This week Veeam announced a new security technology focused on Veeam Cloud Connect that will be released as part of Veeam Backup & Replication 9.5 Update 3 (Veeam B&R 9.5 U3). The problem it addresses is that hackers install ransomware on the production servers and delete all backups from every backup product they find, from the convenience of its user interface. Most of them are well aware of what to look for on the network – many admit in their exchange with the victim that they specifically look for servers running Veeam and other well-known backup software, and they use quite sophisticated network analysis tools to find those on the network. They also rarely stop at the main data center alone, looking for any saved public cloud credentials to destroy the entire Amazon or Azure environments along with all their snapshots and replicas. Here’s a guide to protect your Backup Server…
Anton said that pretty much every impacted customer had to pay the ransom, and they all asked the same question: “How can Veeam help us prevent this from happening in the future?” First, there is the usual story about the importance of air-gapped backups as the ultimate protection – and the different means of achieving those (rotated drives for small environments, tape or storage with write protection embedded in hardware for larger shops). I have already used the “rotated drives” process for small customers and it really works. However, many of Veeam’s customers were demanding automation of off-site backups, because they wanted to completely remove the human factor and not have to deal with the physical security issues of the manual off-siting process. This is what pushed Veeam to add the Veeam Cloud Connect functionality, along with source-side encryption and built-in WAN acceleration, and this functionality had tremendous success. But the one essential feature that Veeam Cloud Connect did not provide is some sort of air gap, which still leaves an insider the opportunity to just fire up the Veeam console and delete all those off-site backups sitting in the service provider environment! And this is exactly what Veeam is addressing in the upcoming update.
New protection feature:
Starting with Veeam B&R Update 3, Veeam Cloud Connect Service Providers will have an option to enable the new “insider protection” functionality on a tenant account. The concept is pretty simple: all deleted backup files are first moved to the “recycle bin” folder for a set number of days – while from the tenant's perspective, they appear actually deleted and do not consume the storage quota. This functionality protects tenants from both straightforward deletion of all backups from the Veeam console and a more sophisticated attack that reduces the job retention policy and then runs a few incremental backups of already encrypted production data (GFS full backups though). Note: backup files remain “online” in the recycle bin and in theory an additional insider in the service provider environment.
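The recycle-bin behaviour described above, as a simplified Python model added here for illustration; it is not Veeam code. The `TenantRepo` class, its method names, the 7-day period and the restore point names are all hypothetical.

```python
# Conceptual model only: not Veeam code. All names and values are hypothetical.
from dataclasses import dataclass, field


@dataclass
class TenantRepo:
    keep_days: int                               # provider-set recycle-bin period
    active: dict = field(default_factory=dict)   # name -> size in GB
    bin: dict = field(default_factory=dict)      # name -> (size, day deleted)

    def quota_used(self):
        # Tenant view: only active files count against the storage quota.
        return sum(self.active.values())

    def provider_used(self):
        # Provider view: recycle-bin files still occupy disk.
        return self.quota_used() + sum(size for size, _ in self.bin.values())

    def delete(self, name, today):
        # Every tenant-side delete is a move into the bin, never an erase.
        self.bin[name] = (self.active.pop(name), today)

    def apply_retention(self, restore_points, today):
        # Retention pruning removes the oldest files through the same path,
        # so shrinking the retention policy cannot bypass the bin.
        names = list(self.active)
        for name in names[:max(len(names) - restore_points, 0)]:
            self.delete(name, today)

    def purge_expired(self, today):
        # Only the passage of time empties the bin.
        for name, (_, day) in list(self.bin.items()):
            if today - day >= self.keep_days:
                del self.bin[name]

    def provider_restore(self, name):
        # Done by the service provider on request; the tenant has no such call.
        size, _ = self.bin.pop(name)
        self.active[name] = size


def simulate():
    repo = TenantRepo(keep_days=7)
    for day in range(1, 6):                          # constructed sample chain
        repo.active[f"restore_point_{day}"] = 10
    repo.apply_retention(restore_points=1, today=6)  # retention-reduction path
    repo.delete("restore_point_5", today=6)          # console-deletion path
    seen_by_tenant, on_disk = repo.quota_used(), repo.provider_used()
    repo.provider_restore("restore_point_4")         # tenant calls the provider
    repo.purge_expired(today=13)                     # recycle-bin period is over
    return seen_by_tenant, on_disk, sorted(repo.active), sorted(repo.bin)
```

In this model both deletion paths leave the tenant seeing zero quota used while all 50 GB remain on the provider's disk, and anything not restored before the period ends is gone for good.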
About Data Recovery:
Basically, the recovery steps from a tenant perspective, when backups are completely gone from the Veeam console, are simple. You need to call your Service Provider and ask for your backups to be moved from the recycle bin back to your cloud repository folder. This process is very similar to how backup seeding is performed, so most service providers are already well versed in it. More importantly, with this new capability, Veeam Service Providers will be “protecting your data from yourself”, so to speak – because unlike with “do it yourself” cloud backup approaches, you can’t possibly access the back-end environment where your backup files reside, as is the case with any repositories that you set up and manage yourself. Now waiting for Veeam Backup and Replication 9.5 Update 3! 🙂