Veeam Ransomware Detection: Your Early Warning System

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has released a joint advisory with other international partners regarding the People’s Republic of China (PRC) cyber group APT40. The advisory warns that this group poses a current threat not only to Australian networks and citizen data but internationally, including in the United States. The threats posed by APT40 and similar groups affect organisations on a global scale, adding urgency to the need for robust cyber defences capable of detecting and mitigating threats early in their deployment stages. Veeam Data Platform is a leader in this regard: its in-line malware detection and YARA-integrated engine, among other tools, are built to proactively identify and counter the rapidly emerging threats typified by groups like APT40.

APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue to exploit new high-severity and critical vulnerabilities within hours or days of public release.

It is therefore prudent to implement a multi-pronged approach to finding malicious software, since malware finds its way into your network and systems via exploited vulnerabilities. Through EDR/XDR/MDR products, organisations can identify threats as they appear on production systems. Veeam integrates with these cyber security products through the Veeam incidents API, which notifies the Veeam platform when a protected machine has been compromised and pinpoints the last clean backup.

To complement this functionality, Veeam Data Platform makes use of its Suspicious Files and Extensions list functionality. Veeam Backup & Replication’s host communicates with the Veeam Update Server to maintain an updated list of suspicious files and extensions, ensuring environments are always aware of the latest emerging threats. This list is dynamically updated via the Veeam Data Analyzer Service, which checks for updates daily while connected to the internet.

In environments where the Veeam Backup & Replication server can access the internet, the Veeam Data Analyzer Service checks for updates when the service restarts and, by default, once a day. To configure this feature:

  1. Open Veeam Backup & Replication console.
  2. From the menu, select the ‘General Options.’
  3. Click on the ‘Threat Detection’ tab.
  4. Enable ‘Check backups for suspicious files and activities.’
  5. Specify the update options and the data collection level.
  6. Click ‘Apply.’

Enabling ‘Content Indexing’ during backups is another crucial step. With it enabled, the software scans your documents for specific keywords and records them in an index, which allows you to run comprehensive searches for any flagged or suspicious content later. This indexing is performed as part of your backup jobs, so it does not consume extra resources or affect your normal operations.

For environments where internet access is restricted and the server cannot check for updates automatically, an alternative is to manually import the YARA rules into the server. You can download updated YARA rules on any environment that has internet access, then import them into the air-gapped Veeam Backup & Replication server.

Protecting your organization against ransomware attacks involves understanding these functionalities and using them effectively. Veeam’s integration of YARA rules and indexing capabilities reinforces and simplifies this by providing a strong base on which businesses can build a robust security posture capable of turning back even the latest malware.

Many organisations have decided that an internet-connected backup server joined to the production domain is a bad idea and creates an unnecessary security risk. As such, many organisations restrict production servers from accessing the internet altogether.

How can customers add the latest threats and suspicious files to their backup environment, providing ongoing scanning and identification of active or dormant threats, and do it quickly? Veeam makes this process easy, without compromising security, via an alternate method for keeping the Suspicious File List updated without direct internet access.

Let’s take a look at a list of suspicious files that ASD has included as a part of their analysis of APT40.

Now, within Veeam Data Platform’s Malware Detection menu, we can input the specified file names in minutes. This updates the suspicious files engine on the Veeam server so that Veeam identifies those particular files whenever a server is backed up, whether from an image-based backup or from a physical server, for all subsequent backups. In effect, every backup keeps an eye out for malicious files that may be nested in production systems. (Note: This requires backup jobs to have Content Indexing enabled.)

As you can see from the image above, we have configured our Malware Detection Settings, including the file masks that will trigger detection events. We then emulated a threat by creating a file listed above on a test VM and ran a backup job with indexing enabled.

The malware, as expected, was detected by Veeam immediately following a backup. In turn, Veeam sent out an alarm via Veeam ONE and logged a ServiceNow ticket. This included a KB Article and remediation for removal with info from the logs.
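The detection flow described above, modelled as an added example that is not Veeam’s code: a suspicious-file list of file masks is matched against the content index of each restore point, and the first restore point containing a hit is reported together with the last clean one. The masks and restore-point indexes are constructed placeholders, not the ASD indicators from the advisory.

```python
from fnmatch import fnmatch
from dataclasses import dataclass

# Illustrative model of file-mask detection over a backup content index.
# Not Veeam code: a constructed example of the approach described in the post.

@dataclass
class RestorePoint:
    name: str
    paths: list  # file paths captured in this backup's content index

def match_masks(paths, masks):
    """Return indexed paths whose file name matches any mask (case-insensitive)."""
    hits = []
    for path in paths:
        # Normalise Windows and POSIX separators, then compare only the file name
        filename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if any(fnmatch(filename, mask.lower()) for mask in masks):
            hits.append(path)
    return hits

def scan_chain(points, masks):
    """Walk restore points oldest to newest.

    Returns (first suspicious restore point, last clean restore point, hits).
    """
    last_clean = None
    for rp in points:
        hits = match_masks(rp.paths, masks)
        if hits:
            return rp.name, (last_clean.name if last_clean else None), hits
        last_clean = rp
    return None, (last_clean.name if last_clean else None), []

# Constructed masks in the style of a suspicious-file list (placeholders, not real IoCs)
MASKS = ["*.encrypted", "readme_decrypt*.txt", "suspicious_tool.exe"]

# Constructed content indexes for three restore points of one VM
CHAIN = [
    RestorePoint("2024-07-08 22:00", ["C:\\Users\\alice\\report.docx", "C:\\Windows\\explorer.exe"]),
    RestorePoint("2024-07-09 22:00", ["C:\\Users\\alice\\report.docx", "C:\\Temp\\Suspicious_Tool.exe"]),
    RestorePoint("2024-07-10 22:00", ["C:\\Users\\alice\\report.docx.encrypted", "C:\\Users\\alice\\README_DECRYPT.txt"]),
]

if __name__ == "__main__":
    infected, clean, hits = scan_chain(CHAIN, MASKS)
    print(f"first suspicious restore point: {infected}; last clean: {clean}; hits: {hits}")
```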

So, in the minutes following a critical threat notification by the ASD and ACSC, you are able to leverage Veeam Data Platform’s early malware detectors. The expediency of this process casts a crucial safety net over the entire environment and leverages backups to help detect what could be a very expensive threat to your business’s data and platforms.

Veeam’s ransomware detection is quick, accurate, and effective in identifying potential threats by matching patterns and signatures against a vast and continuously updated database of known malware. Veeam’s YARA integration, a gold-standard cybersecurity practice, alerts system administrators in real time to initiate automatic remediation actions tailored to the detected threat. As threat actors will perpetually attempt to compromise systems with malware which then can be used to launch attacks on production environments and backups, having capabilities to detect malware while you create your backups not only prevents future attacks, but also allows you to have clean backups for future successful recovery.

We encourage readers to explore these features more fully to truly understand their capabilities and to stay current in planning for, protecting against, and responding to ransomware threats. Try all Veeam Data Platform security capabilities, including inline malware detection, and you will be a step ahead in the prevention and protection of your data. For more info on ASD’s report on APT40, you can read more here.

Is your organization prepared for a ransomware attack? Find out here.
