What Veeam is doing to help protect you from ransomware like WannaCry
WannaCry Outcry
This week ransomware got even nastier, with new levels of proliferation. Being around a bunch of storage and availability experts this upcoming week at VeeamON is great timing and should make for some interesting conversations, even if this particular attack is mostly hitting older versions of Windows.
Not sure what this WannaCry is? First, have a look at the Wikipedia page:
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting Microsoft Windows. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.
...
WannaCry is believed to use the EternalBlue exploit, which was put into open access by Wikileaks, and was allegedly developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems.
Next, have a brief listen to Patrick Norton on May 12th's DTNS here, while reading:
- WCry is so mean Microsoft issues patch for 3 unsupported Windows versions
  Decommissioned for years, Windows XP, 8, and Server 2003 get emergency update.
  May 13 2017 by Dan Goodin at Ars Technica
- Massive ransomware attack hits UK hospitals, Spanish banks
  Ransomware attack appears to be targeting institutions in several European countries.
  May 12 2017 by Sebastian Anthony at Ars Technica
What is Veeam doing to help you protect yourself?
Blunt blog posts
What does VEB (Veeam Endpoint Backup FREE) try to do to mitigate the risk? First and foremost, they hit the topic head-on here:
- Avoid data loss: Veeam Endpoint Backup vs. CryptoLocker
  Sep 14 2015 by Mike Resseler at Veeam
- 7 Practical tips to prevent ransomware attacks on backup storage
  Dec 05 2016 by Rick Vanover at Veeam
Backup to removable hard disk
Next, there's VEB 1.5's introduction of automatic detachment of a USB drive when done, see:
- Veeam Endpoint Backup FREE 1.5 is here!
Mar 17 2016 by Mike Resseler at Veeam
My use case is backing up a distant uncle's laptop, where there is no network share or NAS to back up to. Instead, he's using a local USB attached hard drive. This sort of backup method is a nice start, but it has its limitations, see VEB 1.5: Eject removable storage & no need to unplug:
by Gostev » Thu Mar 24, 2016 6:44 pm
From what I remember, we planned and even implemented the option to auto-mount, but mounting did not work reliably enough for including this feature into the release, and the issue was not due to our bugs (there's very little code required anyway). Maybe Dima can provide more details on what exactly did not work.
When automatic USB disconnect is enabled, VEB 1.5 requires the user to physically unplug then plug in again after each backup for the next backup to happen.
I've also been experimenting with auto-VPN reconnect for one of my VEB-on-Dell-XPS15-equipped sons away at college, but recent data caps implemented by Cox here in Connecticut make such personal cloud schemes challenging. Argh. Even better would be scheduled VPN used just for backup windows, see more product feedback/ideas here.
Backup to network share
Then there's VEB's approach to network shares/CIFS/SMB, explained by Anton Gostev Feb 24 2016 here:
Backup from VEB to Veeam backup repository is done through the proprietary protocol. There is no need to open up ports for SMB traffic between EP client and VBR server, as SMB traffic only flows between the gateway server specified in shared folder repository setting, and the share. While source data mover (running on the endpoint) and target data mover (running on the gateway server) chat with each other using the proprietary protocol. So, you're safe until someone builds CryptoLocker that is specifically designed to attack Veeam repositories.
Veeam Agent for Microsoft Windows
Next up, it's the renamed and updated new version, still free, see:
with Anton Gostev's forum announcement here. We'll have to see what changes are made when that becomes GA very soon.
Veeam Repositories
Finally, there's Veeam Availability Suite including Veeam Backup & Replication, which VEB and Veeam Agent physical systems can use as a backup target. It seems to offer the same advantages of avoiding SMB attacks, and allows centralized daily backup management.
I'm sure ransomware will work its way into multiple presentations that I'm headed to this week.
Closing thoughts
Ultimately, it's up to you, the IT Pro typically holding the responsibility for trying to keep your family and friends reasonably safe. That's quite a challenge. At least Veeam is trying to help you in this difficult task, and offers IT Pros the needed bits to test for themselves, with no time-bomb.
May 14 2017 Update
Check out this excerpt from Anton Gostev's famous weekly newsletter that came out on May 14 2017:
Veeam Community Forums Digest May 8 - May 14, 2017
THE WORD FROM GOSTEV
So, all hell broke loose with NSA exploits-based ransomware impacting all businesses worldwide (including my cellular operator), just like I've predicted in this very digest 3 weeks ago. But honestly, it was easy to see coming. I hope all of you are safe having received the advanced warning, and this will teach the rest to subscribe to Veeam forums digest! One thing I did not expect is Microsoft releasing patch against ETERNALBLUE exploit for all unsupported systems including Windows XP, which speaks highly on the caliber of this threat. This mess deserves the dedicated digest, but unfortunately I have over 9000 other deliverables to work on with VeeamON starting in just 2 days, so I have to keep this one short. Although from another perspective, these events are quite "fortunate" for Veeam, as it's hard to imagine a better lead into the World's Premier Availability Event (that is according to the banners in MSY airport, where I've just landed).
May 15 2017 Update
While this particular wave of ransomware is affecting older Windows versions, there have been plenty of ransomware attacks on modern OSs through to Windows 10 as well, such as CryptoLocker. Phrasing of opening paragraph adjusted accordingly.
May 18 2017 Update
Took some pics here at VeeamON 2017.
Jun 13 2017 Update
See several whitepapers at the Veeam Resource Library:
Yes, tape is still your best recourse to gain true air-gapping; just having a Linux-based repository isn't quite enough.
See also at TinkerTry
- VeeamON 2017 has some remarkable technologists, and I'll be there!
  May 13 2017
- All articles featuring Veeam.
- Veeam Availability Suite 9.5 NFR license now available to certified IT Pros, vSphere 6.5 support coming soon
  Nov 22 2016, with full vSphere 6.5 support arriving Jan 20 2017.
- There's one weekly newsletter that any VMware or Hyper-V professional will enjoy, already has 35,218 subscribers
  Oct 13 2015
See also
- What you need to know about the WannaCry Ransomware
  WannaCry ransomware spreads aggressively across networks, holds files to ransom.
  May 12 2017 by Symantec Security Response
- Configuration for VMware VSAN
  www.veeam.com/kb2273
  Apr 05 2017 by Veeam
- Virtual Appliance Mode for VMs on VSAN
  Apr 04 2017 at Veeam
- How to protect your data from ransomware and encryption Trojans
  Aug 15 2016 by Marco Horstmann at Veeam
- Veeam Backup & Replication 7.0 Patch 4: VSAN support!
  Jun 05 2014 by Luca Dell'Oca at Veeam
Disclosure
TinkerTry.com, LLC is not a Veeam Pro Partner, but I am a Veeam Vanguard Program member who received travel assistance getting to VeeamOn 2017. Veeam has been an advertiser on many virtualization sites for years now, and Veeam is currently running a BuySellAds-purchased advertisement along the top of TinkerTry as well. All TinkerTry advertisement goes through third party BuySellAds. None of my articles are sponsored posts, and there are currently no affiliate links for Veeam Endpoint Backup FREE, or any of their other products. There are no commissions for any Veeam products folks buy after reading one of my articles.
TinkerTry takes extreme care to protect visitors by using only one ad network, BuySellAds, which has never had a security issue to date, and is very commonly used in the virtualization blogger community. Their CEO seems to get what's going on with ad blockers, evident in his recent post. I regularly receive lucrative offers from various companies looking to have me inject JavaScript trackers into TinkerTry, which I of course turn down.
I reserve and exercise the right to freely write about topics that I choose, whenever I choose to, an essential part of what makes blogging about home virtualization labs, storage, and backup so much fun for me. I tend to feature articles about stuff I actually use.