Veeam Ransomware Best Practices

7 Practical tips to prevent ransomware attacks on backup storage

Ransomware is a real threat and it’s not just a problem with your PC. Veeam has seen customers and partners come across ransomware in many situations, including the data center. Recovering from backups is an important aspect of being resilient against ransomware. This is the level of availability you need in case things go wrong or ransomware becomes an issue in your data center. These are some tips that I have prepared for you to include in your Veeam designs. Are you not yet using Veeam? You don’t have to worry – you can follow this advice and put it into practice.

It is important to remember that no single strategy will protect your backup infrastructure against ransomware. This is a list of options that you can choose from and which you can use as you wish.

1. Backup storage can be done with different credentials

This is a good practice that can be used in all situations, but it is even more crucial in this ransomware era. It is important to keep the username context used to access backup storage secure and only used for this purpose. Other security contexts should not be able to access the backup storage except the one(s) required for actual backup operations. Please don’t use the domain administrator to do everything.

For smaller environments, some designs do not have Veeam infrastructure connected to the domain. Others connect to the domain for backup tools. This is why it is important to include authentication in your design and keep production workloads as separate as possible.

2. As part of the Availability strategy, offline storage should be considered

Offline storage is one of the best ways to protect against ransomware encryption propagation to backup storage. Veeam offers a variety of offline and semi-offline storage options.

Media Characteristics
Tape Completely offline if not being written from or read from.
Replicated VMs Powered off can be a different authentication scheme in most cases (for example, Hyper-V and vSphere hosts are on a separate domain).
Storage snapshots from primary storage These can be used to recover files and have a different authentication structure.
Cloud Connect backups It is not directly connected to the backup infrastructure and uses a different authentication method.
Rotating hard drives (rotating media) Online if not being written to.

3. Use different file systems to backup your data

Another way to stop ransomware spreading is to have different protocols. Veeam customers have been advised by me to make backups of storage that use different authentication. Backups of important things, such as domain controllers, are the best examples. If the storage that contains the backups is not an Active Directory authenticated storage resource, it can cause problems if the domain controller needs to be completely restored.

A Linux system that functions as a repository is an excellent example. Veeam backups or restores can be authenticated using Linux authentication. Ransomware spread risk is lower. Ransomware exists on other operating systems. This extra step can protect the backup storage between operating systems.

  • Data Domain deduplication appliances using DDBoost (or NFS mount when not DDBoost-enabled, though DDBoost is recommended)
  • Hewlett Packard Enterprise (HPE) StoreOnce deduplication appliances using Catalyst
  • ExaGrid deduplication appliances using the native Veeam agent
  • NFS mounts on a Linux Server that acts as a backup repository

These types will require a different security context to access the Veeam processes. They are displayed in the user interface, as shown below.

4. If possible, take storage snapshots on backup storage

Storage snapshots are what I refer to as a “semi offline” method for primary storage. However, if the storage device that holds backups supports this capability, it might be worth leveraging it to protect against ransomware attacks.

5. Use the 3-2-1-1 Rule

We at Veeam have been promoting the 3-2-1 rule a lot. No really, I mean a lot. According to the 3-2-1 rule, you should have three copies of your media on two media. This rule is ideal because it can be used to address almost any failure scenario, and does not require any special technology. It’s a smart idea to add “1” to the rule when one of the media is offline in the ransomware era. There are many options for offline storage.

To implement an offline component, you may not have to reconfigure the entire installation. These options can be added to existing designs.

. 6. Have visibility into suspicious behavior

Ransomware can spread to other systems, which is one of the greatest fears. It is important to have visibility into any ransomware activity. Veeam ONE 9.5 now has a pre-defined alarm, “Possible Ransomware Activity.” This alarm will activate if there is a lot on disk or high CPU usage.

7. The Backup Copy Job will do all the hard work

The Backup Copy Job allows you to create restore points on different storage locations and with different retention rules than the regular backup job. The Backup Copy Job can be useful in ransomware situations when the above points are taken into consideration. Many restore points can be used with it.

Backup Copy Job is capable of reading backups from a repository and creating restore points for new storage. If you choose to add a Linux server as an additional storage device to your infrastructure, the Backup Copy Job will be created.

Plan for vigilance and design for resilience

There are many ways to stop ransomware from encrypting backups. Hopefully, one of the tips above can be applied in your environment. Are you a designer with some tips for making your backup infrastructure resilient? Please share your ideas below!