Ransomware

https://www.cisa.gov/

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

"Ransomware works by encrypting user's files through asymmetric encryption methods. The attacker then demands money in exchange for decrypting the files. There are several ways ransomware can attack and encrypt files, with varying degrees of complexity."

• What is ransomware? - 6 min read

• Cybersecurity threats in 2021 – Here’s what you need to know 

• Why is ransomware still so successful?

• "On average, there is a ransomware attack every 11 seconds. 51% of victims pay the ransom at an average of $200K per attack, amounting to $20B in total cost." (source)

• “In North America, ransomware attacks affected nearly 7-in-10 companies in 2020” (source)

• Number of ransomware attacks grew by more than 150% 

• Largest ransomware demand now stands at $30 million as crooks get bolder

• The ransomware crisis is making cyber insurance harder to buy, The growing volume and value of cyber insurance claims is forcing providers to be more discerning in who they cover. Some companies will lose out.

What is an example of a Ransomware attack?

"Bad Rabbit is a 2017 ransomware attack that spread using a method called a 'drive-by' attack, where insecure websites are targeted and used to carry out an attack. .Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection." Five of the most significant ransomware attacks in 2020 include: Maze, REvil, Ryuk, Tycoon, NetWalker.

• Dept of Homeland Security - Protect Your Data Against Ransomware

• Why we're now facing a perfect storm - ZDnet

• Yes, Ransomware can delete your Veeam backups

How do I get Ransomware?

"There are several different ways that ransomware can infect your computer. One of the most common methods today is through malicious spam (or malspam), which is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents."

• How to protect against and recover from ransomware attacks on your backups

• Identify and protect yourself against ransomware

• Recover from a ransomware attack in Microsoft 365 - "Step 1: Verify your backups"

What's the trend for Ransomware?

"According to Trend Micro, computer criminals continue to show an interest in ransomware, as well as cheap offerings associated with deepfake services on underground web marketplaces. Malwarebytes noted that malicious actors could ultimately combine these two threats together into “deepfake ransomware” attacks". Aug 4, 2020

• Ransomware Defense - Part 1: Advanced product features are an mandatory requirement

• Ransomware Defense - Part 2: Hardening 

What percentage of people pay the ransom?

"In 2018, 39 percent of ransomware victims paid the ransom. In 2019, that number rose to 45 percent. Today, as many as 58 percent of ransomware victims, from every industry, have paid ransom. Apr 3, 2020"

• Report Incidents, Phishing, Malware, or Vulnerabilities 

• Best practices for reporting ransomware attacks 

Can Ransomware be removed?

"Every filecoder has its own method of encryption, which means you can't simply remove it like other forms of malware. To avoid being studied and decrypted, most ransomware programs delete themselves after a set period of time. Sep 25, 2019"

• Ransomware: A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again 

• Ransomware is attacking NAS data – are you prepared? - 6 min read

• How to protect your data from ransomware and encryption Trojans - 5 min read

• 3 storage options against ransomware - 3 min read

• Identify and protect yourself against ransomware 

• Winning the War on Ransomware in H2 2020 - 26:24 video

• Three Ultimate Strategies for Ransomware Prevention - 1:02:55 video - Rick Vanover

• Veeam backups save Alaska community from ransomware attack - TechTarget 

• Ransomware gang tries to extort Apple hours ahead of Spring Loaded event - The Record

• This company was hit by ransomware. Here's what they did next, and why they didn't pay up. - "

  • So what is the key lesson Mendoza would say that other organizations need to take away from Spectra Logic's experience? "You've got to limit your attack blast radius. Backup your data in multiple locations on multiple mediums and the key is to air-gap it. Whether it's physical air-gap or virtual air-gap, you've got to put a wall between an attack and your data," he said."

1. Always use the 3-2-1-1-0 Rule ("Protect")

   • See The 3-2-1 rule for ransomware protection - 7 min read

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Notes

Try this one weird trick Russian hackers hate...

"In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick."

"Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install."

“This is for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware.”

"To install a different keyboard language on a Windows 10 computer the old fashioned way, hit the Windows key and X at the same time, then select Settings, and then select “Time and Language.” Select Language, and then scroll down and you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot. Again, if for some reason you need to toggle between languages, Windows+Spacebar is your friend."

https://securityboulevard.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/

1. Veeam Support: There is a special group within the Veeam support organization that has specific operations to guide customers through data restores in ransomware incidents. You do not want to put your backups at risk; they are critical to your ability to recover.

2. Communications first: In disasters of any type, communication becomes one of the first challenges to achieve. Have a plan for how to communicate to the right individuals out-of-band. This would include group text lists, phone numbers or other mechanisms that are commonly used for on-call mechanisms but expanded for an entire IT operations groups.

3. Experts: Have a list of security, incident response, identity management, etc. experts that are ready to be contacted if needed. They can be within the organization or external experts. If a Veeam service provider is used, there are additional value adds to their base offering that can be considered (such as Veeam Cloud Connect Insider Protection). Chain of decision: One of the hardest parts of recovering from a disaster is decision authority. Who makes the  call to restore, to fail over, etc.? Have business discussions about this beforehand.

4. Ready to restore: When the conditions are right to restore, implement additional safety checks before putting systems on the network again. Part of those tips are explained earlier in this document but additional steps can include restoring with network access disabled for a final check.

5. Restore options: Depending on the situation, maybe a whole VM recovery is best. Possibly a file-level recovery makes sense. Familiarity with your recovery options will help greatly.

6. Restore safely: As explained earlier, Veeam Secure Restore will trigger an antivirus scan of the image before the restore completes. Use the latest anti-virus and malware definitions and perhaps an additional tool to ensure a threat is not reintroduced.

7. Force password resets: Users don’t like this but implement a sweeping forced change of passwords. This will reduce the threat propagation surface area.

QUESTION: Pre-authorization (CRITICAL): Do you have authority (pre-authorization) to take action in the event of a cybersecurity incident?

Anton Gostev
SVP, Product Management at Veeam Software.
The guy behind Veeam Backup & Replication.

"I've spent many years now advocating for the usage of air-gapped (offline) or immutable backup storage in these newsletters - and I'm happy to see many customers now rushing to implement this best practice. Our support big data indicates that the number of such installs nearly doubled in the last less than 2 years, thanks to heightened ransomware concerns in particular. But for me, it also means that I can reduce ringing this same bell and change the tune to covering a bit different scenario: "We have a solid backup strategy. What else should we do now – and what do we do when the attack actually happens"? I hope that sharing what I learnt from the customers who've been through this will help better prepare everyone to face the same, as unfortunately the reality is such that it's unavoidable for most of us.

First, do the following as soon as possible:

1. If you do not have a cyber insurance yet, get it now. There are many good reasons to do so, but the most important one is extremely unobvious: without a cyber insurance, you will have a big trouble finding good recovery specialists to help you, as all the decent ones are now employed by the cyber insurance organizations. Just think how bad the staff shortage in the cyber-security industry is since the raise of ransomware, and what level of expertise will you be able to find on a short notice as a result.

2. Think through the reserve communication channels: cell phones and failback email (something completely external like Gmail). You will need something to communicate with vendors like Veeam, but your usual telephony and email systems will likely be down. So ensure that the reserve communication channels are registered with your IT vendors, otherwise you may not even be able to open a support case on behalf of your company.

3. Plan where are you going to restore your environment to following an attack. I've now seen it more than once when customers were caught with their pants down by police confiscating their production storage systems as evidence. So they had good backups, but no hardware to restore them to. And since getting new hardware will take forever due to the current supply chain issues, while having a spare hardware just sitting there is not something many can afford, restoring your environment to cloud IaaS may literally be the ONLY option. Veeam enables you to restore directly to AWS/Azure/GCP, and some of our Veeam Cloud Connect service providers can restore your backups into their data center too – but be sure to test the entire process so that there are no surprises. This will also force you to put all the required networking in place and not waste time on this later.

Once you become aware of the on-going attack:

1. Take everything potentially affected offline to minimize damage. While painful, it's no longer just about your production data being encrypted: hackers may be streaming your critical production data out of the environment, and this will enable them to threaten you with its disclosure later.

2. Open support cases with your critical infrastructure vendors, including Veeam. You will likely need assistance from all of them in due time. When you open a case, do remember to mention how you can be reached. Most folks forget to do this in a heat of the moment, making our SWAT team unable to contact you due to all your systems being down.

3. Do NOT just go restoring your backups. The intrusion usually happens a few weeks before the actual attack, so there's rarely a point in mass-restoring your most recent backups. Unless you're fine wasting time restoring your environment to the state where the sleeping ransomware is already present and/or the threat actor already has remote access with high privileges (plus multiple well-hidden fallback options for when you start disabling or changing passwords for known admin accounts).

4. Set realistic expectations with the executive team: full recovery may take a long while. In one recent example of an actual attack, the customer had solid Veeam backups but it took the security specialists assigned by the cyber-insurance company 2 weeks to reconstruct what happened before they even allowed to start restoring those backups! And in particular, they found that ransomware has penetrated the environment for 4 weeks before the actual encryption attack!

5. Only after the attack is fully understood, the recovery of recent backups can start and it will always be staged. First, each machine is restored into a quarantine environment where the actual cleaning from the determined threats takes place. In addition, each machine is scanned by multiple advanced security tools to ensure there are no other sleeping threats. Only after all of this is done, the cleaned up machine state is moved into the production environment. Those of you who know Veeam well are probably jumping out of their seats right now because it all sounds waaaay too familiar and is exactly how our Staged Restore works, right? You're correct, but...

6. This will be the moment when your earlier backup storage selection process flashes before your eyes, as slow backup storage will not let you do any of that magic. This is why we suggest using small but fast primary backup repositories! Otherwise, in one other recent attack, the customer in the end chose to perform entire VM restore of each VM from their deduplicating backup storage target into an isolated lab with all-flash array first, do the cleaning and scanning there, and then move processed machines to the production storage. Even if this meant effectively performing an entire VM restore twice, it was still way faster than running VMs from backup on dedupe storage. While entire VM restore from dedupe storage is actually quite fast with Veeam, because we use "sequential reads > random writes" approach to get a decent restore performance (as dedupe appliances are optimized for sequential I/O)."

You should file a complaint with the IC3 if you believe you have been the victim of an Internet crime or if you want to file on behalf of another person you believe has been such a victim.

"IC3's purpose is to serve as a central hub to receive, develop, and refer criminal complaints regarding the rapidly expanding occurrences of Internet crime. The IC3 gives victims a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations on the Internet. IC3 develops leads and notifies law enforcement agencies at the federal, state, local and international level."

Companies can also contact their local FBI field office. It will ask for the following information...

• Date of Ransomware attack

• How the infection occurred

• Amount demanded

• Amount paid, if any

• The ransomware variant

• Information about your company, such as industry, size, etc...

• Victim impact statement; and

• Losses due to the ransomware attack.

Companies can also report ransomware to CISA. Like reporting to the FBI, CISA has specific ransomware reporting requirements...

• Cybersecurity and Infrastructure Security Agency (CISA)

"Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian Executive Branch agency is potentially compromised, to the NCCIC/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In some cases, it may not be feasible to have complete and validated information for the section below (Submitting Incident Notifications) prior to reporting. Agencies should provide their best estimate at the time of notification and report updated information as it becomes available. Events that have been found by the reporting agency not to impact confidentiality, integrity or availability may be reported voluntarily to US-CERT; however, they may not be included in the FISMA Annual Report to Congress."

"The Cybersecurity and Infrastructure Security Agency (CISA) is a standalone United States federal agency, an operational component under Department of Homeland Security (DHS) oversight. Its activities are a continuation of the National Protection and Programs Directorate (NPPD). CISA was established on November 16, 2018 when President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018."

• Identify the current level of impact on agency functions or services.

• Identify the type of information lost, compromised or corrupted.

• Estimate the scope of time and resources needed to recover from the incident.

• Identify when the activity was first detected.

• Identify the number of systems, records and users impacted.

• Identify the network location of the observed activity.

• Identify point of contact information for additional follow-up.

Video: Dealing with a Ransomware Attack: A full guide (10 min)

1. Lock down/isolate! Note that this can be done with Veeam One

2. Disable the ransomware process (the executable)

3. Check decryption options

4. Restore from backups

5. Decryptor notifications

6. Pay it...............not recommended

Locker Ransomware: It works by preventing system administrators from reaching their systems by denying access to computing resources, and then demanding a ransom to regain access. Imagine a cybercriminal changing the administrator and root passwords in your corporate servers or cloud servers.

Crypto Ransomware: it works by encrypting the organization’s data, taking it hostage until the victim pays the ransom and obtains the decryption key from the attacker; otherwise, data is destroyed. Crypto ransomware is the most dominant threat and the focus of this article.

Island hopping, also called leapfrogging or pivoting, is a cybersecurity exploit in which an attacker gains access to an intended target by initially exploiting the employees and supply chain partners who have access to the target's network. 

In this type of lateral attack, the threat actor exploits a weakness downstream from the actual target and uses it as a launching point to reach the intended target. The term island hopping is inspired by a military strategy used in the Pacific theater during World War II. 

Generally, island hopping attackers pick employees, customers and smaller companies that work with the target organization, hoping that their cyberdefense will be weaker than the ultimate target. Island hopping attacks often begin through phishing exploits in which the attacker disguises themselves as a reputable entity in an email or other communication channel. Continue reading about island hopping attacks...

What is a dropper?

What is a Trojan Horse?

Stages...

• Stage 0: Entry point found - no action taken.

• Stage I: Attackers have access to or control of an individual system or limited systems.

• Stage II: Attackers have control of the broader infrastructure and are in “read-only” mode, potentially stealing data.

• Stage III: Attackers have control of the broader infrastructure and have “write” access, potentially altering data.

• Stage IV: Attackers have administrative control.  Attackers can create new means of entry as well as alter, read and steal data.

Categories...

• Category 0: Exercise Incident

• Category 1: Unauthorized Access

• Category 2: Denial of Service

• Category 3: Malicious Code

• Category 5: Improper Use

• Category 6: Investigation

CIA stands for confidentiality, integrity and availability. Each component of the triad plays an important role in maintaining data integrity...

• Confidentiality - prevents sensitive information from reaching the wrong people, while making sure that the right people have access. In terms of confidentiality, organizations need to ensure data is secure in transit and at rest. Even if data is lost or hacked, it should not be readable.

• Integrity - maintains the consistency, accuracy, and trustworthiness of data over its entire life cycle. When it comes to integrity, organizations need to ensure that personal data is accurate, complete, up to date and kept only as long as necessary.

• Availability - ensures data can be accessed by authorized people when they need it. In terms of availability, organizations also need to understand how individuals and their work could be affected if they are not able to access the data they need. 

https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

What is the CIA Triad? Confidentiality, Integrity, Availability

02 - Security (CIA) Triad 

CIA Triangle: The Core of Cybersecurity 

• KnowBe4 

• Gophish

• Ransomware overview from CISA 

KnowBe4 can be used for security awareness that goes beyond end user and administrator education .  This service is a provides security awareness training with the added benefit of simulated phishing attacks . 

Aside from KnowBe4, there are open-source resources in place to help with phishing as well .  One example is Gophish, which allows you to create dashboards and send emails to see if your recipients will actually click on phishing emails .  You can set up a phish test in just minutes .

How do you write a Warning/Alert email about Ransomware to your Users? by one2254 on Apr 8, 2017 - Spiceworks

Dear End User,

Ransomware is a type of encrypting malware that encrypts important company files and holds them for ransom. Ransoms typically range from hundreds to thousands of dollars. Cybercriminals made over $1billion dollars last year from businesses attacked by ransomware and since these cybercriminals have learned to monetize attacks; their frequency and severity of attacks will continue to grow exponentially. 

You should be aware that most ransomware attacks come in the form of an email attachment and you should exercise extreme caution when opening email attachments. Never open an attachment in an email you were not expecting to receive or that you do not recognize the sender. You should use the same caution when presented with URL's that you do not recognize or came from an unknown sender. 

With today's advanced ransomware techniques you only have to visit a website to become infected with ransomware. Let me make that clear. You DO NOT have to click anything on the website to infect the company with data encrypting ransomware. 

In 2017 alone:

• Ransomware emails spiked 6,000%

• 40% of all spam email had ransomware

• 59% of infections came from email

• 92% of surveyed IT firms reported attacks on their clients

These numbers are scary but important for you to know. As an employee of (company ABC) you are our first line of defense against ransomware. Please follow the best practices as outlined in this email to ensure you do your part to keep ransomware off the company network. Failure to do so could result in significant downtime and monetary cost to (company ABC) and we all need to be vigilant in stopping these attacks.

If you have further questions about ransomware and how you can help prevent it from infecting (company ABC)'s network; please reach out to support@companyabc.com or call the help desk at 1-555-555-5555.

Thank you,
IT Department

https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html

1. Turning off local passwords

2. Using secure passwords

3. Forcing the end of admin sessions

4. Configuring group policies

5. Checking privileged users' access

6. Ensuring only necessary applications are running

7. Limiting the reliance of Anti-Virus

8. Installing EDRs

9. 24 hour system admins

10. Securing vulnerable ports

11. Watching for misconfigured firewalls

Keep in mind that...

• A vulnerability is an oversight or weakness in an organization's security posture. This could include an improperly configured firewall, an unpatched OS or unencrypted data.

• A risk is the careful assessment of potential threats against the organization's vulnerabilities. For example, someone stores unencrypted data in the public cloud and human error could allow the data to be accessed or changed. This could be perceived as a significant risk for the business that must be addressed.

• A threat is something that is actually happening that the organization must defend against: DoS attack, human error, natural disasters, etc...

Useful references...

• Iranian APT Cobalt Mirage launching ransomware attacks

• US offers $10M bounty for Conti ransomware information

• New clues point to REvil ransomware gang's return   

• Nutanix Data Lens Powers Data Management and Ransomware Protection

• Ransomware Assessment Kit 

• Ransomware Education Site

• NEW & UPDATED Content Library (Executive & Technical) 

• Crowdstrike Cyber Front Lines Report

• VirusTotal

• Coveware

  • Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound      

• VMware ESXi Ransomware: What You Need to Know - vMiss.net

• US military has reportedly acted against ransomware groups

• ‘Double-Extortion’ Ransomware Damage Skyrockets 935% 

• FBI: Ransomware targets companies during mergers and acquisitions

• Biden Administration Orders Federal Agencies to Fix Hundreds of Cyber Flaws

• https://home.treasury.gov/news/press-releases/jy0471

• Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange

• https://home.treasury.gov/news/press-releases/jy0471

• Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange

• PC Security Channel - YouTube.com

• Ransomware Is a Disaster - vMiss.net

• Ransomware in 2022: We're all screwed 

• A CISO’s Guide to Prevent Ransomware Attacks 

• Majority of malware occurs via HTTPS-encrypted connections - TechSpot

• Ransomware is leading hospital boards to pour more money into cybersecurity - HealthcareITnews

• Examples: File-less attacks, Zero-day, Phishing, Malware/Ransomware, Cryptojacking, Trojans, Viruses, Bots, DDOS, Cobalt Strike, Mimikatz, Emotet, and Trickbot.

• Ransomware Defense: Top 5 Things to Do Right Now

• The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms 

• FBI identifies 16 Conti ransomware attacks striking US healthcare, first responders

• RANSOMWARE IS REAL! – EXPOSING YOURSELF VIA THE CLOUD 

• Apple’s ransomware mess is the future of online extortion -$50M

• How to protect your data from ransomware and encryption Trojans

• Conti ransomware gang suffers security breach

• FBI: Conti Ransomware Actors Exploit Healthcare, First Responder Networks 

• Ransomware attack case study: Recovery can be painful 

• NIST Ransomware Resources 

• Air-gapped backups with object storage immutability

• Best practices for reporting ransomware attacks 

• Veeam Instant NAS Recovery in v11, Malware Detection and Machine Learning

• Veeam Ransomware Prevention Kit

• Ransomware hack cripples Universal Health Services hospitals, facilities across the US

• 3 Ultimate Strategies for Ransomware Prevention

• The Essential Guide to Ransomware

• Ransomware Gang Says It's Selling Data from Cyberattack That California DMV Warned About

• Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign

• AppleJeus: Analysis of North Korea’s Cryptocurrency Malware  

• Before and After Ransomware: Preparedness and Recover

• Several hospitals targeted in new wave of ransomware attacks

• Beat ransomware: Education, Implementation and remediation with Veeam

• A Defense Strategy for Schools

• Exclusive: FBI reports flood of ransomware attacks, healthcare companies under siege 

• Prepare for the battle against Ransomware - 14:51 video

• How to protect your data from ransomware and encryption Trojans

• Ransomware gangs are now cold-calling victims if they restore from backups without paying - Tactic used since August by ransomware gangs like Sekhmet, Maze, Conti, and Ryuk. 

• One of the Internet’s most aggressive threats could take UEFI malware mainstream

• LIVE WEBINAR - Cybersecurity experts talk: The Knowledge You Need to Beat Ransomware

• Mr. Ransom Ware - The Interview - Veeam Animal - Dec 17, 2020

• Ransomware overview from CISA

• Ransomware puzzle: These two pieces of malware look very different, but they evolved from the same root

• Ransomware Remediation with FlashArray SafeMode

• 5 Steps to Take in the Event of a Ransomware Attack 

•  U.S. issues warning after Microsoft says China hacked its mail server program

• Ryuk Ransomware: Now with Worming Self-Propagation 

• Post-Cyberattack, Universal Health Services Faces $67M in Losses

• Ransomware defense part 4: Deep Dive - Gabriele Pelizzari

• How cloud backups are essential to fighting ransomware - Digitalisation World

• Forward Air reveals ransomware attack, warns of revenue hit

• Identify and protect yourself against ransomware 

• Kia Reportedly Under Ransomware Attack With $20M Demand 

• CD Projekt staff reportedly locked out of computers after ransomware attack 

• Clop targets execs, ransomware tactics get another new twist 

• 10K Microsoft Email Users Hit in FedEx Phishing Attack

• Report: Some CD Projekt devs unable to work after ransomware attack 

• Ryuk ransomware now self-spreads to other Windows LAN devices 

• Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact 

• Acer reportedly hit with $50 million ransomware demand

• Quick tips for Veeam Backup Security  - Blocky for Veeam

• What about containers? Kubernetes Ransomware Protection with Kasten K10 v4.0 

• github CryptoBlocker - This is a solution to block users infected with different ransomware variants. 

FBI’s keys for protection...

• Back up data regularly.

• Verify the integrity of those backups regularly.

• Secure your backups.

• Isolate backups from the computers and networks they protect.

NOTE: Please contact Randy Lee for specifics and the presentation in its entirety. 

1. Use special credentials for backup storage/backup job.

2. Give each backup admin individual access.

3. Utilize offline storage.

4. Immutability.

5. Leverage different file systems / Protocols for backup storage.

6. Backup storage with native snapshot capabilities.

7. Let the Backup Copy Job do the work for you.

8. DR isn’t just for natural disasters.

9. Document your recovery plan.

10. Restore the minimum.

11. Veeam Backup for Microsoft Office 365 data.

12. Agents.

13. vPower® & the cloud.

14. Veeam patch management.

15. Security & network tools.

16. Users are your worst enemy.

17. Insider threats.

18. Have visibility into suspicious behavior.

19. Prepare for help.

20. Master the 3-2-1-0 Rule.