Ransomware and Veeam
"The destructive power of complacency."
"By 2025, at least 75% of IT organizations will face one or more attacks, as free-rein researchers document a dramatic increase in ransomware attacks during 2020, pointing to sevenfold or higher rates of growth." - Gartner
"Backup security. Forty-three percent of respondents said they felt very concerned about their backups suffering infection or corruption following a ransomware attack, and an additional 44% said they were somewhat concerned. Less than half (49%) said their organization takes extra measures to protect all backup copies." Source
Global estimated damages from Ransomware attacks...
Attack rate in 2016 - 40 seconds
Attack rate in 2019 - 14 seconds
Attack rate in 2021 - 11 seconds
147% annual increase in associated losses from Ransomware attacks.
"96% of Veeam customers cut their average ransomware recovery costs under $5,000. 76% of Veeam customers have to spend NOTHING AT ALL" - Cybercriminals are notoriously responsive to defenses which cut into their profitability!!
"Don't wait for the problem to be a problem!"
Please SCROLL DOWN for "Ten tips to prevent ransomware attacks using Veeam."
Important Ransonware information (Click Here)
"Ransomware works by encrypting user's files through asymmetric encryption methods. The attacker then demands money in exchange for decrypting the files. There are several ways ransomware can attack and encrypt files, with varying degrees of complexity."
What is ransomware? - 6 min read
"On average, there is a ransomware attack every 11 seconds. 51% of victims pay the ransom at an average of $200K per attack, amounting to $20B in total cost." (source)
“In North America, ransomware attacks affected nearly 7-in-10 companies in 2020” (source)
"Bad Rabbit is a 2017 ransomware attack that spread using a method called a 'drive-by' attack, where insecure websites are targeted and used to carry out an attack. .Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection." Five of the most significant ransomware attacks in 2020 include: Maze, REvil, Ryuk, Tycoon, NetWalker.
How do I get Ransomware?
"There are several different ways that ransomware can infect your computer. One of the most common methods today is through malicious spam (or malspam), which is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents."
Recover from a ransomware attack in Microsoft 365 - "Step 1: Verify your backups"
What's the trend for Ransomware?
"According to Trend Micro, computer criminals continue to show an interest in ransomware, as well as cheap offerings associated with deepfake services on underground web marketplaces. Malwarebytes noted that malicious actors could ultimately combine these two threats together into “deepfake ransomware” attacks". Aug 4, 2020
What percentage of people pay the ransom?
"In 2018, 39 percent of ransomware victims paid the ransom. In 2019, that number rose to 45 percent. Today, as many as 58 percent of ransomware victims, from every industry, have paid ransom. Apr 3, 2020"
Can Ransomware be removed?
"Every filecoder has its own method of encryption, which means you can't simply remove it like other forms of malware. To avoid being studied and decrypted, most ransomware programs delete themselves after a set period of time. Sep 25, 2019"
Ransomware is attacking NAS data – are you prepared? - 6 min read
3 storage options against ransomware - 3 min read
Winning the War on Ransomware in H2 2020 - 26:24 video
Three Ultimate Strategies for Ransomware Prevention - 1:02:55 video - Rick Vanover
So what is the key lesson Mendoza would say that other organizations need to take away from Spectra Logic's experience? "You've got to limit your attack blast radius. Backup your data in multiple locations on multiple mediums and the key is to air-gap it. Whether it's physical air-gap or virtual air-gap, you've got to put a wall between an attack and your data," he said."
NIST: An Introduction to the Components of the Framework
TEN tips to prevent ransomware attacks using Veeam
Your Ransomware plan needs to be provable, documented, reliable, AND tested.
See The 3-2-1 rule for ransomware protection - 7 min read
See Fight Ransomware with Veeam 10 Immutability Feature - by vladan.fr - 6 min read
Hardened Backup Repository - 12 min read
Note: Look for "Hardware-integrated Veeam Immutability" for information on Cisco, HPE, NetApp, Pure, etc...
Principle of Least Privilege (POLP) - Only authorized users should have permissions to access backups and replicas on target servers. - 2 min read
What is Microsoft tiering model? - "The Microsoft tiering model (Tier 0, 1, and 2) defines three tiers that create buffer zones to separate administration of high-risk PCs and valuable assets like domain controllers." - 2 min read
2FA: Two-Factor Authentication on Veeam Components / Perhaps YubiKey (Yubico Quiz), FIDO U2F, or Duo? - 3 min read - Note: Recommend disabling SMS/call authentication options in your 2FA solution, in favor of using an authenticator app on a smartphone.
VBR Required Permissions - Planning and preparation. - 15 min read
Both Encryption and Infrastructure Hardening ("Protect") - Topics: "Protect"-"Hardening"-"Secure by Design"-"Remove Unused Components"-"Console Access"-"Roles and Users"-"Required Permissions"-"Encryption"-"Backup and Replication Database"-"Segmentation"-"Visibility"-"Recovery Strategy" - 15 min read
Schedule Configuration Backups - Periodic configuration backups reduce the risk of data loss and minimize the administrative overhead if any problem with backup servers occurs. - 2 min read
This chapter provides practical advice to help administrators to harden their infrastructure. It follows security best practices so that customers reduce chances of being compromised.
Security Considerations - No (or extremely limited) access to the Internet to inhibit introduction of ransomware. - 5 min read
Encryption Best Practices - "To guarantee the flawless process of data encryption and decryption, consider these recommendations." - 5 min read
Veeam KB1999 - "How to configure antivirus exclusions to prevent interaction with Veeam Backup & Replication" - 5 min read
"Possible Ransomware Activity"
What is median dwell time? "The global median dwell time is the number of days that an attacker is in a computing environment before detection. Over the past decade, there has been a marked reduction in median dwell time, from just over one year (416 days) in 2011 to just under one month (24 days) in 2020." - 2 min read
"Suspicious Incremental Backup Size"
Automated step to scan the backup for malware
IRE - Isolated Recovery Environment - "The IT organization must build an isolated recovery environment (IRE), in which applications and data can be restored, but remain isolated from external actors that might seek to trigger malware that was restored with application. This IRE will also include a variety of malware scanners that detect malware based on signatures or through more advanced behavioral detection methods that use AI/ML to scan for activity that might indicate malware activity." - NOTE: See SureBackup
See Brad Linch: 5 Ways Veeam Provides Ransomware Protection - 8 min read
Veeam Backup & Replication allows you to scan machine data with antivirus software before restoring the machine to the production environment. During secure restore, Veeam Backup & Replication mounts disks of the machine that you plan to restore to the mount server.
How Secure Restore Works - Not all systems have full AV, malware protection. - 10 min read
Use cases: Data mining, classification, security analysis, eDiscovery, data forensics
"IRE": "Isolated Recovery Environment" (See number 6 above)
"Scanning backup files to assess their health and recoverability is crucial and something Gartner recommends as part of their Isolated Recovery Environment for backup vendors. Verifying backups to ensure no known vulnerabilities get re-injected into the production environment during restores can be a massive timesaver."
See Reuse your data with the new Data Integration API - 4 min read
Example: Exagrid's Native Veeam Data Mover. - 4 min read
...AND be sure to protect your Microsoft Office 365 against a BEC ("Business Email Compromise") with VBO.
24:35 video from Angelbeat entitled Ransomware and NIST Cybersecurity Framework with Veeam
Great read from Brad Linch:
How Should Companies Handle Ransomware? - Aug 25 2022 - 6 minute read
The next wave of Ransomware - Sep 14 2022
Alignment of Backup within Cyber Preparedness - 4 minute read
12 simple questions to assess your current ransomware prevention and recovery risks (in less than 10 minutes.)
Попробуйте этот странный трюк, который ненавидят русские хакеры (Click Here)...
Try this one weird trick Russian hackers hate...
"In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick."
"Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install."
“This is for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware.”
"To install a different keyboard language on a Windows 10 computer the old fashioned way, hit the Windows key and X at the same time, then select Settings, and then select “Time and Language.” Select Language, and then scroll down and you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot. Again, if for some reason you need to toggle between languages, Windows+Spacebar is your friend."
Here are few recommendations for remediation that should be at your disposal should a ransomware incident happen... (Click Here)
Veeam Support: There is a special group within the Veeam support organization that has specific operations to guide customers through data restores in ransomware incidents. You do not want to put your backups at risk; they are critical to your ability to recover.
Communications first: In disasters of any type, communication becomes one of the first challenges to achieve. Have a plan for how to communicate to the right individuals out-of-band. This would include group text lists, phone numbers or other mechanisms that are commonly used for on-call mechanisms but expanded for an entire IT operations groups.
Experts: Have a list of security, incident response, identity management, etc. experts that are ready to be contacted if needed. They can be within the organization or external experts. If a Veeam service provider is used, there are additional value adds to their base offering that can be considered (such as Veeam Cloud Connect Insider Protection). Chain of decision: One of the hardest parts of recovering from a disaster is decision authority. Who makes the call to restore, to fail over, etc.? Have business discussions about this beforehand.
Ready to restore: When the conditions are right to restore, implement additional safety checks before putting systems on the network again. Part of those tips are explained earlier in this document but additional steps can include restoring with network access disabled for a final check.
Restore options: Depending on the situation, maybe a whole VM recovery is best. Possibly a file-level recovery makes sense. Familiarity with your recovery options will help greatly.
Restore safely: As explained earlier, Veeam Secure Restore will trigger an antivirus scan of the image before the restore completes. Use the latest anti-virus and malware definitions and perhaps an additional tool to ensure a threat is not reintroduced.
Force password resets: Users don’t like this but implement a sweeping forced change of passwords. This will reduce the threat propagation surface area.
QUESTION: Pre-authorization (CRITICAL): Do you have authority (pre-authorization) to take action in the event of a cybersecurity incident?
"THE WORD FROM GOSTEV" - Sun 2/13/2022 - 5:50 PM... (Click Here)
SVP, Product Management at Veeam Software.
The guy behind Veeam Backup & Replication.
"I've spent many years now advocating for the usage of air-gapped (offline) or immutable backup storage in these newsletters - and I'm happy to see many customers now rushing to implement this best practice. Our support big data indicates that the number of such installs nearly doubled in the last less than 2 years, thanks to heightened ransomware concerns in particular. But for me, it also means that I can reduce ringing this same bell and change the tune to covering a bit different scenario: "We have a solid backup strategy. What else should we do now – and what do we do when the attack actually happens"? I hope that sharing what I learnt from the customers who've been through this will help better prepare everyone to face the same, as unfortunately the reality is such that it's unavoidable for most of us.
First, do the following as soon as possible:
If you do not have a cyber insurance yet, get it now. There are many good reasons to do so, but the most important one is extremely unobvious: without a cyber insurance, you will have a big trouble finding good recovery specialists to help you, as all the decent ones are now employed by the cyber insurance organizations. Just think how bad the staff shortage in the cyber-security industry is since the raise of ransomware, and what level of expertise will you be able to find on a short notice as a result.
Think through the reserve communication channels: cell phones and failback email (something completely external like Gmail). You will need something to communicate with vendors like Veeam, but your usual telephony and email systems will likely be down. So ensure that the reserve communication channels are registered with your IT vendors, otherwise you may not even be able to open a support case on behalf of your company.
Plan where are you going to restore your environment to following an attack. I've now seen it more than once when customers were caught with their pants down by police confiscating their production storage systems as evidence. So they had good backups, but no hardware to restore them to. And since getting new hardware will take forever due to the current supply chain issues, while having a spare hardware just sitting there is not something many can afford, restoring your environment to cloud IaaS may literally be the ONLY option. Veeam enables you to restore directly to AWS/Azure/GCP, and some of our Veeam Cloud Connect service providers can restore your backups into their data center too – but be sure to test the entire process so that there are no surprises. This will also force you to put all the required networking in place and not waste time on this later.
Once you become aware of the on-going attack:
Take everything potentially affected offline to minimize damage. While painful, it's no longer just about your production data being encrypted: hackers may be streaming your critical production data out of the environment, and this will enable them to threaten you with its disclosure later.
Open support cases with your critical infrastructure vendors, including Veeam. You will likely need assistance from all of them in due time. When you open a case, do remember to mention how you can be reached. Most folks forget to do this in a heat of the moment, making our SWAT team unable to contact you due to all your systems being down.
Do NOT just go restoring your backups. The intrusion usually happens a few weeks before the actual attack, so there's rarely a point in mass-restoring your most recent backups. Unless you're fine wasting time restoring your environment to the state where the sleeping ransomware is already present and/or the threat actor already has remote access with high privileges (plus multiple well-hidden fallback options for when you start disabling or changing passwords for known admin accounts).
Set realistic expectations with the executive team: full recovery may take a long while. In one recent example of an actual attack, the customer had solid Veeam backups but it took the security specialists assigned by the cyber-insurance company 2 weeks to reconstruct what happened before they even allowed to start restoring those backups! And in particular, they found that ransomware has penetrated the environment for 4 weeks before the actual encryption attack!
Only after the attack is fully understood, the recovery of recent backups can start and it will always be staged. First, each machine is restored into a quarantine environment where the actual cleaning from the determined threats takes place. In addition, each machine is scanned by multiple advanced security tools to ensure there are no other sleeping threats. Only after all of this is done, the cleaned up machine state is moved into the production environment. Those of you who know Veeam well are probably jumping out of their seats right now because it all sounds waaaay too familiar and is exactly how our Staged Restore works, right? You're correct, but...
This will be the moment when your earlier backup storage selection process flashes before your eyes, as slow backup storage will not let you do any of that magic. This is why we suggest using small but fast primary backup repositories! Otherwise, in one other recent attack, the customer in the end chose to perform entire VM restore of each VM from their deduplicating backup storage target into an isolated lab with all-flash array first, do the cleaning and scanning there, and then move processed machines to the production storage. Even if this meant effectively performing an entire VM restore twice, it was still way faster than running VMs from backup on dedupe storage. While entire VM restore from dedupe storage is actually quite fast with Veeam, because we use "sequential reads > random writes" approach to get a decent restore performance (as dedupe appliances are optimized for sequential I/O)."
What is the "Internet Crime Complaint Center IC3"? (Click Here)
You should file a complaint with the IC3 if you believe you have been the victim of an Internet crime or if you want to file on behalf of another person you believe has been such a victim.
"IC3's purpose is to serve as a central hub to receive, develop, and refer criminal complaints regarding the rapidly expanding occurrences of Internet crime. The IC3 gives victims a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations on the Internet. IC3 develops leads and notifies law enforcement agencies at the federal, state, local and international level."
Companies can also contact their local FBI field office. It will ask for the following information...
Date of Ransomware attack
How the infection occurred
Amount paid, if any
The ransomware variant
Information about your company, such as industry, size, etc...
Victim impact statement; and
Losses due to the ransomware attack.
What are the "US-CERT Federal Incident Notification Guidelines"? (Click Here)
Companies can also report ransomware to CISA. Like reporting to the FBI, CISA has specific ransomware reporting requirements...
"Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian Executive Branch agency is potentially compromised, to the NCCIC/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In some cases, it may not be feasible to have complete and validated information for the section below (Submitting Incident Notifications) prior to reporting. Agencies should provide their best estimate at the time of notification and report updated information as it becomes available. Events that have been found by the reporting agency not to impact confidentiality, integrity or availability may be reported voluntarily to US-CERT; however, they may not be included in the FISMA Annual Report to Congress."
"The Cybersecurity and Infrastructure Security Agency (CISA) is a standalone United States federal agency, an operational component under Department of Homeland Security (DHS) oversight. Its activities are a continuation of the National Protection and Programs Directorate (NPPD). CISA was established on November 16, 2018 when President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018."
Identify the current level of impact on agency functions or services.
Identify the type of information lost, compromised or corrupted.
Estimate the scope of time and resources needed to recover from the incident.
Identify when the activity was first detected.
Identify the number of systems, records and users impacted.
Identify the network location of the observed activity.
Identify point of contact information for additional follow-up.
Video: Dealing with a Ransomware Attack: A full guide... (Click Here)
There are two main types of ransomware: locker and crypto ransomware, each with many variants (Click Here)...
Locker Ransomware: It works by preventing system administrators from reaching their systems by denying access to computing resources, and then demanding a ransom to regain access. Imagine a cybercriminal changing the administrator and root passwords in your corporate servers or cloud servers.
Crypto Ransomware: it works by encrypting the organization’s data, taking it hostage until the victim pays the ransom and obtains the decryption key from the attacker; otherwise, data is destroyed. Crypto ransomware is the most dominant threat and the focus of this article.
Island hopping, also called leapfrogging or pivoting, is a cybersecurity exploit in which an attacker gains access to an intended target by initially exploiting the employees and supply chain partners who have access to the target's network.
In this type of lateral attack, the threat actor exploits a weakness downstream from the actual target and uses it as a launching point to reach the intended target. The term island hopping is inspired by a military strategy used in the Pacific theater during World War II.
Generally, island hopping attackers pick employees, customers and smaller companies that work with the target organization, hoping that their cyberdefense will be weaker than the ultimate target. Island hopping attacks often begin through phishing exploits in which the attacker disguises themselves as a reputable entity in an email or other communication channel. Continue reading about island hopping attacks...
Ransomware Attacker Stages (Click Here)...
Stage 0: Entry point found - no action taken.
Stage I: Attackers have access to or control of an individual system or limited systems.
Stage II: Attackers have control of the broader infrastructure and are in “read-only” mode, potentially stealing data.
Stage III: Attackers have control of the broader infrastructure and have “write” access, potentially altering data.
Stage IV: Attackers have administrative control. Attackers can create new means of entry as well as alter, read and steal data.
Category 0: Exercise Incident
Category 1: Unauthorized Access
Category 2: Denial of Service
Category 3: Malicious Code
Category 5: Improper Use
Category 6: Investigation
CORE TO SECURITY: The CIA triad is a guiding principle that many organizations use to create their information security policies, processes and procedures... (Click Here)
Great ways to safely simulate and assess the risk of phishing success... (Click Here)
KnowBe4 can be used for security awareness that goes beyond end user and administrator education . This service is a provides security awareness training with the added benefit of simulated phishing attacks .
Aside from KnowBe4, there are open-source resources in place to help with phishing as well . One example is Gophish, which allows you to create dashboards and send emails to see if your recipients will actually click on phishing emails . You can set up a phish test in just minutes .
How do you write a Warning/Alert email about Ransomware to your Users? (Click Here)
How do you write a Warning/Alert email about Ransomware to your Users? by one2254 on Apr 8, 2017 - Spiceworks
Dear End User,
Ransomware is a type of encrypting malware that encrypts important company files and holds them for ransom. Ransoms typically range from hundreds to thousands of dollars. Cybercriminals made over $1billion dollars last year from businesses attacked by ransomware and since these cybercriminals have learned to monetize attacks; their frequency and severity of attacks will continue to grow exponentially.
You should be aware that most ransomware attacks come in the form of an email attachment and you should exercise extreme caution when opening email attachments. Never open an attachment in an email you were not expecting to receive or that you do not recognize the sender. You should use the same caution when presented with URL's that you do not recognize or came from an unknown sender.
With today's advanced ransomware techniques you only have to visit a website to become infected with ransomware. Let me make that clear. You DO NOT have to click anything on the website to infect the company with data encrypting ransomware.
In 2017 alone:
Ransomware emails spiked 6,000%
40% of all spam email had ransomware
59% of infections came from email
92% of surveyed IT firms reported attacks on their clients
These numbers are scary but important for you to know. As an employee of (company ABC) you are our first line of defense against ransomware. Please follow the best practices as outlined in this email to ensure you do your part to keep ransomware off the company network. Failure to do so could result in significant downtime and monetary cost to (company ABC) and we all need to be vigilant in stopping these attacks.
If you have further questions about ransomware and how you can help prevent it from infecting (company ABC)'s network; please reach out to firstname.lastname@example.org or call the help desk at 1-555-555-5555.
CLICK HERE additional information on Ransomware...
Keep in mind that...
Prepare for the battle against Ransomware - 14:51 video
Ransomware gangs are now cold-calling victims if they restore from backups without paying - Tactic used since August by ransomware gangs like Sekhmet, Maze, Conti, and Ryuk.
Mr. Ransom Ware - The Interview - Veeam Animal - Dec 17, 2020
What about containers? Kubernetes Ransomware Protection with Kasten K10 v4.0
github CryptoBlocker - This is a solution to block users infected with different ransomware variants.
FBI’s keys for protection...
Back up data regularly.
Verify the integrity of those backups regularly.
Secure your backups.
Isolate backups from the computers and networks they protect.
NOTE: Please contact Randy Lee for specifics and the presentation in its entirety.
Use special credentials for backup storage/backup job.
Give each backup admin individual access.
Utilize offline storage.
Leverage different file systems / Protocols for backup storage.
Backup storage with native snapshot capabilities.
Let the Backup Copy Job do the work for you.
DR isn’t just for natural disasters.
Document your recovery plan.
Restore the minimum.
Veeam Backup for Microsoft Office 365 data.
vPower® & the cloud.
Veeam patch management.
Security & network tools.
Users are your worst enemy.
Have visibility into suspicious behavior.
Prepare for help.
Master the 3-2-1-0 Rule.