Detection & Response to Ransomware with Veeam

Learn how Veeam helps customers and partners detect and respond to ransomware with Veeam Backup & Replication (B&R) and Veeam ONE. This blog post covers the reports and alerts that can be leveraged if ransomware strikes. With insights for VBR as well as VMware vSphere and Microsoft Hyper-V, Veeam ONE delivers deep, intelligent monitoring, reporting and automation through interactive tools, identifying and resolving real customer problems before they begin.



Veeam has a three-tiered approach to helping companies identify the best point-in-time (PIT) to recover from:

  • Identify suspicious behavior on the actual production VMs (VMware and Hyper-V),
  • Identify anomalies in the underlying backup files,
  • Automatically scan backup files before restoring machines into production.

Identifying Suspicious Behavior on the VMs:

Making sure there is a recoverable backup is just one step (identifying the safe assets); it is also important to monitor the entire environment for suspicious or unusual activity. Veeam goes beyond looking at the backup data for anomalies: it looks at the hypervisor and network level as well. Higher-than-normal disk writes or CPU utilization could be a sign that ransomware has infected the machine. The goal of the alarm is to pinpoint the potentially infected machine before the ransomware can propagate to other systems.


The key to this alarm, though, is the historical view. It helps identify when the ransomware activity potentially started and which backups are a good place to start recovery from.


Identifying Anomalies in Backups:

Veeam’s Suspicious Backup File Size Analyzer lives up to its name. This alarm identifies patterns in your backup data: it analyzes backups looking for a large number of file and block changes. If an anomaly is detected, an alert is sent to the system administrators.


This alarm can be easily integrated into the main Veeam console thanks to a script created by Steve Herzig. If an anomaly is detected, it shows up in the job statistics.


Simply take the script from GitHub and place it in the post-job script section of your backup jobs. Specify how many previous PITs you would like it to analyze in the “Depth” field, and what amount of growth should be considered suspicious in the “Growth” field.


These first two steps give the business a good idea of which PITs to recover from. Without them, ransomware is the worst kind of disaster, because countless hours or even days are spent manually identifying which point in time to recover from.
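As an added illustration of the two detection steps above (this is not Veeam’s or Steve Herzig’s code; the thresholds, function names and sample telemetry are assumptions made for the example), the following Python script flags a VM whose disk-write rate or CPU usage jumps far above its own historical baseline, flags a restore point whose incremental backup size grew more than a configurable percentage over the previous “Depth” points, and then recommends the newest restore point that predates the first anomaly:

```python
"""Added example (not Veeam's or Steve Herzig's code): the two detection steps
described above, reduced to plain Python over constructed sample data.
Thresholds (z_threshold, depth, growth_pct) are assumptions, not Veeam defaults."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2023, 9, 1, 0, 0)  # constructed start of the observation window


def hour(n):
    """Timestamp n hours after T0 (helper for the constructed data)."""
    return T0 + timedelta(hours=n)


# --- Step 1: VM telemetry compared with its own historical baseline ---------

def vm_anomalies(samples, baseline_len=24, z_threshold=4.0):
    """samples: {vm: [(ts, write_mb_s, cpu_pct), ...]} sorted by ts.
    The first `baseline_len` samples form the baseline; a later sample is an
    anomaly when a metric exceeds baseline mean + z_threshold * stddev.
    Returns {vm: (first_anomalous_ts, metric_name)}."""
    flagged = {}
    for vm, rows in samples.items():
        base, recent = rows[:baseline_len], rows[baseline_len:]
        if len(base) < 2 or not recent:
            continue  # not enough history to judge this VM
        for idx, name in ((1, "write_mb_s"), (2, "cpu_pct")):
            vals = [r[idx] for r in base]
            # floor on stddev avoids a divide-by-zero on a perfectly flat baseline
            mu, sd = mean(vals), max(pstdev(vals), 1.0)
            hit = next((r[0] for r in recent if (r[idx] - mu) / sd > z_threshold), None)
            if hit is not None and (vm not in flagged or hit < flagged[vm][0]):
                flagged[vm] = (hit, name)
    return flagged


# --- Step 2: incremental backup file size compared with previous PITs --------

def backup_size_anomalies(points, depth=5, growth_pct=50.0):
    """points: [(ts, size), ...] oldest first, one entry per incremental file.
    A point is suspicious when its size exceeds the average of the previous
    `depth` points by more than growth_pct percent. With fewer than depth + 1
    points there is nothing to compare against and the result is empty.
    Returns [(ts, growth_percent), ...]."""
    suspicious = []
    for i in range(depth, len(points)):
        avg = mean(size for _, size in points[i - depth:i])
        pct = (points[i][1] - avg) / avg * 100 if avg else 0.0
        if pct > growth_pct:
            suspicious.append((points[i][0], round(pct, 1)))
    return suspicious


def recommend_restore_point(points, vm_flags, size_flags):
    """Newest restore point strictly older than the earliest anomaly from either
    step; the newest point when nothing was flagged; None when every point is
    newer than the first anomaly (no clean PIT is left on this chain)."""
    firsts = [ts for ts, _ in vm_flags.values()] + [ts for ts, _ in size_flags]
    if not firsts:
        return points[-1][0]
    first_bad = min(firsts)
    clean = [ts for ts, _ in points if ts < first_bad]
    return max(clean) if clean else None


# --- Constructed sample data -------------------------------------------------

def _hourly(values):
    return [(hour(i), *v) for i, v in enumerate(values)]

SAMPLES = {
    # 24 h of quiet baseline, 6 h of normal drift, then a write/CPU spike at hour 30
    "fileserver01": _hourly([(12.0, 15.0)] * 24 + [(13.0, 16.0)] * 6 + [(180.0, 92.0)] * 6),
    "web01": _hourly([(3.0, 20.0)] * 36),  # never changes; must not be flagged
}

# one incremental every 6 h (sizes in MB); the last one balloons as files get encrypted
POINTS = [(hour(6 * i), size) for i, size in
          enumerate([2_000, 2_100, 1_900, 2_050, 2_000, 2_100, 9_800])]

if __name__ == "__main__":
    vm = vm_anomalies(SAMPLES)
    sz = backup_size_anomalies(POINTS)
    print("suspicious VMs:", vm)
    print("suspicious restore points:", sz)
    print("recommended PIT:", recommend_restore_point(POINTS, vm, sz))
```

On the constructed data the VM alarm fires at hour 30 for fileserver01, the size analyzer flags the hour-36 incremental, and the recommended PIT is the hour-24 restore point, the last one taken before anything looked wrong. The two signals are deliberately kept independent: a VM can be encrypted hours before its next incremental is written, which is why the earliest of the two anomaly times drives the recommendation.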

Automatically Scan Backups Before Restoring:

Lastly, whether it is done proactively or reactively, Veeam can scan backup files for malware prior to restoring machines into production. If malware is found, you can either abort the recovery or restore the machine without a network attached, for deeper forensics.


Defense-in-depth – target to hit:

First, respect this rule: 3-2-1-1-0 (with Trusted Immutability, one Offline Backup, and Backup Verification).
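As an added example (not Veeam’s code), here is a small Python evaluator for the 3-2-1-1-0 rule stated above, run against a constructed inventory of backup copies. The reading of the rule used here is an assumption: 3 copies, on 2 different media, 1 of them off-site, 1 of them offline or immutable, and 0 errors on the last verification of every copy. It reports which part of the rule an inventory misses rather than a bare pass/fail:

```python
"""Added example (not Veeam's code): an evaluator for the 3-2-1-1-0 rule, run
against a constructed inventory of backup copies. The interpretation of each
digit below is an assumption made for this example."""
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str                 # e.g. "disk", "object", "tape"
    offsite: bool
    offline: bool = False      # air-gapped copy (tape in a vault, isolated recovery)
    immutable: bool = False    # object lock / hardened repository retention lock
    verified_ok: bool = False  # last automated restore test passed


def evaluate_3_2_1_1_0(copies):
    """Return {rule: (passed, detail)} so that each gap is visible."""
    media = sorted({c.media for c in copies})
    return {
        "3 copies": (len(copies) >= 3, f"{len(copies)} copies"),
        "2 media": (len(media) >= 2, ", ".join(media) or "none"),
        "1 offsite": (any(c.offsite for c in copies),
                      ", ".join(c.name for c in copies if c.offsite) or "none"),
        "1 offline/immutable": (any(c.offline or c.immutable for c in copies),
                                ", ".join(c.name for c in copies if c.offline or c.immutable) or "none"),
        "0 errors": (bool(copies) and all(c.verified_ok for c in copies),
                     ", ".join(c.name for c in copies if not c.verified_ok) or "all verified"),
    }


def failing_rules(copies):
    """Names of the rules the inventory does not meet, in 3-2-1-1-0 order."""
    return [rule for rule, (ok, _) in evaluate_3_2_1_1_0(copies).items() if not ok]


def compliant(copies):
    return not failing_rules(copies)


# constructed inventories
GOOD = [
    BackupCopy("prod-repo", "disk", offsite=False, verified_ok=True),
    BackupCopy("hardened-repo", "disk", offsite=False, immutable=True, verified_ok=True),
    BackupCopy("s3-objectlock", "object", offsite=True, immutable=True, verified_ok=True),
]
# only the two on-site disk copies: no third copy, single media, nothing off-site
WEAK = GOOD[:2]
# same as GOOD, but the off-site copy was never restore-tested
UNTESTED = GOOD[:2] + [BackupCopy("s3-objectlock", "object", offsite=True, immutable=True)]

if __name__ == "__main__":
    for label, inv in (("GOOD", GOOD), ("WEAK", WEAK), ("UNTESTED", UNTESTED)):
        print(label, "compliant" if compliant(inv) else f"gaps: {failing_rules(inv)}")
```

The UNTESTED case is the one that is easy to overlook in practice: an immutable off-site copy satisfies every count in the rule, yet the trailing 0 is only met once that copy has actually been restored and verified.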

Second, protect your backup server and integrate:

  • Trusted repository storage.
  • Offline backup (tape, for example Quantum Active Vault) or Dell EMC Cyber Recovery (air-gapped backup through a sanctuary).
  • Immutable storage: the Immutable Backup feature, Retention Time-Lock with ExaGrid, Retention Lock with Dell EMC DataDomain, the Snapshot feature in Quantum’s DXi appliance, HPE StoreOnce with Data Immutability, or Object Lock with an object storage solution such as Dell EMC ECS, DataCore SWARM or Wasabi, etc.
  • Hardening of the server, storage and OS.
  • Snapshot protection such as Pure Storage Safe Mode or Dell EMC Secure Snap.
  • A maintained hierarchy of access rights, Zero Trust, and network security (segmentation, a VLAN dedicated to backup components).
  • A backup environment that is not integrated into the domain (100% of attacks exploit a weakness in Active Directory).
  • Password hygiene: take care of your local accounts and segment your passwords into different password management tools (especially local accounts and CISO/Security Officer accounts). Never leave your password management tool open on your workstation, and never store it on file servers.
  • Two-factor authentication on management interfaces (storage hardware, appliances, etc.).
  • Protect your NTP.
  • Anonymize the names of backup servers, repositories and service accounts.
  • Create a honeypot backup environment and fake backup service accounts without permissions (svc_backup, and the equivalent for every backup vendor), then monitor them with a real-time AD alerting solution (such as Netwrix, Varonis or Tenable.AD), together with systemic network monitoring aimed at spotting abnormal network behavior. This may significantly reduce the chances of Pay successfully removing backups.

The secure backup solutions and mitigations listed will enable any potential victim to leave Pay without their demanded ransom money. Keep in mind that backup is a building block of the cybersecurity ecosystem.

It is still worth trying to check more backup files, but it comes down to the time needed to get the headers and check them, with a chance that something can be restored from there, against the time that could instead be spent rebuilding the infrastructure.

You can get the headers of multiple files; the backup solution vendor can check all of them.


Offline versus Immutable Backups: Blog Post
Cuba ransomware and Veeam CVE-2023-27532: Blog Post
Akira ransomware infection routine: Blog Post
2023 Ransomware Trends Report
Play ransomware infection routine: Blog Post
New Veeam v12 Platform Overview: Blog Post
Veeam v12 Linux Without SSH And SUDO: Blog Post
Hardened Repository in Veeam v12: Blog Post
Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
VeeaMover in v12: Blog Post
Ransomware & Cybersecurity with Veeam v12: Blog Post
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] VeeamUser Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post
Protect your Backup against Ransomware: Blog Post
