Veeam’s Anomaly Detection for Ransomware

Veeam’s Data Protection Trend report surveyed over 4,000 anonymous companies and found that 85% of organizations have experienced some form of ransomware in the past year. Given that a ransomware attack has a far greater chance of happening than a natural disaster, power outage or other disaster recovery (DR) event, it’s critical that IT organizations plan for quick recovery in the event of ransomware as discussed previously.

A crucial component of a successful and quick recovery is identifying the last known good backup. Without this, organizations can spend countless hours, if not days, attempting to restore data that is already corrupted. The same report found that companies took between one and two weeks on average to recover their data. This is much longer than recovering from other DR events, because much of that time is spent identifying and scanning for the last known clean backup.

Veeam has a three-tier approach to help companies identify the best point-in-time to recover from:

  1. Identify suspicious behavior on your production virtual machines (VMs) running on VMware or Hyper-V
  2. Identify anomalies in underlying backup files
  3. Automatically scan backup files before restoring your machines into production

Identifying Suspicious Behavior on VMs

Making sure there is a recoverable backup is just the first step; it’s also important that you monitor your entire environment for suspicious or unusual activity. Veeam goes beyond looking at backup data for anomalies; it looks at the hypervisor and network level as well. Higher-than-normal disk writes or CPU usage on a VM can be a sign that ransomware has infected the machine. The goal of the alarm is to pinpoint the potentially infected machine before the ransomware can propagate to other systems.

The real value of this alarm, however, is its historical view. It helps you identify when and where ransomware activity likely started and which backups you should start recovering from.

Identifying Anomalies in Backups

Veeam’s Suspicious Backup File Size Analyzer lives up to its name. This alarm identifies patterns in your backup data. It also analyzes backups and looks for large numbers of file and block changes to your data. If an anomaly is detected, an alert will be sent to your system administrators.

This alarm can be easily integrated into Veeam’s main console, thanks to a brilliant script from Steve Herzig! If an anomaly is detected, it will show in the job statistics.

Simply take this script from GitHub and place it in the post-script section of your backup jobs. Specify how many of the previous points in time (PITs) you’d like to analyze in the “Depth” field and what amount of growth should be considered suspicious in the “Growth” field.
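To make the Depth/Growth idea concrete, here is a small, self-contained Python illustration of that kind of check. It is an added example, not Steve Herzig’s script and not Veeam code; it assumes that “Depth” means the number of preceding points in time used as a baseline and that “Growth” is a percentage increase in backup file size over that baseline (both are assumptions about the script’s semantics). The restore points and sizes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RestorePoint:
    """One point in time (PIT) of a backup job: when it was created and
    how large its backup file is, in MB. Constructed for this example."""
    created: datetime
    size_mb: int


def growth_percent(point: RestorePoint, window: list[RestorePoint]) -> float:
    """Growth of `point` relative to the average size of the preceding window."""
    baseline = sum(p.size_mb for p in window) / len(window)
    return (point.size_mb - baseline) / baseline * 100.0


def find_suspicious_points(points, depth=5, growth=50.0):
    """Return (point, growth_pct) for every point whose backup file grew by
    more than `growth` percent over the average of the previous `depth` points.
    `depth` and `growth` mirror the Depth/Growth fields described in the post
    (assumed semantics; the real script may compute this differently)."""
    ordered = sorted(points, key=lambda p: p.created)
    flagged = []
    for i in range(depth, len(ordered)):
        window = ordered[i - depth:i]
        if all(p.size_mb == 0 for p in window):
            continue  # no baseline to compare against
        pct = growth_percent(ordered[i], window)
        if pct > growth:
            flagged.append((ordered[i], round(pct, 1)))
    return flagged


def last_known_good(points, depth=5, growth=50.0):
    """Most recent point created before the first suspicious one, i.e. the
    candidate restore point. Returns the newest point if nothing is flagged."""
    ordered = sorted(points, key=lambda p: p.created)
    flagged = find_suspicious_points(ordered, depth, growth)
    if not flagged:
        return ordered[-1]
    first_bad = flagged[0][0]
    earlier = [p for p in ordered if p.created < first_bad.created]
    return earlier[-1] if earlier else None


# Constructed sample: seven days of ~2 GB incrementals, then sizes jump the
# way they would if most blocks were rewritten (for example by encryption).
SAMPLE_SIZES_MB = [2000, 2100, 1900, 2200, 2000, 2100, 2000, 8500, 9100, 9000]
SAMPLE_POINTS = [
    RestorePoint(datetime(2024, 1, 1) + timedelta(days=i), size)
    for i, size in enumerate(SAMPLE_SIZES_MB)
]

if __name__ == "__main__":
    for point, pct in find_suspicious_points(SAMPLE_POINTS):
        print(f"SUSPICIOUS {point.created:%Y-%m-%d}: {point.size_mb} MB (+{pct}%)")
    good = last_known_good(SAMPLE_POINTS)
    print(f"Last known good restore point: {good.created:%Y-%m-%d}")
```

With the sample data the first three incrementals are within a few percent of their baseline, while the 8,500 MB point on January 8 comes in at roughly 317% growth and is flagged, together with the two points after it; the previous day’s point is reported as the last known good restore point. A rolling average baseline is used so that one larger-than-usual incremental (a patch day, for instance) raises the baseline gradually rather than masking a later jump.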

These first two steps give your business a good idea of which points in time you want to recover from. Without them, ransomware is the worst kind of disaster because of the countless hours or even days spent manually identifying which point in time is best to recover from.

Automatically Scan Backups Before Restoring

Lastly, whether you scan backups for malware proactively or reactively, Veeam can scan your backup files before restoring machines into production. If malware is found, you can either abort the recovery or restore the machine without network access for deeper forensics.

Organizations can use any scanning tool that has a command-line interface (CLI), such as Trend Micro, Bitdefender or Windows Defender. Simply edit the XML file here.

Conclusion

Veeam is on a mission to help customers recover from ransomware. I have personally seen Veeam be the hero many times for organizations that find themselves in trouble. Veeam believes that combining the steps above to identify a clean point in time with the fastest recovery options available in the marketplace is a great recipe for helping IT organizations sleep well at night.
