Ransomware: Veeam and ExaGrid

ExaGrid’s Retention Time-Lock for Ransomware Recovery is in addition to the long-term retention of backup data and uses 3 distinct functions:

  1. Immutable data deduplication objects.

  2. Non-network-facing tier (tiered air gap).

  3. Delayed delete requests.

Insulation from Ransomware

When ransomware strikes, it is critical to have backups insulated from the malicious encryption/damage since they may be your last line of defense. ExaGrid helps insulate backups in the following ways...

  1. Comprehensive access security...

  • ExaGrid shares can be accessed only from designated backup/media servers. While those servers may also be subject to rampant ransomware, the fewer servers that have access to your backups, the better.

  • SMB signing can be enabled for ExaGrid shares, requiring Windows account credentials to be authenticated and authorized before access is granted to an ExaGrid share, further reducing the chance of malicious access to backups.

  • Veeam Accelerated Data Mover shares require a separate Veeam password and are accessible only via SSH, which also reduces the chance of malicious access to Veeam backups.

  • All accounts used to manage the ExaGrid software are protected using non-default passwords. This includes the backup “admin” account, the special ExaGrid customer support account, and root access.

  2. ExaGrid software is updated at least quarterly with the latest appropriate CVE fixes, reducing the ways ransomware can gain access to ExaGrid servers. Software may be updated more frequently as dictated by CVE severity.

  3. Each ExaGrid server runs a proper firewall and a customized Linux distribution that opens just the ports and runs just the services necessary for receiving backups, web-based GUI, and ExaGrid-to-ExaGrid replication.

  4. Communication between ExaGrid servers is secured using Kerberos authorization and authentication, protecting against a “man in the middle” attack from malicious users or software.

Ransomware Recovery – 5 Easy Steps

  1. Invoke recover mode.

    • ExaGrid’s Retention Time-Lock clock is stopped, with all deletes put on hold indefinitely until the data recovery operation is complete.

  2. The backup administrator can carry out the recovery using the ExaGrid GUI, but since this is not a common operation, we suggest contacting ExaGrid customer support.

  3. Determine the time of the event so you can plan the restore.

  4. Determine which backup on the ExaGrid completed deduplication before the event.

  5. Perform restore from that backup using the backup application (Veeam).
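Steps 3 and 4, together with the delayed-delete behaviour, as an added Python sketch (not ExaGrid or Veeam code, and not part of the original page): it picks the latest restore point whose deduplication completed before the event and whose delayed delete had not yet come due when recover mode stopped the clock. The record fields, the 10-day lock period and the sample restore points are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed lock period for this sketch; the page does not state one.
TIME_LOCK = timedelta(days=10)

@dataclass(frozen=True)
class RestorePoint:                      # hypothetical record, not a vendor schema
    name: str
    dedup_finished: datetime             # when deduplication of this backup completed
    delete_requested: Optional[datetime] = None  # pending delete request, if any

def still_held(point, clock_stopped_at):
    """A delete request takes effect only after TIME_LOCK has elapsed on the
    time-lock clock; recover mode stops that clock at clock_stopped_at."""
    if point.delete_requested is None:
        return True
    return point.delete_requested + TIME_LOCK > clock_stopped_at

def pick_restore_point(points, event_time, clock_stopped_at):
    """Latest point deduplicated before the event that is still held."""
    candidates = [p for p in points
                  if p.dedup_finished < event_time
                  and still_held(p, clock_stopped_at)]
    return max(candidates, key=lambda p: p.dedup_finished, default=None)

# Constructed sample data: deletes for the daily backups are requested at
# event time; recover mode is invoked two days later.
EVENT = datetime(2024, 3, 14, 2, 30)
RECOVER_MODE = datetime(2024, 3, 16, 9, 0)
POINTS = [
    # Routine purge requested 03-03; its delay ran out on 03-13, so it is gone.
    RestorePoint("weekly-03-02", datetime(2024, 3, 2, 6, 0),
                 delete_requested=datetime(2024, 3, 3, 0, 0)),
    RestorePoint("daily-03-12", datetime(2024, 3, 12, 5, 40),
                 delete_requested=EVENT),
    RestorePoint("daily-03-13", datetime(2024, 3, 13, 5, 55),
                 delete_requested=EVENT),
    # Deduplication finished after the event, so it is not a safe candidate.
    RestorePoint("daily-03-14", datetime(2024, 3, 14, 6, 10)),
]

if __name__ == "__main__":
    chosen = pick_restore_point(POINTS, EVENT, RECOVER_MODE)
    print("Restore from:", chosen.name if chosen else "no safe restore point")
```

In this model, invoking recover mode after the lock period has run out leaves no candidate, which is why step 1 comes first.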

Additional Information

ExaGrid advantages are:

  1. Long-term retention is not impacted; the Retention Time-Lock is in addition to the retention policy.

  2. Immutable deduplication objects cannot be modified, changed or deleted (outside of the retention policy).

  3. Manage a single system instead of multiple systems for both backup storage and ransomware recovery.

  4. Unique second Retention Tier that is visible only to ExaGrid software, not to the network (tiered air gap).

  5. Data is not deleted, because delete requests are delayed, and is therefore ready to recover after a ransomware attack.

  6. Daily, weekly, monthly, yearly, and other purges still occur, but are simply delayed, to keep storage costs in line with the retention periods.

  7. Requires up to an additional 2% to 10% of repository storage.

  8. Storage does not grow forever and stays within the backup retention period set to keep storage costs down.

  9. All retention data is preserved and is not deleted.
