7 Practical Tips To Prevent Ransomware Attacks on Backup Storage
The ransomware threat is real and it’s much more than just a PC problem. Here at Veeam, we see customers and partners encounter ransomware in a number of situations including the data center. One important part of being resilient to ransomware is being able to recover from backups. That’s the Availability you want when things don’t go as planned, should ransomware become an issue in your data center. Here are a number of tips I’ve prepared to incorporate into your designs, both new designs and existing designs using Veeam. Not using Veeam yet? No worries, you can take this advice and implement it accordingly.
Additionally, it’s important to note that there is no one-size-fits-all strategy to protect your backup infrastructure from ransomware. The goal here is to provide options which you can implement as you see fit.
Use different credentials for backup storage
This is a generic best practice and in the ransomware era it’s more important than ever. The username context that is used to access the backup storage should be very closely kept and used exclusively for that purpose. Additionally, other security contexts shouldn’t be able to access the backup storage other than the account(s) needed for the actual backup operations. Whatever you do, please don’t use DOMAINAdministrator for everything!
Some designs have the Veeam infrastructure not joined to the domain (for smaller environments) and for larger environments joined to a domain dedicated for tools like backup. The takeaway here is to consider authentication in the design and implement as much separation as possible from production workloads.
Have offline storage as part of the Availability strategy
One of the best defenses against propagation of ransomware encryption to the backup storage is to have offline storage. There are a number of offline (and semi-offline) storage options for Veeam, explained below:
|Tape||Completely offline when not being written or read from.|
|Replicated VMs||Powered off and in most situations can be a different authentication framework (for example, vSphere and Hyper-V hosts are on a different domain).|
|Storage snapshots of primary storage||Can be used as recovery techniques and usually have a different authentication framework.|
|Cloud Connect backups||It’s not connected directly to the backup infrastructure and uses a different authentication mechanism.|
|Rotating hard drives (rotating media)||Offline when not being written to or read from.|
Leverage different file systems for backup storage
Having different protocols involved can be another way to prevent ransomware propagation. I have long advised Veeam customers to put some backups on storage that uses different authentication. The best examples here are backups of critical things like a domain controller. In the unlikely event that a domain controller would need to be fully restored, there can be an issue if the storage containing the backups is an Active Directory authenticated storage resource.
The good example here is a Linux system functioning as a repository. This authentication for Veeam backups and restores can be made over Linux authentication and by using a different file system (ext3, ext4, etc.) the propagation risk of ransomware is reduced. Ransomware does exist on other operating systems, to be clear. This additional step however can be a protection for the backup storage between operating systems.
Here are a few examples of backup storage using different file systems (and different authentication):
- Data Domain deduplication appliances using DDBoost (or NFS mount when not DDBoost-enabled, though DDBoost is recommended)
- Hewlett Packard Enterprise (HPE) StoreOnce deduplication appliances using Catalyst
- ExaGrid deduplication appliances using the native Veeam agent
- NFS mounts in a Linux Server functioning as a backup repository
These types will use a different security context for access by the Veeam processes, they are shown in the user interface as shown below:
Take storage snapshots on backup storage if possible
Storage snapshots were mentioned above as what I call a “semi-offline” technique for primary storage, but if the storage device holding backups supports this capability it may be worth leveraging to prevent ransomware attacks.
Start using the 3-2-1-1 Rule
Have visibility into suspicious behavior
One of the biggest fears of ransomware is that it may propagate to other systems. Having visibility into potential ransomware activity is a big deal. In Veeam ONE 9.5, there is a new pre-defined alarm called “Possible ransomware activity.” This alarm will trigger if there are a lot of writes on disk and high CPU utilization.