Detect & Respond To Ransomware With Veeam ONE
Melissa Palmer
Senior Technologist, VMware Certified Design Expert #236
Kirsten Stoner
Technical Analyst
Contents
Part I: Detect & Respond to Ransomware with Veeam ONE Monitor (p. 4)
Detecting Ransomware (p. 6)
Part II: Detect & Respond to Ransomware with Veeam ONE Reporter (p. 13)
Backup Reporting (p. 16)
About authors (p. 19)
© 2021 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners. 2
Abstract
Veeam® ONE™, part of Veeam Availability Suite™, is a powerful tool that provides proactive alerting,
monitoring and reporting in your environment. Out of the box, Veeam ONE can monitor your environment
for ransomware in several different ways. Veeam ONE can take things a step further by automatically taking
action when an alarm threshold is met.
Veeam ONE is extremely flexible and configurable, allowing for endless possibilities when it comes to
ransomware detection.
In this paper, we take a closer look at these capabilities in Veeam ONE in two parts, based on Veeam
ONE Monitor and Veeam ONE Reporter. Part I examines the capabilities for monitoring and responding to
ransomware in Veeam ONE Monitor.
Part II takes a closer look at the capabilities for reporting on your environment when it comes to ransomware,
including building custom reports in Veeam ONE Reporter.
Part I: Detect & Respond to Ransomware with Veeam ONE Monitor
Making sure there is a recoverable backup is just one step, but it is also important to monitor the entire
environment for suspicious or unusual activity. Being able to identify abnormal behavior over the network, with
backup jobs or even how resources are being used, can contribute to helping stop ransomware in its tracks.
Real-time alerting about backup job success and knowing what impacts the success of backup operations can
be beneficial for any business fighting ransomware or in general. Veeam ONE makes it easy to know the state
of your backup jobs and their status.
With backups being one of the first lines of defense against ransomware, you always want to make sure backup
jobs are successful, but most importantly that you can recover from them. Not only will Veeam ONE let you know if your backup
jobs finished successfully, it will also alert you if there are machines in your environment that are not protected.
The above screenshot shows Veeam ONE Monitor. In this case, we have several machines that are not
protected within our defined RPOs.
Alarms that notify you about a machine’s protection status, along with backup job success or failure, allow you
to ensure you have a backup plan ready and prepared if a ransomware attack occurs.
Veeam ONE can notify on the current state of your backup server, data protection operations and the
connectivity between enterprise manager, proxies, repositories and more. When data is compromised, being
able to get the data back by restoring from a backup is an essential first response plan for any business.
Monitoring backup job success, visibility into the data center and the ability to quickly respond to any issue
affecting backups is just one way you can ensure that you are protected. Veeam ONE even has the
intelligence to look at the data restore points and flag whether data is experiencing abnormal changes or activity.
Detecting Ransomware
One way to detect ransomware and prevent spread is through monitoring your environment for suspicious
activity.
Veeam ONE comes with predefined alarms that check certain counters for suspicious activity. Monitoring
for abnormal activity can help remediate issues or potentially remove machines on the network before
ransomware encrypts more data.
Veeam ONE comes with two out-of-the-box alarms that can identify abnormal levels of resource usage and
high change rate on VMs. These alarms, Suspicious Incremental Backup Size and Potential Ransomware
Activity, monitor your machines in real time and are triggered when their specific resource thresholds are met.
With each alarm in Veeam ONE, there are adjustable baseline counters that you can change based on the
machine it’s assigned to or all the machines in the environment.
If the incremental backup run is significantly different in size, this could indicate the presence of malware on
the machine, which would in turn require further investigation.
By default, the alarm will trigger when the incremental backup size has grown by 150% with a warning and
200% with an error. These counters are adjustable, so you can change them to notify you based on the
percentage change.
This alarm doesn’t just look at VM backup jobs, but also any computers running the Veeam Agent. This alarm
is assigned based on backup infrastructure, so if you have multiple backup servers added in Veeam ONE, you
can have this alarm set for a specific backup server or all. Additional options that can be set for any alarm are
remediation actions, suppression settings and notifications.
If you would like to customize an alarm’s parameters, it is always a good idea to make a copy of the alarm first.
You can have multiple copies of the alarm in your environment configured with different parameters, and they
can be assigned to different Veeam Backup & Replication™ servers as applicable.
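As an added illustration (not Veeam's code and not from this paper), the Python below reproduces the Suspicious Incremental Backup Size check over constructed backup-run data. It assumes the baseline is the mean of a machine's earlier increments and treats the 150% and 200% figures as the current increment's size relative to that baseline; a first run with no history is reported separately rather than alarmed on.

```python
from dataclasses import dataclass
from statistics import mean

# Default thresholds stated in the paper: warning at 150%, error at 200%.
WARN_PCT = 150.0
ERROR_PCT = 200.0


@dataclass
class IncrementRun:
    job: str        # backup job or Veeam Agent job name (constructed sample data)
    machine: str    # VM or agent-protected computer
    size_gb: float  # size of this incremental backup file


def growth_percent(history_gb, current_gb):
    """Current increment as a percentage of the mean of earlier increments.

    Assumption (not from the paper): the baseline is the mean of the machine's
    prior non-empty increments. Returns None when no baseline can be formed.
    """
    prior = [s for s in history_gb if s > 0]
    if not prior:
        return None
    return current_gb / mean(prior) * 100.0


def classify(history_gb, current_gb, warn=WARN_PCT, error=ERROR_PCT):
    """Map one run to the severity an alarm with these thresholds would raise."""
    pct = growth_percent(history_gb, current_gb)
    if pct is None:
        return "no-baseline"   # first run: nothing to compare against yet
    if pct >= error:
        return "error"
    if pct >= warn:
        return "warning"
    return "ok"


def evaluate(runs):
    """Replay runs in order, keeping per-machine history; return the latest severity per machine."""
    history, latest = {}, {}
    for run in runs:
        past = history.setdefault(run.machine, [])
        latest[run.machine] = classify(past, run.size_gb)
        past.append(run.size_gb)
    return latest


# Constructed sample: two VMs in one job plus one computer protected by Veeam Agent.
SAMPLE_RUNS = [
    IncrementRun("Job-Prod-VMs", "web01", 2.0),
    IncrementRun("Job-Prod-VMs", "web01", 2.2),
    IncrementRun("Job-Prod-VMs", "web01", 2.1),
    IncrementRun("Job-Prod-VMs", "web01", 3.3),    # about 157% of baseline -> warning
    IncrementRun("Job-Prod-VMs", "db01", 10.0),
    IncrementRun("Job-Prod-VMs", "db01", 9.5),
    IncrementRun("Job-Prod-VMs", "db01", 40.0),    # about 410% of baseline -> error
    IncrementRun("Agent-Laptops", "laptop07", 0.5),  # first run -> no baseline
]

if __name__ == "__main__":
    for machine, severity in evaluate(SAMPLE_RUNS).items():
        print(f"{machine:10s} {severity}")
```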
The Possible Ransomware Activity alarm watches for higher-than-normal writes on disk or CPU utilization, which could be a sign that ransomware has infected the machine.
The goal of the alarm is to pinpoint the machine that is potentially infected before it can propagate to other systems.
Because these are applied at the Virtual Infrastructure level, you can create copies of this alarm and apply
them at the VM or VM group level via business view rules.
For example, if you are confident in a certain application’s performance profile, you can create a copy of the
Possible Ransomware Activity alarm specifically with those parameters.
Additional parameters can also be added to the alarm as you deem fit by your requirements.
Alarms in Veeam ONE are based on rules, which can have many definitions and parameters. With Veeam ONE
alarm rules, you can monitor most aspects of your virtual machines, and you can have multiple rules per alarm.
When it comes to creating custom alarms to monitor your environment for ransomware, there are many possibilities.
Resource usage is always an interesting area to examine, since in many cases we know how our virtual
machines are expected to behave by looking at their historical performance data in Veeam ONE.
Some examples of resources you can monitor for your virtual machines are:
• CPU usage
• Memory usage
You can also create custom alarms to monitor your vSphere or Hyper-V hosts.
Note: Please see the Complete Alarm Rules for VMware vSphere (https://helpcenter.veeam.com/docs/one/alarms/vsphere_alarm_rules.html?ver=110) and the Complete Alarm Rules for Hyper-V (https://helpcenter.veeam.com/docs/one/alarms/hyperv_alarm_rules.html?ver=110) to see the complete capabilities of what Veeam ONE can monitor.
Let’s take a look at an interesting use case for one of these Rule Trigger Types.
An alarm can be created to monitor the number of running services on your virtual machine. In this case, you
would use the Rule for specific conditions or state, and select Processes and services.
There are a number of rules that can be leveraged when it comes to processes and services:
One interesting thing to monitor is the number of running services. In the event a piece of malware starts
a new service, the alarm would then be triggered in Veeam ONE.
At this point, beyond generating an alert, Veeam ONE could also take action via a remediation action.
One of the most popular Veeam ONE alarm and remediation action combinations is the VM with no backups
alarm. When this alarm is triggered, a number of actions can be configured to execute, such as:
• Start VeeamZIP
These actions can execute automatically or by approval. A remediation action set to By Approval will
need to be approved in Veeam ONE Monitor before it executes.
NOTE: For a complete list of pre-defined remediation actions in Veeam ONE, please see:
https://helpcenter.veeam.com/docs/one/alarms/appendix_remediation.html?ver=110
First, a script that can be executed by Windows must be created to accomplish the action.
After the script has been created, the Actions tab should be configured in the Veeam ONE alarm that will
serve as the trigger:
Depending on how you configured your alarm, decide if you would like to run your remediation
action when the information, warning or error thresholds of the alarm are met. You can also have multiple
remediation actions in an alarm to act on each threshold, or simply to perform multiple tasks.
Then enter the path to the script you would like to execute, and decide if you would like to execute it
Automatically or By Approval.
Veeam ONE remediation actions are flexible and allow Veeam ONE to execute virtually any action that meets
the requirements within your environment.
For example, you may choose to create remediation actions based on the out-of-the-box ransomware alarms
in your environment, or ransomware alarms you created or customized on your own.
Let’s take a look at two possible ways you can respond to ransomware alarms to get a few ideas.
The first example would be to disconnect your VM from the network if a ransomware alarm is triggered. Since
this will impact production, you may want to set this to By Approval, and ensure the alarm is also sending
alerts to your operations team. Your team will then be quickly alerted, and can determine if they want to go
ahead and disconnect the network card for further investigation.
Another example would be to run a preconfigured SureBackup® job with Virus Scan enabled. This would be
non-invasive to your production environment, so you may set a remediation action to automatic, and be sure
your operations team is promptly alerted.
NOTE: For more on configuring a custom remediation action, see the Veeam ONE documentation
https://helpcenter.veeam.com/docs/one/alarms/alarm_actions.html?ver=100
Beyond an alarm being visible in Veeam ONE Monitor, there are a number of notification actions that can be
taken when an alarm is triggered.
• Run script
Configuring the appropriate notifications in your environment ensures you will always be promptly alerted to
suspicious activity in your environment. Multiple notification options can also be configured.
NOTE: For more information on how to configure Veeam ONE alarm notifications, please see the Veeam ONE
documentation.
https://helpcenter.veeam.com/docs/one/alarms/alarm_notifications.html?ver=110
Part II: Detect & Respond to Ransomware with Veeam ONE Reporter
First and foremost is the VM Change Rate History report in the Veeam Backup Monitoring category.
When malware infects a machine, it starts encrypting and changing the data, making it inaccessible. The
VM Change Rate History report wasn’t initially intended for detecting ransomware, but since it looks at how
the machine is changing, specifically the amount of changed data, it can help identify whether abnormal
activity is occurring on the machine. To better understand this report: it analyzes the incremental
run of the backup job. Since Veeam Backup & Replication uses Changed Block Tracking (CBT), it
identifies the blocks of data that have changed and then backs up only those changes. If malware
is installed and changing data, this counter will in most cases be higher than expected.
This report easily identifies the top VMs based on their change rate and drills down to specific backup jobs,
the VMs included and the average change rate of those VMs.
The report above identifies VMs with the highest and lowest change rates based on backup job runs.
The change rates in this report are based on changes occurring on the VM disks, which can help you identify VM
files that are growing steadily.
Veeam ONE contains many different reports that show not only how your machines are changing from a
production viewpoint, in terms of how many resources they are consuming, but also how the backup files are growing.
Since ransomware changes the files on the machine, running multiple reports to analyze the environment can
contribute to pinpointing abnormal behavior.
The Veeam Backup Files Growth report can help with capacity planning for backup repositories, but it can also
allow you to have visibility on how much your backup files are growing. The report can identify backup files
that grow too fast, so you can reconfigure backup jobs as you see fit. However, since it takes a look at how
backup files are growing, it’s important to be aware of how the data is changing and growing to identify what
could be considered abnormal.
Similar to alarms, reports can be set up to be delivered to your inbox, so you can check these reports daily,
tracking VM change rate and growth.
Backup Reporting
We’ve discussed how one of the ways to remain resilient in the fight against ransomware is to ensure your data
is properly protected, so if you were to experience an attack, you can restore from a backup. The Protected
VMs report helps identify machines that are meeting recovery point objectives (RPOs), meaning they have a valid restore
point within the specified time period. Along with identifying those machines that are protected, it shows
which machines are not protected. This report is available for any workload you are using Veeam to protect:
physical, cloud or virtual machines.
Right from the front page of the report, you can see how many of your machines are protected or
unprotected. As you flip through the rest of the report, you can see the names of the VMs and the date of the
last successful job run.
The reporter allows you to build reports based on different parameters, so if the predefined reports included
don’t fit your needs, you can create one. Custom reports allow you to define your own configuration
parameters, performance metrics and filters.
The Backup Infrastructure Custom data report enables you to base the report on your backup objects, such as
backup servers, backup jobs, VMs and computers. For example, say you want a report that tells you whether your virtual
machine has a valid restore point (to make sure you can recover), shows the size of the backup file and
how big its increments are, and lastly confirms that the VM isn’t growing too large. This is easily
configurable in the custom reports section of Veeam ONE Reporter.
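As an added example that is not part of the paper and not Veeam ONE's own report engine, the Python below builds the rows of such a custom report from constructed per-VM data: whether a valid restore point falls inside the RPO, the full backup size, the latest increment size and the VM's growth. The 24-hour RPO, the 30-day growth window and the 25% growth flag are assumed values, not figures from the paper.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class VmBackupState:
    """Per-VM facts a Backup Infrastructure custom report draws on (constructed sample)."""
    name: str
    last_valid_restore_point: Optional[datetime]  # None = never backed up successfully
    full_backup_gb: float
    last_increment_gb: float
    provisioned_gb_now: float
    provisioned_gb_30d_ago: float


def is_protected(vm, now, rpo):
    """True when a valid restore point exists inside the RPO window ending at `now`."""
    if vm.last_valid_restore_point is None:
        return False
    return now - vm.last_valid_restore_point <= rpo


def size_growth_percent(now_gb, before_gb):
    """Provisioned-size growth over the window; 0 when there is no earlier figure."""
    if before_gb <= 0:
        return 0.0
    return (now_gb - before_gb) / before_gb * 100.0


def build_report(vms, now, rpo=timedelta(hours=24), max_growth_pct=25.0):
    """One row per VM with the columns described in the paper, plus a list of flags."""
    rows = []
    for vm in vms:
        protected = is_protected(vm, now, rpo)
        growth = size_growth_percent(vm.provisioned_gb_now, vm.provisioned_gb_30d_ago)
        flags = []
        if not protected:
            flags.append("outside RPO")        # no valid restore point in the window
        if growth > max_growth_pct:
            flags.append("VM growing fast")    # assumed threshold for "growing too large"
        rows.append({
            "vm": vm.name,
            "protected": protected,
            "last_restore_point": vm.last_valid_restore_point,
            "full_backup_gb": vm.full_backup_gb,
            "last_increment_gb": vm.last_increment_gb,
            "vm_growth_pct": round(growth, 1),
            "flags": flags,
        })
    return rows


def summary(rows):
    """Front-page counts: how many machines are protected versus unprotected."""
    protected = sum(1 for r in rows if r["protected"])
    return {"protected": protected, "unprotected": len(rows) - protected}


NOW = datetime(2021, 6, 1, 8, 0)   # constructed report time
SAMPLE_VMS = [
    VmBackupState("web01", NOW - timedelta(hours=6), 120.0, 2.1, 150.0, 140.0),
    VmBackupState("db01", NOW - timedelta(days=3), 800.0, 40.0, 1200.0, 900.0),
    VmBackupState("test05", None, 0.0, 0.0, 60.0, 60.0),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_VMS, NOW)
    print(summary(report))
    for row in report:
        print(row["vm"], row["protected"], row["vm_growth_pct"], row["flags"])
```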
There are several different properties you can base the report on. I chose these properties because I want to
make sure I have a valid restore point and because I’m keeping an eye on how big my backups are and how
big my VMs are becoming.
The ability to create custom reports provides a view of key aspects of my environment that might not be
shown in a pre-defined report. Once you save the report, you can set it up to be emailed to your inbox.
Report customization isn’t limited to only backup objects. If you have your vCenter server added into Veeam
ONE, you can create reports based on your virtual environment as well. The VMware custom performance
report can show visibility into performance issues in your environment. You can monitor specific CPU, memory,
network and disk metrics to analyze the performance of vSphere hosts, datastores and VMs.
Backing up your data is only one way you can recover from an incident, but when it comes to email phishing
or other means of ransomware encryption and entry into the environment, security awareness training and
ensuring software is kept updated to reflect the current landscape can be beneficial. Being resilient and
having visibility into your data center through different monitoring and reporting tools can help stop the
spread and contain the virus so it doesn’t cost more downtime or data loss.
When it comes to ransomware, having a strategy to prevent but also recover from a malicious attack should
be an important part of any business strategy. Veeam ONE provides visibility into the virtual environment,
providing alerts on resource usage in real time. With two out-of-the-box alarms plus the ability to create
custom alarms based on tasks or events, performance usage and in-guest processes and services, Veeam ONE
is a great tool to start using to prevent and combat the threat.
Real-time alerting and reporting capabilities that allow you to keep an eye on activity that is normal as well as
suspicious and unusual can keep any business resilient. At this stage, a ransomware attack is not a matter of
if, but when, and monitoring tools like Veeam ONE provide an extra level of visibility to keep your data safe.
About authors
Melissa Palmer is Senior Technologist on the Product Strategy team at Veeam and
a VMware Certified Design Expert (VCDX-236). Melissa has been focused on the
full infrastructure stack in her career, and started out as a VMware engineer for
a number of enterprise environments. You can find Melissa on Twitter @vMiss33
or at her blog https://vMiss.net.