Aug 11

Ransomware: Save your customers with Veeam B&R!

I wanted to write an article about “Ransomware“. Basically for many months, we get calls from our customers who are infected with the virus. It is based on “cryptolocker” type. A “cryptolocker” is malicious software that spreads mostly by mail. The user receives a request for final payment inside the message (in English or French), this one contains an attachment representing the invoice…

Veeam B&R 9 Update 2

Cryptolocker?

When the user opens the attached file, the malicious code will launch and will encrypt all files that can be accessed by the user lying on the workstation itself or on the network! At the root of each folder containing encrypted files, the malware creates a “.TXT, .JPEG, or .PNG” with instructions to decrypt the files. Then, you have to access to a specific website on which you can pay the ransom in Bitcoins. So the decryption key should be send to you. The users may not get back the infected files… The fisrt thing to know is the software is a mutant virus, it means that it can change several times a year. So, you must be careful and communicate regularly with the end users!

Here is some interesting statistics on the current state of ransomware from “Security Magazine“. Lots of great (and scary) numbers to make you think, but arguably the most shocking one for me was that globally, more than 40 percent of victims paid the ransom. This could only mean almost have of the companies in the world are not backing up their critical data – or at least not doing it properly. For example, ransomware is actually one of a few cases which are a great fit for protection based on storage-based snapshots – however, I find that most people using storage snapshots don’t keep them long enough due to disk space consideration and/or storage limitations, and often spot ransomware too late – when all of the snapshots already contain encrypted data.

Save your customers with Veeam B&R!

If you don’t have a Cryptolocker backup strategy, you risk losing all your files. Worse, there are reports of people paying the ransom to get their files back, but still not receiving the deciphering key. As I was saying, user with sufficient rights can assign the shared files on the network so a “File Server”. In this case, customers are panicked, they call me and ask me for advice to define an action plan. Some people don’t think directly to Veeam B&R when the software is used in business, they are mainly focusing on security and need to run a full analysis of virus which is heavy. Others think to use granular files recovery feature without knowing how many files are impacted.

If you don’t have a Cryptolocker backup strategy, you risk losing all your files. Worse, there are reports of people paying the ransom to get their files back, but still not receiving the deciphering key. As I was saying, user with sufficient rights can assign the shared files on the network so a “File Server”. In this case, customers are panicked, they call me and ask me for advice to define an action plan. Some people don’t think directly to Veeam B&R when the software is used in business, they are mainly focusing on security and need to run a full analysis of virus which is heavy. Others think to use granular files recovery feature without knowing how many files are impacted.

In my opinion, I advise to use the “Entire VM Recovery” or “Instant VM Recovery” functionalities. Indeed, with low RPO it’s the best way to start on a clean and secured system. Believe me we saved a lot of customers from January 1, they were very satisfied about the simplicity and effectiveness of the product and that in this critical time! 😉

Infected?

Below the steps to follow when you are infected by a ransomware:

  • Disconnect all servers with network sharing files. Goal is to stop malware that continues the files encryption and basically reduce the infected area.
  • Disconnect the target workstation of the network if it has been identified. There are any solutions to identify the source. Including: A file is opened on the desktop of the user containing the payment process. In the folders containing the encrypted files, you can execute the Properties of a file and check the file owner. That allows you to identify the infected user, so the target workstation.
  • Delete the encrypted files and restore them.
  • Reinstall the workstation with a partition cleaning (don’t take any risks) and delete the message in the mailbox of the user.
  • Ransomwares are punished by law.

You can learn more about Veeam Backup & Replication 9.5 here.

 

 

Advertisement

3 pings

  1. […] Continue reading » […]

  2. […] the last word from Gotstev, he has written about ransomware story affecting a Veeam customer. No matter how similar these stories are to one another, someone […]

  3. […] & Replication 9.5 Update 3 (Veeam B&R 9.5 U3). Cause of the problem is hackers install ransomware on the production servers and deletes all backups from all backup software they find from the […]

Leave a Reply