Ransomware and Veeam One

What is median dwell time? "The global median dwell time is the number of days that an attacker is in a computing environment before detection. Over the past decade, there has been a marked reduction in median dwell time, from just over one year (416 days) in 2011 to just under one month (24 days) in 2020."

"NIST SP 800-61 Detection and Analysis - Section 3.2"

Some of the following symptoms can point to an active ransomware infection in progress...

NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. With this in mind and per "NIST SP 800-61 Detection and Analysis - Section 3.2", Veeam One offers...

Veeam's Anomaly Detection for Ransomware

Enable Alarm Notifications - "Possible Ransomware Activity"

Note: Identifying potential ransomware activity with Veeam ONE - 6 min read

Note: “Possible Ransomware Activity”  alarm (CPU and Disk Writes) - 6 min read

Note: Veeam ONE 11: Working with Alarms

Enable Activity Scans - "Suspicious Incremental Backup Size"

Note: "Suspicious incremental backup size" alarm - 6 min read

Report suspicious backup file size

What are "Ransomware Canaries"?

What are Ransomware Canaries? (Click Here)

"Create an office document with a name that makes it obvious to your users that they shouldn't touch it and that will appear at the top or early in the file listing (keep in mind that ransomware usually traverses directories depth-first). Enable object auditing on the server for success events. Give the canary an SACL to monitor for success events on  create/modification/delete/takeownership/changepermissions. Create a scheduled task triggered by "Security" log event ID 4663 with "Microsoft-Windows-Security-Auditing" source, and an action that launches a powershell script with the arguments "$(SubjectDomainName)\$(SubjectUserName)" and "$(FileName)". The powershell script should check that the user is not a computer object (account name ends in "$") because the server will log itself as modifying the file before the user account does, and you may also wish to have it check the filename if you have other SACLs set up for other purposes. Have that script run the share blocking script above with a valid user, and it would also be a good idea to have it send an alert email using "Send-MailMessage"."

Anti-Ransomware File System Resource Manager (FSRM) Lists 

Note 1: “You may use the 'VM Change Rate History' and 'Job History' reports to get more information about the VM size changes and act from there. You may also want to involve the owner of the applications running on this VM to get more understanding of the situation once it's understood when exactly changes that caused the alarm to trigger happened."

Note 2: "It may be natural for a VM to have a high change rate, depending on what kind of applications are running there. In this case, you may adjust alarm thresholds accordingly or exclude that VM from the original alarm and create a separate individual alarm for it with specific thresholds."