7 tips to prevent ransomware attacks on backup storage


7 tips to prevent ransomware attacks on backup storage Joe Marton Senior Systems Engineer joe.marton@veeam.com

Tip #1: Use special credentials for backup storage/backup job

Tip #1: Use different credentials for backup storage
Worst practice: using DOMAIN\Administrator for everything
Best practice: using DOMAIN\backup-administrator (a dedicated account with all the privileges needed to complete a successful backup)
The username context that is used to access the backup storage should be closely guarded and used exclusively for that purpose. Additionally, no security context other than the account(s) needed for the actual backup operations should be able to access the backup storage. Always consider authentication in the design and implement as much separation as possible from production workloads!
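One way to check the separation described above, as an added example that is not part of the original slides: a Python audit of `icacls` output for a repository folder that reports every principal other than the dedicated backup account. The path D:\Backups, the sample ACL and the decision to allow SYSTEM are assumptions made for the example.

```python
import re

# Principals expected on the repository. DOMAIN\backup-administrator is the
# page's example account; allowing SYSTEM is an assumption of this example.
ALLOWED = {r"domain\backup-administrator", r"nt authority\system"}

# Simple icacls rights that allow changing or deleting backup files.
WRITE_RIGHTS = {"F", "M", "W", "D"}

ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

# Constructed sample in the layout that `icacls D:\Backups` prints.
SAMPLE = r"""
D:\Backups NT AUTHORITY\SYSTEM:(OI)(CI)(F)
           BUILTIN\Administrators:(OI)(CI)(F)
           DOMAIN\backup-administrator:(OI)(CI)(M)
           DOMAIN\Domain Users:(OI)(CI)(RX)
           DOMAIN\Administrator:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_aces(text, path):
    """Yield (principal, flags) for each ACE line in icacls output."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            yield m.group("who"), re.findall(r"\(([^)]*)\)", m.group("flags"))

def audit(text, path):
    """Return (principal, 'write' | 'read') for every ACE outside ALLOWED."""
    findings = []
    for who, flags in parse_aces(text, path):
        if who.lower() in ALLOWED:
            continue
        rights = {r for group in flags for r in group.split(",")}
        level = "write" if rights & WRITE_RIGHTS else "read"
        findings.append((who, level))
    return findings

if __name__ == "__main__":
    for who, level in audit(SAMPLE, r"D:\Backups"):
        print(f"{level:5}  {who}")
```

Only the simple rights letters (F, M, RX, R, W, D) are interpreted; group membership of the flagged principals still has to be resolved separately.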

Tip #2: Utilize an offline storage

Tip #2: Utilize an offline storage
Media type: Characteristic
Tape: Completely offline when not being written to or read from
Replicated VMs: Powered off and in most situations can be on a different authentication framework (ex: vSphere and Hyper-V hosts are on a different domain)
Primary storage snapshots: Can be used as recovery techniques and usually have a different authentication framework
Cloud Connect backups: Not connected directly to the backup infrastructure and uses a different authentication mechanism along with a different API
Rotating hard drives (rotating media): Offline when not being written to or read from
Cloud Connect has different credentials, and it is also not a CIFS/SMB or NFS share, so it is very hard for malware to exploit even when credentials are compromised.

Tip #3: Leverage different file systems for backup storage

Tip #3: Leverage different file systems for backup storage
Example: any Linux-based repository (ext3, ext4, etc.) with a different authentication framework
Dell EMC DataDomain: Using DDBoost or NFS mount
HPE StoreOnce: Using Catalyst
ExaGrid: Using native Veeam agent
Linux server with JBOD: Using NFS mount
Having different protocols involved is a good way to prevent ransomware propagation.

Tip #4: Take storage snapshots on backup storage if possible

Tip #4: Take storage snapshots on backup storage if possible
Storage snapshots can be used as a “semi-offline” technique for primary storage, and the same goes for backup storage. If the storage device holding backups supports this capability, it may be worth leveraging it.
[Diagram labels: Veeam Backup Server, Backup Repository, Storage, Storage Volume, Volume Snapshot]

Tip #5: Master 3-2-1-1 Rule

Tip #5: Master the 3-2-1-0 Rule
3 different copies of data
Different media
1 of which is off-site (cloud)
Is offline
No errors after backup recoverability verification
The 3-2-1 rule states to have three different copies of your data, on two different media, one of which is off-site. And it’s a good idea to add another “1” to the rule where one of the media is offline. The offline storage options listed above highlighted a number of options where you can implement an offline or semi-offline copy of the data.

Tip #6: Have visibility into suspicious behavior

Tip #6: Have visibility into suspicious behavior
Use monitoring software to automatically detect suspicious VM behavior.
Example: Pre-defined alarm “Possible ransomware activity” in Veeam ONE 9.5. This alarm triggers if there are a lot of writes on disk and high CPU utilization.
One of the biggest fears with ransomware is that it may propagate to other systems. Having visibility into potential ransomware activity is a big deal. Use software alerts to detect this.

Tip #6: Have visibility into suspicious behavior “Possible ransomware activity” alarm in Veeam ONE 9.5
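The alarm condition described above (a lot of disk writes together with high CPU utilization), as an added example that is not Veeam ONE's own logic: a Python detector that fires only when both signals stay elevated over several samples. The thresholds, the per-VM baseline approach, the VM names and the metric samples are all assumptions constructed for the example.

```python
from statistics import median

# Assumed values for this example; not Veeam ONE's actual thresholds.
CPU_PCT = 70.0       # "high CPU utilization"
WRITE_FACTOR = 5.0   # "a lot of writes" = 5x the VM's own baseline
SUSTAIN = 3          # consecutive samples that must match
BASELINE_N = 4       # leading samples used to learn the baseline

# Constructed per-VM samples: (minute, cpu_pct, disk_write_mbps).
FLEET = {
    # one-sample spike: should not alarm
    "web01": [(0, 12, 4), (1, 15, 5), (2, 11, 4), (3, 14, 6),
              (4, 90, 80), (5, 35, 6), (6, 13, 5), (7, 12, 4)],
    # heavy writes but moderate CPU (e.g. a bulk load): should not alarm
    "sql01": [(0, 30, 20), (1, 28, 22), (2, 35, 18), (3, 31, 21),
              (4, 40, 150), (5, 38, 160), (6, 42, 155), (7, 33, 20)],
    # sustained heavy writes and high CPU: should alarm
    "fs01":  [(0, 10, 3), (1, 12, 4), (2, 9, 3), (3, 11, 5),
              (4, 85, 60), (5, 92, 75), (6, 95, 80), (7, 96, 82)],
}

def detect(samples):
    """Return the minute at which the alarm fires for one VM, or None."""
    if len(samples) <= BASELINE_N:
        return None                      # not enough history to judge
    baseline = median(w for _, _, w in samples[:BASELINE_N])
    write_limit = WRITE_FACTOR * max(baseline, 1.0)  # floor for idle VMs
    streak = 0
    for minute, cpu, write in samples[BASELINE_N:]:
        if cpu >= CPU_PCT and write >= write_limit:
            streak += 1
            if streak >= SUSTAIN:
                return minute
        else:
            streak = 0                   # both signals must be continuous
    return None

def scan(fleet):
    """Map VM name -> alarm minute for every VM that triggers."""
    hits = {vm: detect(samples) for vm, samples in fleet.items()}
    return {vm: minute for vm, minute in hits.items() if minute is not None}

if __name__ == "__main__":
    for vm, minute in scan(FLEET).items():
        print(f"possible ransomware activity on {vm} at minute {minute}")
```

The baseline here is learned from the first samples of the same series, so it is only meaningful when those samples come from a period known to be clean.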

Tip #7: Let the Backup Copy Job do the work for you

Tip #7: Let the Backup Copy Job do the work for you
The Backup Copy Job is a great mechanism to have restore points created on different storage and with different retention rules than the regular backup job. When the previous points above are incorporated, the backup copy job can be a valuable mechanism in a ransomware situation because there are different restore points in use with the Backup Copy Job.

Tip #7: Let the Backup Copy Job do the work for you
Veeam Backup Copy Job for CIFS share in action: if you have instructed Veeam Backup & Replication to automatically select the gateway server, Veeam Backup & Replication will use the Data Mover Services deployed on the backup server. If you have explicitly defined the gateway server, Veeam Backup & Replication will use the source Veeam Data Mover Service on the gateway server in the source site and target Veeam Data Mover Service on the gateway server on the target site.
[Diagram labels: Backup Server, Data Mover Service, VM restore point, Source Backup Repository, Gateway Server, Target Backup Repository]
