Skip to main content
  • EN

With multiple reports what seems to be about every week of ransomware attacks, especially the recent big one here in the States on the Colonial Pipeline, I thought it would be a great idea to start a continuing discussion on how best to protect your environment from ransomware. What are ways you can implement ‘security-in-layers’ and configure your backup environment to provide you and your company the best possible recovery scenario in the event of a ransomware attack?

I will not provide an exhaustive list, but will instead just begin this discussion off with a few configuration options for your BU/DR environment which can help protect you in the event of a ransomware attack. First, if you’re not aware, Veeam has transitioned from its “3-2-1 rule” to a more wholistic “3-2-1-1-0 rule” > 3 copies of data, 2 media types, 1 copy offsite, 1 copy immutable/airgapped, and 0 recoverability errors. With that in mind, I will start off with the following configuration options I recommend for your Veeam backup environment:

  • VBR server not domain-joined; use local user accounts for administration
  • Use storage integration with storage snapshot capability - my experience is with Nimble storage specifically. With Nimble snapshots, if you have an offsite array, you can create a ‘partner’ to the offsite array from your prod array and replicate snaps to it. We all know (I hope!) snapshots are not backups, but in this case, they actually are because a full copy of the data on your prod Nimble Volumes are replicated to the offisite array. I use Nimble arrays for both my prod data (VMware datastores) and for Veeam repositories. Separate arrays of course. I recommend configuring snapshots for both your prod data and Veeam repositories on your arrays. Multiple recoverability layers never hurts
  • A NOTE about Storage Integration with Veeam > within Veeam, in the Storage Integration tab, snapshots can be deleted; so if your VBR server gets compromised, not only can backups be deleted, but any snapshots/replicated snaps could be deleted as well. This doesn’t mean you should not use snapshots, but is something you need to be aware of
  • Utilize VeeamONE - VONE has a few reports/alarms which can help you detect there may be a problem with ransomware > Possible Ransomware Activity alarm, and the VM Change Rate History / Veeam Backup Files Growth reports. @kirststoner12  does a great job describing these VONE features in the linked article I provided above
  • Configure Immutable repository storage, using Veeam’s new Hardened Linux Repositories, or other vendor immutability solution (Amazon, Wasabit, etc). It has been said ransomware can lay dormant for up to 45 days, so having a retention period above this is recommended. There is no guarantee malware files are still not backed up to your immutable repository; but, your chances of recoverability are certainly hightened if you use this feature

 

Those are my handful of suggestions. What other ransomware protection suggestions do you have which you use in your or your customer’s environments?

And to add to this list for MSPs -

 

For your Tenant in Veeam Cloud Connect enable the Ransomware Protection there even if only for a couple of days.  Will save you time as well as the above suggestions by @coolsport00 

Hi @coolsport00 , in my post 10 tips in hardening your Veeam backup server | Veeam Community Resource Hub about hardening the VBR server are also extra tips to protect your backups as much as possible against ransomware. The more the better so we can protect our backups and rescue our customers in case of...

Classic anti virus software is probably not sophisticated enough to protect against ransomware. Think of next-gen AV software.

https://en.wikipedia.org/wiki/Antivirus_software#2014%E2%80%93present_(rise_of_next-gen)

Good list @Nico Losschaert ! And, you’re for sure correct @vNote42 . With the likes of spectre, and the ‘next-gen spectre’ malware, any kind of A/V may not prove efficient enough. But certainly worthwhile to have. Good stuff gents!

Tape library with tape outside or active vault could be life saving from ransomware or side attack

For the moment i can’t have the same approval from security with object storage than tape…

 

Like @vNote42 an edr solution linked to a siem :D

I have followed most of the recommended practices and plan on implementing the rest to be totally secure.

All we can do is our best 😊

The discussion on Ransomware really got me thinking about segregating our production domain from our backup infrastructure. I’m going to bring that up in a discussion on our next Enterprise Admin meeting, and bring in a Security admin. I’m thinking a domain for humans and other domains for infrastructure objects. Maybe have a one-way trust between them, so that the infrastructure domain can get to things like SCCM, but a bad actor could jump from the human domain to the other.

It’s not terribly difficult to manage local non-domain accounts with a good password keeper, but a separate locked-down domain is much easier in a larger environment with dozens of datacenters.

Thanks for sharing @Tom T PCC :thumbsup_tone1:

Comment


Terms & Conditions