Ten recommendations against ransomware incidents from a backup and restore perspective for this year's Holiday Season

Reading Time: 3 minutes

Holiday Season

It’s no secret that many organizations run on skeleton crews to support their infrastructures during holidays. That’s why attackers treat these days as special. With Christmas next week, we can get all the help we can get.

In many attack cycles, restoration of data is usually one of the last steps administrators can take to get their environments back. As a major player in the backup and restore space, Veeam is often used. Here are ten recommendations they recently shared with me to increase the probability of bouncing back after ransomware incidents:

This list is not intended as the ultimate list to counter ransomware. It serves as a list to go from being scared of anything going wrong to feeling more prepared.


1. Follow the 3-2-1 rule

Ultra-resilient copies are the best line of defense. These include the various Veeam Ready Object immutability solutions, the Veeam Hardened Repository (VHR), Veeam Cloud Connect with Insider Protection, Write Once Read Many (WORM) media, and offline, air-gapped media copies on disk and tape.

Veeam supports backups to tapes, but threat actors erase tapes, when they encounter them. Use Write Once Read Many (WORM) media or don’t forget to eject tapes to prevent malicious erasure.


2. Plan for Restores

When choosing where to store the copies, don’t just take the cost and speed for backups to the repositories into account. When performing massive restores, like in the case of a ransomware incident, you may encounter massive egress costs (when storing backups in cloud repositories. Also, it may take more time than anticipated, when the infrastructure is completely optimized for backups.


3. Implement Separate accounts, permissions

Don’t use domain\administrator for all purposes. Implement separate accounts applying segregation of duties (SoD) and the principle of least administrative privileges.


4. Manage your encryption password

Take care of proper encryption of backups. When using Veeam, you can optionally encrypt backups. This password is stored in Veeam Backup & Replication (VBR) and in Enterprise Manager. When these servers are lost, the encryption password may be lost, unless exported. Without the encryption passwords, you can’t restore from backups.


5. Test you restores

Ransomware recovery is not the time to find out about storage corruption. Veaam's Backup and Replication’s built-in SureBackup feature can help identify this problem, so you may correct backups before actually needing them.


6. Have the DR site ready to drive recovery

Build a Disaster Recovery (DR) site before you want to restore. Make sure all the passwords are set, including the encryption password.


7. Monitor job activity

Threat actors are disabling jobs and deleting jobs. Monitoring detects this activity in its early stages. When you no longer receive notifications or alerts, raise a different alert.


8. Use MFA wherever possible

Requiring multi-factor authentication (MFA) to access the backup host is a prerequisite. MFA is coming in Veeam backup & Replication v12. Use it as an additional measure.

Also, limit PowerShell to IP addresses using Windows Firewall or network firewalls.


9. Identify what to restore first

Have an incident response (IR) plan, so you know where to start. The first 48 hours are crucial. Know who to work with, who to contact and who to work with (law enforcement agencies, insurers, IT partners, forensic experts and the backup vendor). Their contact information needs to be available offline.

The plan might include technical activities like disabling internet connectivity, disabling peer connections, remove network cables, but most likely not powering down servers, as some ransomware will start when rebooted.


10. Restore to cloud requires some preparation

When law enforcement agencies, forensic experts and/or your insurer inspects the current systems, your current hardware cannot be used to restore to. Restoring to the cloud is a built-in feature for Veeam products, but it requires some work beforehand. Take care of networking, security accounts, etc.



Enjoy the holidays!

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.