What Veeam is doing to help protect you from ransomware like WannaCry

Posted by Paul Braren on May 13 2017 (updated on Jun 13 2017) in
  • Backup
  • Windows
  • ESXi
  • VMware
  • Veeam Agent for Microsoft Windows



    WannaCry Outcry

    This week ransomware got even nastier, with a new levels of proliferation. Being around a bunch of storage and availability experts this upcoming week at VeeamON is great timing, should make for some interesting conversations, even if this particular attack is mostly hitting older versions of Windows.

    Not sure what this WannaCry is? First, have a look at the Wikipedia page:

    WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting Microsoft Windows. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.
    WannaCry is believed to use the EternalBlue exploit, which was put into open access by Wikileaks, and was allegedly developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems.

    Patrick Norton on May 12 2017 DTNS 3029.

    Next, have a brief listen to Patrick Norton on May 12th's DTNS here, while reading:

    What is Veeam doing to help you protect yourself?

    Blunt blog posts

    What does VEB (Veeam Endpoint Backup FREE) try to do, to mitigate the risk? First and foremost, they hit the topic head-on here:

    Backup to removable hard disk

    Next, there's VEB 1.5's introduction of automatic detachment of a USB drive when done, see:

    My use case is backing up a distant uncle's laptop, where there is no network share or NAS to back up to. Instead, he's using a local USB attached hard drive. This sort of backup method is a nice start, but it has its limitations, see VEB 1.5: Eject removable storage & no need to unplug:

    by Gostev » Thu Mar 24, 2016 6:44 pm
    From what I remember, we planned and even implemented the option to auto-mount, but mounting did not work reliably enough for including this feature into the release, and the issue was not due to our bugs (there's very little code required anyway). May be Dima can provide more details on what exactly did not work.

    When automatic USB disconnect is enabled, VEB 1.5 requires the user to physically unplug then plug in again after each backup for the next backup to happen.

    I've also been experimenting with auto-VPN reconnect for one of my VEB-on-Dell-XPS15-equipped sons away at college, but recent data caps implemented by Cox here in Connecticut make such personal cloud schemes challenging. Argh. Even better would be scheduled VPN used just for backup windows, see more product feedback/ideas here.

    Backup to network share

    Then there's VEB's approach to network shares/CIFS/SMB, explained by Anton Gostev Feb 24 2016 here:

    Backup from VEB to Veeam backup repository is done through the proprietary protocol. There is no need to open up ports for SMB traffic between EP client and VBR server, as SMB traffic only flows between the gateway server specified in shared folder repository setting, and the share. While source data mover (running on the endpoint) and target data mover (running on the gateway server) chat with each other using the proprietary protocol. So, you're safe until someone builds CryptoLocker that is specifically designed to attack Veeam repositories.

    Veeam Agent for Microsoft Windows

    Next up, it's the renamed and updated new version, still free, see:

    with Anton Gostev's forum announcement here, will have to see what changes are made when that becomes GA very soon.

    Veeam Repositories

    Finally, there's Veeam Availability Suite including Veeam Backup & Replication, which VEB and Veeam Agent physical systems can use as a backup target. Seems to offer the same advantages of avoiding SMB attacks, and allows centralized daily backup management.

    I'm sure ransomware will work its way into multiple presentations that I'm headed to this week.

    Closing thoughts

    Ultimately, it's up to you, the IT Pro typically holding the responsibility for trying to keep your family and friends reasonably safe. That's quite a challenge. At least Veeam is trying to help you in this difficult task, and offers IT Pros the needed bits to test for themselves, with no time-bomb.

    May 14 2017 Update

    Check out this excerpt from Anton Gostev's famous weekly newsletter that came out on May 14 2017:

    Veeam Community Forums Digest May 8 - May 14, 2017
    So, all hell broke loose with NSA exploits-based ransomware impacting all businesses worldwide (including my cellular operator), just like I've predicted in this very digest 3 weeks ago. But honestly, it was easy to see coming. I hope all of you are safe having received the advanced warning, and this will teach the rest to subscribe to Veeam forums digest! One thing I did not expect is Microsoft releasing [patch against ETERNALBLUE exploit]() for all unsupported systems including Windows XP, which speaks highly on the caliber of this threat.

    This mess deserves the dedicated digest, but unfortunately I have over 9000 other deliverables to work on with VeeamON starting in just 2 days, so I have to keep this one short. Although from another perspective, these events are quite "fortunate" for Veeam, as it's hard to imagine a better lead into the World's Premier Availability Event (that is according to the banners in MSY airport, were I've just landed).

    May 15 2017 Update

    While this particular wave of ransomware is affecting older Windows versions, there have been plenty of ransomware attacks on modern OSs through to Windows 10 as well, such as CryptoLocker. Phrasing of opening paragraph adjusted accordingly.

    May 18 2017 Update

    Tooks some pics here at VeeamON 2017.


    Jun 13 2017 Update

    See several whitepapers at the Veeam Resource Library:

    Yes, tape is still your best recourse to gain true air-gapping, just having a Linux-based repostory isn't quite enough.

    See also at TinkerTry

    See also


    Veeam Vanguard Program.

    TinkerTry.com, LLC is not a Veeam Pro Partner, but I am a Veeam Vanguard Program member who received travel assistance getting to VeeamOn 2017. Veeam has been an advertiser on many virtualization sites for years now, and Veeam is currently running a BuySellAds-purchased advertisement along the top of TinkerTry as well. All TinkerTry advertisement goes through third party BuySellAds. None of my articles are sponsored posts, and there are currently no affiliate links for Veeam Endpoint Backup FREE, or any of their other products. There are no commissions for any Veeam products folks buy after reading one of my articles.

    TinkerTry takes extreme care to protect visitors by using only one ad network, BuySellAds, which has never had a security issue to date, and is very commonly used in the virtualization blogger community. Their CEO seems to get what's going on with ad blockers, evident in his recent post. I regularly receive lucrative offers from various companies looking to have me inject JavaScript trackers into TinkerTry, which I of course turn down.

    I reserve and exercise the right to freely write about topics that I choose, whenever I choose to, an essential part of what makes blogging about home virtualization labs, storage, and backup so much fun for me. I tend to feature articles about stuff I actually use.