Cybercrime groups (ransom cartels) specifically target backup solutions to ensure that the victim has no option other than paying the ransom. The Conti group (which operates like a ransom cartel) is particularly methodical in developing and implementing backup removal techniques (on-premises and cloud). The full analysis is available here and is based on actual proactive victim breach intelligence and the subsequent incident response (not a simulated or sandbox environment). A defense-in-depth strategy is the solution, and it concerns your backup environment: backups are now target number 1. Discover in this blog post the defense approach against ransomware with Veeam B&R version 12 (Ransomware & Cybersecurity with Veeam v12).
First, the following measures may significantly reduce the chances of Conti successfully removing backups:
- Protect your backup server and integrate Trusted Repository Storage, offline backup (tape, for example Quantum Active Vault) or Dell EMC Cyber Recovery (air-gapped backup through a sanctuary), or immutability (Veeam Immutable Backup feature, Retention Time Lock with ExaGrid, Object Lock with an object storage solution such as Dell EMC ECS or Wasabi, etc.).
- Hardening (server, storage, OS, etc.).
- Maintain a developed protocol of access rights hierarchy, Zero Trust, and network security (segmentation, a VLAN dedicated to backup components).
- Keep the backup environment out of the domain (100% of attacks exploit a weakness of the Active Directory), and apply password hygiene.
- Anonymize the names of backup servers and repositories, and the names of service accounts.
- Create a honeypot backup environment, and create fake backup service accounts without permissions (svc_veeam / svc_backup), then monitor them with a real-time AD alerting solution (such as Netwrix, Varonis, Tenable.AD).
- Systemic network monitoring aimed at spotting abnormal network behavior.
Secure backup solutions and the mitigations listed will enable any potential victim to walk away from Conti without paying the demanded ransom. Keep in mind that backup is a building block of the cybersecurity ecosystem.
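As an added illustration of the decoy service account idea above (example code, not Veeam's or the post author's), the script below creates the svc_veeam / svc_backup decoys with no group memberships and then sweeps the domain controller Security log for any authentication activity that names them; since nothing legitimately uses these accounts, every hit is a high-confidence lead. It assumes the ActiveDirectory module on a domain controller, and the OU path and the one-hour lookback are placeholders.

```powershell
# Added example: decoy backup service accounts plus a Security-log sweep.
# Assumes the ActiveDirectory module; $OU is a placeholder to adapt.
Import-Module ActiveDirectory

$DecoyNames = @('svc_veeam', 'svc_backup')           # names an intruder would look for
$OU         = 'OU=ServiceAccounts,DC=example,DC=local' # placeholder OU

foreach ($name in $DecoyNames) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        # Long random password, default Domain Users membership only, no
        # delegation and no real rights: the account has nothing to offer.
        $bytes = [byte[]]::new(32)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-ADUser -Name $name -SamAccountName $name -Path $OU `
            -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
            -Description 'Veeam backup service account'   # plausible bait text
    }
}

# 4768/4771: Kerberos TGT request / pre-auth failure, 4776: NTLM validation,
# 4625: failed logon. Any of these naming a decoy means someone enumerated or
# tried the account. Lookback window is an assumption; run it on a schedule.
$since = (Get-Date).AddHours(-1)
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771, 4776, 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Source field differs per event ID: IpAddress, Workstation or WorkstationName.
        $src = @($data['IpAddress'], $data['Workstation'], $data['WorkstationName']) |
               Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Target = ($data['TargetUserName'] -replace '@.*$', '')   # strip UPN suffix
            Source = $src
        }
    } | Where-Object { $DecoyNames -contains $_.Target }

if ($hits) {
    $hits | Format-Table -AutoSize
    # Forward to the SIEM / ticketing system here: a decoy hit is high-confidence.
}
```

Pair this with the commercial AD alerting tools mentioned above if you have them; the script is a minimal stand-in that shows which events to watch.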
Secure Backup is your last line of defense:
- Backup: Trusted Immutability, Backup Verification and the 3-2-1-1-0 Rule.
- Recovery: Instant Recovery at Scale, Secure Restore and DR Orchestration.
Defense-in-depth – targets to protect (in a Veeam environment the main attacker targets are the Veeam B&R server and the repositories):
Veeam B&R v12 new security features:
- MFA – Veeam is upping its security game by implementing Multi-Factor Authentication (MFA) and Group Managed Service Accounts (gMSA). Enable auto logoff.
- Best Practice Analyzer – Checks the RDP and Remote Registry services, the Windows firewall, immutability, MFA, and credential password protection.
Veeam ONE v12 new security report:
- Enhanced support for VBR – Immutability – A brand-new report called “Immutable workloads” assesses the entire environment against immutability best practices and shows the detailed list of workloads and restore points with their immutability status.
Last advice from Veeam support:
How to recover? The first 48 hours are crucial:
- CERT or insurer: Get experts on the phone fast to assess what should be considered.
- Forensics expert: Assess the damage caused by the third party and whether the attacker is still in the infrastructure.
- Law enforcement: Make sure the correct law enforcement bodies have been notified.
- Backup vendor: The current state of the backups is crucial for recovery, and for the forensics experts to find potential entry points.
- Partners with knowledge: Recovering from a ransomware attack is a marathon, not a sprint! Make sure you help your IT departments with strong partners (such as Monaco Digital and Monaco Cyber Securité, for example).
Note: Veeam has an Incident Response team named “SWAT” (very powerful) that can work alongside the forensics stream during a crisis.
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] Veeam User Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post
Protect your Backup against Ransomware: Blog Post