam1989 in case of a ransomware attack there are a lot of steps before starting with the restore:

  1. kind of ransomware 
  2. infrastructure status after attack
  3. backup status

Remember: resilience is a “state of mind”… It's important to follow several pillars to have a correct process. Veeam asks you to implement Zero Trust Data Resilience (ZTDR) with several keys such as least privilege, immutability, system resilience, validation and operational simplicity.

Your 2 steps are correct but are not the only ones to do.

So you can write a sequence of instructions based on your infrastructure, the kind of ransomware and your backup status. For this, Veeam explains that you need to have multiple zones separated from the backup system and from production, as described in the image below, before the attack.

The 3-2-1-1-0 rule indicated by @CarySun is only for backup status and it’s only for data.

Finally, it is not simple to create from zero a list of instructions and actions to take in case of attack, but you need to have a correct plan for all concerned aspects.

I hope I’ve given you the right way to start your work.

Userlevel 7
Badge +7

I agree with @Andanet.

Also, never use PowerShell or RDP from the production site to access your trusted zone. They can easily get your trusted zone information (including username, password, server name, IP, etc.).
