Ransomware and Veeam

"The destructive power of complacency."

"By 2025, at least 75% of IT organizations will face one or more attacks, as free-rein researchers document a dramatic increase in ransomware attacks during 2020, pointing to sevenfold or higher rates of growth." - Gartner

Global estimated damages from Ransomware attacks...

  • Attack rate in 2016 - 40 seconds

  • Attack rate in 2019 - 14 seconds

  • Attack rate in 2021 - 11 seconds (projected)

  • 147% annual increase in associated losses from Ransomware attacks.

"96% of Veeam customers cut their average ransomware recovery costs under $5,000. 76% of Veeam customers have to spend NOTHING AT ALL"

Please SCROLL DOWN for "8 Tips to prevent ransomware attacks using Veeam."

Note: "NIST Special Publication 1800-25 : Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events"

What is Ransomware? (Click here)

"Ransomware works by encrypting user's files through asymmetric encryption methods. The attacker then demands money in exchange for decrypting the files. There are several ways ransomware can attack and encrypt files, with varying degrees of complexity."

What is an example of a Ransomware attack? (Click here)

"Bad Rabbit is a 2017 ransomware attack that spread using a method called a 'drive-by' attack, where insecure websites are targeted and used to carry out an attack. .Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection." Five of the most significant ransomware attacks in 2020 include: Maze, REvil, Ryuk, Tycoon, NetWalker.

How do I get Ransomware? (Click here)

"There are several different ways that ransomware can infect your computer. One of the most common methods today is through malicious spam (or malspam), which is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents."

What is the trend for Ransomware? (Click here)

"According to Trend Micro, computer criminals continue to show an interest in ransomware, as well as cheap offerings associated with deepfake services on underground web marketplaces. Malwarebytes noted that malicious actors could ultimately combine these two threats together into “deepfake ransomware” attacks". Aug 4, 2020

How much do cyber criminals typically ask for as a ransom payment?? (Click here)

"The data shows that 20 percent of compromised organizations have paid ransoms of more than $40,000, and 25 percent have paid between $20,000 and $40,000. Those numbers are far higher than what consumers typically pay, which is usually in the range of $500-$1,000, depending on the ransomware variant."

What percentage of victims pay the Ransomware? (Click here)

"In 2018, 39 percent of ransomware victims paid the ransom. In 2019, that number rose to 45 percent. Today, as many as 58 percent of ransomware victims, from every industry, have paid ransom. Apr 3, 2020"

Can Ransomware be removed?? (Click here)

"Every filecoder has its own method of encryption, which means you can't simply remove it like other forms of malware. To avoid being studied and decrypted, most ransomware programs delete themselves after a set period of time. Sep 25, 2019"

NINE tips to prevent ransomware attacks using Veeam...

QUESTION: Pre-authorization (CRITICAL): Do you have authority (pre-authorization) to take action in the event of a cybersecurity incident?

...in short, use a layered defense

  1. Always use the 3-2-1-1-0 Rule (Protect)

  2. Separate Authentication Framework (i.e. credentials) for management of Veeam (Protect)

  3. Leverage Immutability (Protect)

  4. Enable Alarm Notifications using Veeam One (Detect)

    • What is median dwell time? "The global median dwell time is the number of days that an attacker is in a computing environment before detection. Over the past decade, there has been a marked reduction in median dwell time, from just over one year (416 days) in 2011 to just under one month (24 days) in 2020."

  5. Enable Activity Scans using Veeam One. (Detect)

  6. Leverage Automated Testing using SureBackup/SureReplica (Detect)

    • Automated step to scan the backup for malware

    • IRE - Isolated Recovery Environment - "The IT organization must build an isolated recovery environment (IRE), in which applications and data can be restored, but remain isolated from external actors that might seek to trigger malware that was restored with application. This IRE will also include a variety of malware scanners that detect malware based on signatures or through more advanced behavioral detection methods that use AI/ML to scan for activity that might indicate malware activity." - NOTE: See SureBackup

    • See Brad Linch: 5 Ways Veeam Provides Ransomware Protection - 8 min read

  7. Secure Restore. (Recover)

    • Veeam Backup & Replication allows you to scan machine data with antivirus software before restoring the machine to the production environment. During secure restore, Veeam Backup & Replication mounts disks of the machine that you plan to restore to the mount server.

    • How Secure Restore Works

  8. Data Re-Use / Data Integration APIs (Recover)

  9. Take storage snapshots on the backup repository storage, if possible. (Recover)

    • Example: Exagrid's Native Veeam Data Mover. - 4 min read

...AND be sure to protect your Microsoft Office 365 against a BEC ("Business Email Compromise") with VBO.

12 simple questions to assess your current ransomware prevention and recovery risks (in less than 10 minutes.)

Cybercriminals are notoriously responsive to defenses which cut into their profitability!!

Попробуйте этот странный трюк, который ненавидят русские хакеры (Click Here)...

Try this one weird trick Russian hackers hate...

"In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick."

"Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install."

“This is for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware.

"To install a different keyboard language on a Windows 10 computer the old fashioned way, hit the Windows key and X at the same time, then select Settings, and then select “Time and Language.” Select Language, and then scroll down and you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot. Again, if for some reason you need to toggle between languages, Windows+Spacebar is your friend."


Here are few recommendations for remediation that should be at your disposal should a ransomware incident happen...

  1. Veeam Support: There is a special group within the Veeam support organization that has specific operations to guide customers through data restores in ransomware incidents. You do not want to put your backups at risk; they are critical to your ability to recover.

  2. Communications first: In disasters of any type, communication becomes one of the first challenges to achieve. Have a plan for how to communicate to the right individuals out-of-band. This would include group text lists, phone numbers or other mechanisms that are commonly used for on-call mechanisms but expanded for an entire IT operations groups.

  3. Experts: Have a list of security, incident response, identity management, etc. experts that are ready to be contacted if needed. They can be within the organization or external experts. If a Veeam service provider is used, there are additional value adds to their base offering that can be considered (such as Veeam Cloud Connect Insider Protection). Chain of decision: One of the hardest parts of recovering from a disaster is decision authority. Who makes the call to restore, to fail over, etc.? Have business discussions about this beforehand.

  4. Ready to restore: When the conditions are right to restore, implement additional safety checks before putting systems on the network again. Part of those tips are explained earlier in this document but additional steps can include restoring with network access disabled for a final check.

  5. Restore options: Depending on the situation, maybe a whole VM recovery is best. Possibly a file-level recovery makes sense. Familiarity with your recovery options will help greatly.

  6. Restore safely: As explained earlier, Veeam Secure Restore will trigger an antivirus scan of the image before the restore completes. Use the latest anti-virus and malware definitions and perhaps an additional tool to ensure a threat is not reintroduced.

  7. Force password resets: Users don’t like this but implement a sweeping forced change of passwords. This will reduce the threat propagation surface area.

What is the "Internet Crime Complaint Center IC3"? (Click Here)

You should file a complaint with the IC3 if you believe you have been the victim of an Internet crime or if you want to file on behalf of another person you believe has been such a victim.

"IC3's purpose is to serve as a central hub to receive, develop, and refer criminal complaints regarding the rapidly expanding occurrences of Internet crime. The IC3 gives victims a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations on the Internet. IC3 develops leads and notifies law enforcement agencies at the federal, state, local and international level."

Companies can also contact their local FBI field office. It will ask for the following information...

  • Date of Ransomware attack

  • How the infection occurred

  • Amount demanded

  • Amount paid, if any

  • The ransomware variant

  • Information about your company, such as industry, size, etc...

  • Victim impact statement; and

  • Losses due to the ransomware attack.

What are the "US-CERT Federal Incident Notification Guidelines"? (Click Here)

Companies can also report ransomware to CISA. Like reporting to the FBI, CISA has specific ransomware reporting requirements...

"Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian Executive Branch agency is potentially compromised, to the NCCIC/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In some cases, it may not be feasible to have complete and validated information for the section below (Submitting Incident Notifications) prior to reporting. Agencies should provide their best estimate at the time of notification and report updated information as it becomes available. Events that have been found by the reporting agency not to impact confidentiality, integrity or availability may be reported voluntarily to US-CERT; however, they may not be included in the FISMA Annual Report to Congress."

"The Cybersecurity and Infrastructure Security Agency (CISA) is a standalone United States federal agency, an operational component under Department of Homeland Security (DHS) oversight. Its activities are a continuation of the National Protection and Programs Directorate (NPPD). CISA was established on November 16, 2018 when President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018."

  • Identify the current level of impact on agency functions or services.

  • Identify the type of information lost, compromised or corrupted.

  • Estimate the scope of time and resources needed to recover from the incident.

  • Identify when the activity was first detected.

  • Identify the number of systems, records and users impacted.

  • Identify the network location of the observed activity.

  • Identify point of contact information for additional follow-up.

Video: Dealing with a Ransomware Attack: A full guide (Click Here)

Video: Dealing with a Ransomware Attack: A full guide (10 min)

  1. Lock down/isolate! Note that this can be done with Veeam One

  2. Disable the ransomware process (the executable)

  3. Check decryption options

  4. Restore from backups

  5. Decryptor notifications

  6. Pay it...............not recommended

There are two main types of ransomware: locker and crypto ransomware, each with many variants (click here for more)...

Locker Ransomware: It works by preventing system administrators from reaching their systems by denying access to computing resources, and then demanding a ransom to regain access. Imagine a cybercriminal changing the administrator and root passwords in your corporate servers or cloud servers.

Crypto Ransomware: it works by encrypting the organization’s data, taking it hostage until the victim pays the ransom and obtains the decryption key from the attacker; otherwise, data is destroyed. Crypto ransomware is the most dominant threat and the focus of this article.

Island hopping, also called leapfrogging or pivoting, is a cybersecurity exploit in which an attacker gains access to an intended target by initially exploiting the employees and supply chain partners who have access to the target's network.

In this type of lateral attack, the threat actor exploits a weakness downstream from the actual target and uses it as a launching point to reach the intended target. The term island hopping is inspired by a military strategy used in the Pacific theater during World War II.

Generally, island hopping attackers pick employees, customers and smaller companies that work with the target organization, hoping that their cyberdefense will be weaker than the ultimate target. Island hopping attacks often begin through phishing exploits in which the attacker disguises themselves as a reputable entity in an email or other communication channel. Continue reading about island hopping attacks...

What is a dropper?

What is a Trojan Horse?

Ransomware Attacker Stages (click here for more)...


  • Stage 0: Entry point found - no action taken.

  • Stage I: Attackers have access to or control of an individual system or limited systems.

  • Stage II: Attackers have control of the broader infrastructure and are in “read-only” mode, potentially stealing data.

  • Stage III: Attackers have control of the broader infrastructure and have “write” access, potentially altering data.

  • Stage IV: Attackers have administrative control. Attackers can create new means of entry as well as alter, read and steal data.


  • Category 0: Exercise Incident

  • Category 1: Unauthorized Access

  • Category 2: Denial of Service

  • Category 3: Malicious Code

  • Category 5: Improper Use

  • Category 6: Investigation

CORE TO SECURITY: The CIA triad is a guiding principle that many organizations use to create their information security policies, processes and procedures (click here for more)...

CIA stands for confidentiality, integrity and availability. Each component of the triad plays an important role in maintaining data integrity...

  • Confidentiality - prevents sensitive information from reaching the wrong people, while making sure that the right people have access. In terms of confidentiality, organizations need to ensure data is secure in transit and at rest. Even if data is lost or hacked, it should not be readable.

  • Integrity - maintains the consistency, accuracy, and trustworthiness of data over its entire life cycle. When it comes to integrity, organizations need to ensure that personal data is accurate, complete, up to date and kept only as long as necessary.

  • Availability - ensures data can be accessed by authorized people when they need it. In terms of availability, organizations also need to understand how individuals and their work could be affected if they are not able to access the data they need.


What is the CIA Triad? Confidentiality, Integrity, Availability

02 - Security (CIA) Triad

CIA Triangle: The Core of Cybersecurity

Great ways to safely simulate and assess the risk of phishing success (click here for more)...

KnowBe4 can be used for security awareness that goes beyond end user and administrator education . This service is a provides security awareness training with the added benefit of simulated phishing attacks .

Aside from KnowBe4, there are open-source resources in place to help with phishing as well . One example is Gophish, which allows you to create dashboards and send emails to see if your recipients will actually click on phishing emails . You can set up a phish test in just minutes .

How do you write a Warning/Alert email about Ransomware to your Users? (click here for more)...

How do you write a Warning/Alert email about Ransomware to your Users? by one2254 on Apr 8, 2017 - Spiceworks

Dear End User,

Ransomware is a type of encrypting malware that encrypts important company files and holds them for ransom. Ransoms typically range from hundreds to thousands of dollars. Cybercriminals made over $1billion dollars last year from businesses attacked by ransomware and since these cybercriminals have learned to monetize attacks; their frequency and severity of attacks will continue to grow exponentially.

You should be aware that most ransomware attacks come in the form of an email attachment and you should exercise extreme caution when opening email attachments. Never open an attachment in an email you were not expecting to receive or that you do not recognize the sender. You should use the same caution when presented with URL's that you do not recognize or came from an unknown sender.

With today's advanced ransomware techniques you only have to visit a website to become infected with ransomware. Let me make that clear. You DO NOT have to click anything on the website to infect the company with data encrypting ransomware.

In 2017 alone:

  • Ransomware emails spiked 6,000%

  • 40% of all spam email had ransomware

  • 59% of infections came from email

  • 92% of surveyed IT firms reported attacks on their clients

These numbers are scary but important for you to know. As an employee of (company ABC) you are our first line of defense against ransomware. Please follow the best practices as outlined in this email to ensure you do your part to keep ransomware off the company network. Failure to do so could result in significant downtime and monetary cost to (company ABC) and we all need to be vigilant in stopping these attacks.

If you have further questions about ransomware and how you can help prevent it from infecting (company ABC)'s network; please reach out to support@companyabc.com or call the help desk at 1-555-555-5555.

Thank you,
IT Department

CLICK HERE additional information on Ransomware...

Keep in mind that...

  • A vulnerability is an oversight or weakness in an organization's security posture. This could include an improperly configured firewall, an unpatched OS or unencrypted data.

  • A risk is the careful assessment of potential threats against the organization's vulnerabilities. For example, someone stores unencrypted data in the public cloud and human error could allow the data to be accessed or changed. This could be perceived as a significant risk for the business that must be addressed.

  • A threat is something that is actually happening that the organization must defend against: DoS attack, human error, natural disasters, etc...

Useful references...

FBI’s keys for protection...

  • Back up data regularly.

  • Verify the integrity of those backups regularly.

  • Secure your backups.

  • Isolate backups from the computers and networks they protect.

BONUS: 20 Ransomware tips from Joe Marton and Rick Vanover (click here for more).

NOTE: Please contact Randy Lee for specifics and the presentation in its entirety.

  1. Use special credentials for backup storage/backup job.

  2. Give each backup admin individual access.

  3. Utilize offline storage.

  4. Immutability.

  5. Leverage different file systems / Protocols for backup storage.

  6. Backup storage with native snapshot capabilities.

  7. Let the Backup Copy Job do the work for you.

  8. DR isn’t just for natural disasters.

  9. Document your recovery plan.

  10. Restore the minimum.

  11. Veeam Backup for Microsoft Office 365 data.

  12. Agents.

  13. vPower® & the cloud.

  14. Veeam patch management.

  15. Security & network tools.

  16. Users are your worst enemy.

  17. Insider threats.

  18. Have visibility into suspicious behavior.

  19. Prepare for help.

  20. Master the 3-2-1-0 Rule.