
Using Veeam Intelligence, I asked it to create a rule to detect common ransomware families

  • July 29, 2025

Adrian Meneses

I hope you're all doing well.

I'm reaching out to the community for some guidance. As a test, I recently used Veeam Intelligence to scan our infrastructure.

Based on the scan, Veeam Intelligence created the following rule:

rule CommonRansomware
{
    meta:
        description = "Detects common ransomware families"
        author = "Veeam Support Assistant"
        date = "2023-10-01"

    strings:
        // Plain text strings: matched as ASCII, case-sensitive substrings anywhere in the file
        $locky = "Locky"
        $wannacry = "WannaCry"
        $petya = "Petya"          // also matches inside "NotPetya", so $notpetya adds nothing
        $notpetya = "NotPetya"
        $cerber = "Cerber"
        $cryptolocker = "CryptoLocker"
        $cryptowall = "CryptoWall"
        $badrabbit = "BadRabbit"
        $ryuk = "Ryuk"
        $maze = "Maze"
        $revil = "REvil"
        $darkside = "DarkSide"

    condition:
        any of them   // a single hit of any one string, with no file-type or size restriction
}

The results scared me, since there are a bunch of files detected by this rule.

Thanks in advance for reading.
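A quick way to see why a rule like this fires on ordinary files is to replay its condition over a few known-benign inputs. The script below is an added example, not code from the post, from Veeam or from Veeam Intelligence: it emulates YARA's default text-string semantics (ASCII, case-sensitive substring, no `nocase`/`wide`) in plain Python for the twelve strings above, runs the original `any of them` condition and a tightened one (PE files only, a size cap, two independent strings, `$petya` dropped because it is a substring of `$notpetya`) over a handful of constructed files, and reports the byte offset and surrounding bytes of each hit for triage. The sample files, the `dropper.exe` stub and the `CommonRansomware_PE_Only` rule text are my constructions and assumptions, not real artefacts or a vendor rule.

```python
"""
Emulate the generated rule's `any of them` condition in plain Python,
run it over a few constructed files, and compare it with a tightened
condition.  Mimics YARA's default text-string semantics (ASCII,
case-sensitive substring, no nocase/wide) instead of calling libyara,
so it runs offline with the standard library only.
"""
from __future__ import annotations

# The twelve strings from the generated rule, in rule order.
FAMILY_STRINGS: list[tuple[str, bytes]] = [
    ("$locky", b"Locky"), ("$wannacry", b"WannaCry"), ("$petya", b"Petya"),
    ("$notpetya", b"NotPetya"), ("$cerber", b"Cerber"),
    ("$cryptolocker", b"CryptoLocker"), ("$cryptowall", b"CryptoWall"),
    ("$badrabbit", b"BadRabbit"), ("$ryuk", b"Ryuk"), ("$maze", b"Maze"),
    ("$revil", b"REvil"), ("$darkside", b"DarkSide"),
]

# Assumed tightened rule (my proposal, not from the post or from Veeam):
# PE executables only, a size cap, two independent family strings, and
# $petya dropped because "Petya" is a substring of "NotPetya".
TIGHTENED_RULE = r"""
rule CommonRansomware_PE_Only
{
    strings:
        $locky = "Locky"                $wannacry = "WannaCry"
        $notpetya = "NotPetya"          $cerber = "Cerber"
        $cryptolocker = "CryptoLocker"  $cryptowall = "CryptoWall"
        $badrabbit = "BadRabbit"        $ryuk = "Ryuk"
        $maze = "Maze"                  $revil = "REvil"
        $darkside = "DarkSide"
    condition:
        uint16(0) == 0x5A4D and filesize < 20MB and 2 of them
}
"""

def any_of_them(data: bytes) -> list[str]:
    """Identifiers of every string present: the original `any of them`."""
    return [ident for ident, s in FAMILY_STRINGS if s in data]

def is_pe(data: bytes) -> bool:
    """YARA `uint16(0) == 0x5A4D`: little-endian read of the 'MZ' DOS magic."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D

def tightened_match(data: bytes, min_hits: int = 2,
                    max_size: int = 20 * 1024 * 1024) -> bool:
    """Evaluate TIGHTENED_RULE's condition over the same string set."""
    hits = [i for i in any_of_them(data) if i != "$petya"]
    return is_pe(data) and len(data) < max_size and len(hits) >= min_hits

def hit_context(data: bytes, ident: str, width: int = 16) -> list[tuple[int, str]]:
    """Every (offset, printable window around the hit) for one string, for triage."""
    needle = dict(FAMILY_STRINGS)[ident]
    out, start = [], 0
    while (off := data.find(needle, start)) != -1:
        window = data[max(0, off - width): off + len(needle) + width]
        text = window.decode("latin-1")
        out.append((off, "".join(c if c.isprintable() else "." for c in text)))
        start = off + 1
    return out

# Constructed sample files (not real artefacts).  The .exe is an MZ stub
# with two family names appended, standing in for a genuine hit.
SAMPLES: dict[str, bytes] = {
    "awareness_deck.txt": b"WannaCry (May 2017) spread over SMBv1; MS17-010 closes it.",
    "maze_game_README.txt": b"Maze Runner v2: solve the Maze before time runs out!",
    "ir_report.txt": b"Lessons learned from the NotPetya outbreak.",
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(60)),
    "dropper.exe": b"MZ" + b"\x90" * 62 + b"Ryuk\x00REvil\x00",
}

def triage(samples: dict[str, bytes]) -> dict[str, dict]:
    """Per file: verdict of each rule, whether it is a PE, and hit contexts."""
    report = {}
    for name, data in samples.items():
        hits = any_of_them(data)
        report[name] = {
            "original_rule": bool(hits),
            "tightened_rule": tightened_match(data),
            "is_pe": is_pe(data),
            "hits": {h: hit_context(data, h) for h in hits},
        }
    return report

if __name__ == "__main__":
    for name, r in triage(SAMPLES).items():
        print(f"{name:22} original={r['original_rule']!s:5} "
              f"tightened={r['tightened_rule']!s:5} pe={r['is_pe']}")
        for ident, ctxs in r["hits"].items():
            for off, ctx in ctxs:
                print(f"    {ident} @0x{off:x}: {ctx!r}")
```

Run it as a script to get the per-file verdict. The original condition flags four of the five files (a training deck, a game README, an incident report and the MZ stub) because nothing in the rule restricts file type, size or number of hits: any document, script, log or AV definition file that merely names a family is a match, which is consistent with an AV scan of the same files finding nothing. The tightened condition flags only the MZ stub. When triaging real results, look at the offset context of each hit before calling it a false positive, and treat marking a VM as clean as a way to stop re-alerting on those objects rather than as a fix for the rule itself.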

7 comments

Chris.Childerhose

Did you run a scan after the files were detected to ensure none of them are infected?  That would be my next step to rule out false positives from the rule.


coolsport00
  • July 29, 2025

Hi ​@Adrian Meneses -

I wrote a post on here about performing Malware forensics in Veeam. Although...my post is geared towards Inline Entropy (disk block-level) Scans...but you can take a bit from it and work your way through it for Guest Indexing too, if you use that.

Take your results with a grain of salt. Surely there are probably some false positives; but make sure you verify before coming to that conclusion. Assuming you’re looking at the Guest Indexing type results?...you can also read through the User Guide to get some guidance on troubleshooting & analyzing your results. There are log files you can look at (noted in the Guide) to assist you as well.

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_guest_index.html?ver=120

Keep us posted.


Adrian Meneses
  • July 29, 2025

Hello Chris, thank you so much for your feedback. Yes, our antivirus did not detect anything that the scan did; I believe that I need to use similar YARA rules on that tool as well.


Chris.Childerhose

Ok. As another option, you can always mark the VMs as clean in Veeam; then it will not detect them again based on your YARA rule set.


coolsport00
  • July 29, 2025

@Adrian Meneses - If an A/V scan detected nothing...then yes, I recommend running a YARA scan. If both come back normal, then you’re probably ok.


Adrian Meneses
  • July 29, 2025

Hello Shane, I think I will perform this. Thanks for your feedback, really appreciated.


coolsport00
  • July 29, 2025

No problem...keep us posted when you’re able.